Status: Fixed
Owner:
Closed: Oct 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security
Container-overflow in blink::HTMLTreeBuilder::processStartTagForInBody
Project Member Reported by ClusterFuzz, Aug 28 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6528698780483584

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Container-overflow READ 8
Crash Address: 0x604000294a38
Crash State:
  blink::HTMLTreeBuilder::processStartTagForInBody
  blink::HTMLTreeBuilder::processStartTag
  blink::HTMLTreeBuilder::processToken
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=316591:316716

Minimized Testcase (0.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Hw1FRIJFV7BIbdp9qk0IZ2JccuBHil-uXYFYc_wo2NknT6Duz33lDDlf9mOfUcHNop-yTrKdxk13VVJJjfBVU7lr5eGT7j_7Ed9SD8B31313houMDAvyfT0FckhG93RSzlAH5p5Z7jjh4rzZnakeZxMt9sg

Additional requirements: Requires Gestures

Filer: mbarbella

See https://sites.google.com/a/chromium.org/dev/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
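The crash type above, "Container-overflow READ 8", is AddressSanitizer's report for a read that lands inside a container's allocated buffer but past its logical end (between vector::size() and vector::capacity()). Plain heap-bounds checking cannot see that, because the address is inside a live allocation; ASan only reports it when the standard library annotates the container, which is why comment 2 notes the regression range merely contains the CL that enabled the check. The following is an added, generic illustration of that crash class, not code from this report, from ClusterFuzz, or from Blink's HTMLTreeBuilder; the vector contents are constructed sample data, and the build assumed is `clang++ -fsanitize=address -stdlib=libc++` (with libstdc++, add `-D_GLIBCXX_SANITIZE_VECTOR`).

```cpp
// Added illustration of the "Container-overflow" crash class.
// Generic demonstration code, not Blink's HTMLTreeBuilder.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Builds a small vector whose capacity exceeds its size, so the slots between
// size() and capacity() are allocated but hold no live elements.
// (Constructed sample data, not taken from the ClusterFuzz testcase.)
std::vector<uint64_t> make_sample() {
    std::vector<uint64_t> v;
    v.reserve(8);        // 8 slots (64 bytes) allocated
    v.push_back(0x11);   // only 2 slots are live
    v.push_back(0x22);
    return v;
}

// Unchecked indexing through the raw buffer. For idx in [size, capacity) this
// is the container-overflow pattern: the address is inside the heap allocation,
// so a heap-bounds check alone (or ASan without container annotations) does not
// notice it. With libc++/libstdc++ vector annotations under ASan, an 8-byte read
// here is reported as "container-overflow READ 8".
uint64_t unchecked_read(const std::vector<uint64_t>& v, size_t idx) {
    return v.data()[idx];
}

// Checked variant: refuses any index at or beyond size(). Returns false instead
// of reading, so callers must handle the "element not present" case explicitly.
bool checked_read(const std::vector<uint64_t>& v, size_t idx, uint64_t* out) {
    if (idx >= v.size()) return false;
    *out = v[idx];
    return true;
}

int main() {
    std::vector<uint64_t> v = make_sample();
    uint64_t value = 0;
    std::printf("size=%zu capacity=%zu\n", v.size(), v.capacity());
    std::printf("checked_read(5) -> %s\n",
                checked_read(v, 5, &value) ? "ok" : "rejected");
    // Stand-alone only: reads slot 5, past size() but inside capacity().
    // Under ASan with container annotations this line aborts with a
    // container-overflow report; without them it silently returns stale bytes.
    std::printf("unchecked_read(5) -> %llu\n",
                (unsigned long long)unchecked_read(v, 5));
    return 0;
}
```

When triaging a report like this one, the practical consequence is that the bad index may be well below the allocation size, so the fix is a size() check at the access site, and bisection ranges that straddle the commit enabling container annotations say nothing about when the bug was introduced.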
 
Project Member Comment 1 by ClusterFuzz, Aug 28 2015
Labels: Pri-1
Project Member Comment 2 by ClusterFuzz, Sep 1 2015
Labels: Missing_Owner-1
(Note the regression range on this is useless, as it appears to contain the CL that enabled this particular check -- so the problem is undoubtedly older).
Owner: kouhei@chromium.org
Assigning per Source/core/html/parser/OWNERS.
Labels: -Missing_Owner-1 M-46
Project Member Comment 6 by ClusterFuzz, Sep 19 2015
Labels: Nag
kouhei@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 7 by kouhei@chromium.org, Sep 29 2015
Cc: y...@yoav.ws
Comment 8 by y...@yoav.ws, Sep 29 2015
Thanks for adding me! Still having trouble seeing the minimized testcase. Can you please attach it here? (Or send it to me by mail)
Status: Fixed
Project Member Comment 11 by ClusterFuzz, Oct 13 2015
Labels: -Restrict-View-SecurityTeam Merge-Triage M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -M-46 -Nag -Merge-Triage Merge-NA Release-0-M47
Project Member Comment 13 by ClusterFuzz, Jan 19 2016
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 14 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 15 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic