Issue metadata
Security: blink::ShapeOutsideInfo type confuse
Reported by
loves...@gmail.com,
Mar 2 2016
Issue description
This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.
Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
VULNERABILITY DETAILS
(fc0.94c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06414000 ebx=03806a80 ecx=06414000 edx=00000000 esi=fffaf0ec edi=06414000
eip=5d3a260c esp=0024e79c ebp=0024e7cc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x4:
5d3a260c 8b4708 mov eax,dword ptr [edi+8] ds:0023:06414008=????????
2:051> k
ChildEBP RetAddr
0024e7a0 5d977280 chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x4 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\shapes\shapeoutsideinfo.cpp @ 266]
0024e7cc 5d977515 chrome_child!blink::ComputeFloatOffsetForLineLayoutAdapter<2>::updateOffsetIfNeeded+0x37 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\floatingobjects.cpp @ 602]
0024e7e4 5d3a2016 chrome_child!blink::ComputeFloatOffsetAdapter<2>::collectIfNeeded+0x44 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\floatingobjects.cpp @ 575]
0024e800 5d977084 chrome_child!blink::PODIntervalTree<blink::LayoutUnit,blink::FloatingObject *>::searchForOverlapsFrom<blink::ComputeFloatOffsetForLineLayoutAdapter<2> >+0x39 [c:\b\build\slave\win\build\src\third_party\webkit\source\platform\podintervaltree.h @ 181]
0024e838 5d924242 chrome_child!blink::FloatingObjects::logicalRightOffset+0x71 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\floatingobjects.cpp @ 525]
0024e860 5d926964 chrome_child!blink::LayoutBlockFlow::endOffsetForLine+0x81 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblockflow.h @ 122]
0024e8b0 5cfc5b71 chrome_child!blink::LayoutBox::shrinkLogicalWidthToAvoidFloats+0x5d [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 1615]
0024e8dc 5cfc575b chrome_child!blink::LayoutBox::computeLogicalWidthUsing+0x100 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 2197]
0024e93c 5cfc521c chrome_child!blink::LayoutBox::computeLogicalWidth+0x4dd [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 2105]
0024e968 5cfc1e62 chrome_child!blink::LayoutBox::updateLogicalWidth+0x30 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutbox.cpp @ 2014]
0024e97c 5cfc1e0e chrome_child!blink::LayoutBlock::updateLogicalWidthAndColumnWidth+0x2c [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblock.cpp @ 913]
0024e988 5cfc1912 chrome_child!blink::LayoutBlockFlow::updateLogicalWidthAndColumnWidth+0x9 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblockflow.cpp @ 188]
0024e9fc 5cfc15b8 chrome_child!blink::LayoutBlockFlow::layoutBlockFlow+0x32 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblockflow.cpp @ 329]
0024ea74 5cfc1467 chrome_child!blink::LayoutBlockFlow::layoutBlock+0x82 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblockflow.cpp @ 296]
0024eaa0 5d82fbee chrome_child!blink::LayoutBlock::layout+0xcf [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\layoutblock.cpp @ 888]
0024ead8 5cfc033f chrome_child!blink::FrameView::layoutOrthogonalWritingModeRoots+0xf4 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 1782]
0024eb34 5cfbd1fa chrome_child!blink::FrameView::performLayout+0xb2 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 860]
0024ec00 5d098257 chrome_child!blink::FrameView::layout+0x690 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\frame\frameview.cpp @ 1043]
0024ec18 5d0931d5 chrome_child!blink::Document::implicitClose+0x20f [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 2708]
0024ec30 5cf61bde chrome_child!blink::FrameLoader::checkCompleted+0xd4 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 579]
0024ec38 5cf617bd chrome_child!blink::FrameLoader::finishedParsing+0x85 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp @ 496]
0024ec90 5cf616e4 chrome_child!blink::Document::finishedParsing+0xcc [c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\document.cpp @ 4766]
0024eca0 5cf577dc chrome_child!blink::HTMLDocumentParser::end+0x4a [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 899]
0024ecb8 5d0ad4fa chrome_child!blink::HTMLDocumentParser::prepareToStopParsing+0xf5 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 285]
0024ed74 5d0acfc0 chrome_child!blink::HTMLDocumentParser::processParsedChunkFromBackgroundParser+0x297 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 510]
0024ee78 5d0f225b chrome_child!blink::HTMLDocumentParser::pumpPendingSpeculations+0x271 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 587]
0024ee88 5d169489 chrome_child!blink::HTMLDocumentParser::resumeParsingAfterScriptExecution+0x34 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 1044]
0024ee90 5d11cb3c chrome_child!blink::HTMLDocumentParser::notifyScriptLoaded+0x6b [c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\parser\htmldocumentparser.cpp @ 1073]
0024eea4 5d11c9b4 chrome_child!blink::ScriptStreamer::notifyFinishedToClient+0x43 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\scriptstreamer.cpp @ 646]
0024eeb0 5d0865c7 chrome_child!blink::ScriptStreamer::streamingComplete+0x15 [c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\scriptstreamer.cpp @ 619]
0024eeb8 5d0865b6 chrome_child!scheduler::WebTaskRunnerImpl::runTask+0xb [c:\b\build\slave\win\build\src\components\scheduler\child\web_task_runner_impl.cc @ 50]
0024eecc 5ce6b61e chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >)>,void __cdecl(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >),base::internal::PassedWrapper<scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<webcrypto::`anonymous namespace'::DeriveBitsState,std::default_delete<webcrypto::`anonymous namespace'::DeriveBitsState> >)> >,void __cdecl(void)>::Run+0x21 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
0024ef28 5cf0b767 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0024efd4 5cf0ab07 chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1d3 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 292]
0024f100 5cf0a9dc chrome_child!scheduler::TaskQueueManager::DoWork+0x122 [c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc @ 200]
0024f114 5cf0a99b chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >::MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks const &,bool const &>+0x39 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 314]
0024f13c 5ce6b61e chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run+0x2e [c:\b\build\slave\win\build\src\base\bind_internal.h @ 354]
0024f198 5ce6b424 chrome_child!base::debug::TaskAnnotator::RunTask+0x134 [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 51]
0024f204 5ce6b217 chrome_child!base::MessageLoop::RunTask+0x185 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 488]
0024f338 5ce6d142 chrome_child!base::MessageLoop::DoWork+0x478 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 608]
0024f35c 5ce6760f chrome_child!base::MessagePumpDefault::Run+0xc6 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc @ 34]
0024f378 5ce6ac34 chrome_child!tracked_objects::ThreadData::Get+0x26 [c:\b\build\slave\win\build\src\base\tracked_objects.cc @ 371]
0024f388 5ce6ab5b chrome_child!tracked_objects::TaskStopwatch::Start+0x46 [c:\b\build\slave\win\build\src\base\tracked_objects.cc @ 840]
0024f3b0 5ce6aaa0 chrome_child!base::RunLoop::Run+0x3e [c:\b\build\slave\win\build\src\base\run_loop.cc @ 57]
0024f3dc 5cebc564 chrome_child!base::MessageLoop::Run+0x22 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 294]
0024f574 5ce62294 chrome_child!content::RendererMain+0x329 [c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc @ 227]
0024f588 5ce62210 chrome_child!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 395]
0024f5d4 5ce47d89 chrome_child!content::ContentMainRunnerImpl::Run+0x5f [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 764]
0024f5e4 5ce47a6a chrome_child!content::ContentMain+0x23 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for chrome.exe -
0024f628 013684e6 chrome_child!ChromeMain+0x61 [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 70]
WARNING: Stack unwind information not available. Following frames may be wrong.
0024f6c0 0136773a chrome!ReportCrashWithProtobufAndMemoryRanges+0x4c2
0024f7f8 0139a95a chrome!GetUploadedReportsImpl+0x1a4
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
0024f844 75a5ee1c chrome!IsSandboxedProcess+0x29748
0024f850 76fa3a03 kernel32!BaseThreadInitThunk+0x12
0024f890 76fa39d6 ntdll!RtlInitializeExceptionChain+0xef
0024f8a8 00000000 ntdll!RtlInitializeExceptionChain+0xc2
2:051> lmvm chrome_child
start end module name
5ce40000 5fa32000 chrome_child (private pdb symbols) c:\symbols\chrome_child.dll.pdb\FEAB00576EC345ED92F5097D9E9C82941\chrome_child.dll.pdb
Loaded symbol image file: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\50.0.2655.0\chrome_child.dll
Image path: C:\Users\lovesuae\AppData\Local\Google\Chrome SxS\Application\50.0.2655.0\chrome_child.dll
Image name: chrome_child.dll
Timestamp: Fri Feb 19 13:45:03 2016 (56C6ABDF)
CheckSum: 02AA71A1
ImageSize: 02BF2000
File version: 50.0.2655.0
Product version: 50.0.2655.0
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_dll
OriginalFilename: chrome.dll
ProductVersion: 50.0.2655.0
FileVersion: 50.0.2655.0
FileDescription: Google Chrome
LegalCopyright: Copyright 2015 Google Inc. All rights reserved.
5f5a2608 56 push esi
5f5a2609 57 push edi
5f5a260a 8bf9 mov edi,ecx
5f5a260c 8b4708 mov eax,dword ptr [edi+8] ds:0023:06614008=????????
5f5a260f 8b4014 mov eax,dword ptr [eax+14h]
5f5a2612 8bb084000000 mov esi,dword ptr [eax+84h]
5f5a2618 8b471c mov eax,dword ptr [edi+1Ch]
5f5a261b c1e80d shr eax,0Dh
5f5a261e a801 test al,1
5f5a2620 744e je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x68 (5f5a2670)//pass
5f5a2622 85f6 test esi,esi
5f5a2624 744a je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x68 (5f5a2670)//pass
5f5a2626 8b4604 mov eax,dword ptr [esi+4]
5f5a2629 83e800 sub eax,0
5f5a262c 7438 je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x5e (5f5a2666)//pass
5f5a262e 48 dec eax
5f5a262f 7430 je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x59 (5f5a2661)//pass
5f5a2631 48 dec eax
5f5a2632 753c jne chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x68 (5f5a2670)//pass
5f5a2634 8bce mov ecx,esi
5f5a2636 e8d4785b00 call chrome_child!blink::ShapeValue::isImageValid (5fb59f0f) // ecx <- [esi+0Ch]
5f5a263b 84c0 test al,al
5f5a263d 741d je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x54 (5f5a265c)
5f5a263f 8bcf mov ecx,edi
5f5a2641 e8ae7ac2ff call chrome_child!blink::LayoutObject::document (5f1ca0f4)
5f5a2646 8b560c mov edx,dword ptr [esi+0Ch]
5f5a2649 8bc8 mov ecx,eax
5f5a264b e8ea7c5b00 call chrome_child!blink::checkShapeImageOrigin (5fb5a33a)
5f5a2650 84c0 test al,al
5f5a2652 7408 je chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x54 (5f5a265c)
5f5a2654 b801000000 mov eax,1
5f5a2659 5f pop edi
5f5a265a 5e pop esi
5f5a265b c3 ret
Let's take a look at the code:
https://chromium.googlesource.com/chromium/src.git/+/50.0.2657.3/third_party/WebKit/Source/core/layout/shapes/ShapeOutsideInfo.cpp
bool ShapeOutsideInfo::isEnabledFor(const LayoutBox& box)
{
    ShapeValue* shapeValue = box.style()->shapeOutside(); // crash here, shapeValue can be controlled
    if (!box.isFloating() || !shapeValue)
        return false;

    switch (shapeValue->type()) {
    case ShapeValue::Shape:
        return shapeValue->shape();
    case ShapeValue::Image:
        // control EIP in checkShapeImageOrigin
        return shapeValue->isImageValid() && checkShapeImageOrigin(box.document(), *(shapeValue->image()));
    case ShapeValue::Box:
        return true;
    }

    return false;
}
https://chromium.googlesource.com/chromium/src.git/+/50.0.2657.3/third_party/WebKit/Source/core/style/ShapeValue.h
bool isImageValid() const
{
    if (!image())
        return false;
    if (image()->isImageResource() || image()->isImageResourceSet())
        return image()->cachedImage() && image()->cachedImage()->hasImage();
    return image()->isGeneratedImage();
}
3:033> u
chrome_child!blink::checkShapeImageOrigin+0x17 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\shapes\shapeoutsideinfo.cpp @ 88]:
5fb5a351 57 push edi
5fb5a352 8bf9 mov edi,ecx
5fb5a354 7409 je chrome_child!blink::checkShapeImageOrigin+0x25 (5fb5a35f)
5fb5a356 b001 mov al,1
5fb5a358 5f pop edi
5fb5a359 5e pop esi
5fb5a35a 5b pop ebx
5fb5a35b 8be5 mov esp,ebp
3:033> u 5fb5a35f
chrome_child!blink::checkShapeImageOrigin+0x25 [c:\b\build\slave\win\build\src\third_party\webkit\source\core\layout\shapes\shapeoutsideinfo.cpp @ 92]:
5fb5a35f 8b02 mov eax,dword ptr [edx]
5fb5a361 8bca mov ecx,edx
5fb5a363 ff5040 call dword ptr [eax+40h] //control EIP here
5fb5a366 ff7758 push dword ptr [edi+58h]
5fb5a369 8bf0 mov esi,eax
5fb5a36b 8bce mov ecx,esi
5fb5a36d e86842e4ff call chrome_child!blink::ImageResource::isAccessAllowed (5f99e5da)
5fb5a372 84c0 test al,al
VERSION
Chrome Version: [50.0.2655.0 dev-m] + [51.0.2663.0 canary]
Operating System: [Please indicate OS, version, and service pack level]
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
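A triage helper, added here as an example and not part of the report above, of Chromium, or of ClusterFuzz's tooling: it parses the WinDbg access-violation banner, the `k` backtrace and the `lmvm` listing into the fields ClusterFuzz prints (exception code, faulting address, crashing-module version, and a "crash state" of the top symbolized frames from the crashing module). The sample input is the reporter's dump trimmed to a few frames with shortened source paths. The state it produces for the Windows build differs from the Linux ASan state ClusterFuzz reports below because the Windows stack has no `LayoutBox::shapeOutsideInfo` frame, presumably inlined in that build.

```python
"""
Summarize a WinDbg crash the way ClusterFuzz does: exception code, faulting
address, crashing-module version and a "crash state" of the top symbolized
frames. Added example for triaging this report; not part of Chromium or of
any ClusterFuzz tooling. SAMPLE is the reporter's dump trimmed to a few
frames, with source paths shortened (constructed test input).
"""
import re

SAMPLE = r"""
(fc0.94c): Access violation - code c0000005 (first chance)
chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x4:
5d3a260c 8b4708 mov eax,dword ptr [edi+8] ds:0023:06414008=????????
2:051> k
0024e7a0 5d977280 chrome_child!blink::ShapeOutsideInfo::isEnabledFor+0x4 [c:\src\shapeoutsideinfo.cpp @ 266]
0024e7cc 5d977515 chrome_child!blink::ComputeFloatOffsetForLineLayoutAdapter<2>::updateOffsetIfNeeded+0x37 [c:\src\floatingobjects.cpp @ 602]
0024e7e4 5d3a2016 chrome_child!blink::ComputeFloatOffsetAdapter<2>::collectIfNeeded+0x44 [c:\src\floatingobjects.cpp @ 575]
0024e800 5d977084 chrome_child!blink::PODIntervalTree<blink::LayoutUnit,blink::FloatingObject *>::searchForOverlapsFrom<blink::ComputeFloatOffsetForLineLayoutAdapter<2> >+0x39 [c:\src\podintervaltree.h @ 181]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for chrome.exe -
0024f628 013684e6 chrome_child!ChromeMain+0x61 [c:\src\chrome_main.cc @ 70]
WARNING: Stack unwind information not available. Following frames may be wrong.
0024f6c0 0136773a chrome!ReportCrashWithProtobufAndMemoryRanges+0x4c2
0024f850 76fa3a03 kernel32!BaseThreadInitThunk+0x12
2:051> lmvm chrome_child
5ce40000 5fa32000 chrome_child (private pdb symbols) c:\symbols\chrome_child.dll.pdb
File version: 50.0.2655.0
"""

EXC_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?+|[0-9a-f]+)")
FRAME_RE = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} (\w+)!(.+?)(?:\+0x[0-9a-f]+)?"
    r"(?:\s+\[(.+?) @ (\d+)\])?\s*$")
MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\w+)\s+\(")
VERSION_RE = re.compile(r"File version:\s*(\S+)")


def parse_windbg(text):
    """Extract frames, loaded-module ranges and the exception details."""
    report = {"frames": [], "modules": {}}
    unreliable = False  # set once WinDbg says the unwind is guessed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: Stack unwind information not available"):
            unreliable = True
            continue
        m = FRAME_RE.match(line)
        if m:
            module, symbol, src, lineno = m.groups()
            report["frames"].append({
                "module": module,
                "symbol": symbol.strip(),
                "source": src,
                "line": int(lineno) if lineno else None,
                "reliable": not unreliable,
            })
            continue
        m = MODULE_RE.match(line)
        if m:
            report["modules"][m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    exc = EXC_RE.search(text)
    fault = FAULT_RE.search(text)
    ver = VERSION_RE.search(text)
    report["exception_code"] = exc.group(1) if exc else None
    report["fault_address"] = int(fault.group(1), 16) if fault else None
    # "????????" means the debugger could not read the target at all.
    report["fault_readable"] = bool(fault) and not fault.group(2).startswith("?")
    report["module_version"] = ver.group(1) if ver else None
    return report


def crash_state(report, depth=3):
    """Top `depth` symbolized, reliable frames from the crashing module
    (the module of frame 0), mirroring how ClusterFuzz builds Crash State."""
    frames = report["frames"]
    if not frames:
        return []
    crash_module = frames[0]["module"]
    return [f["symbol"] for f in frames
            if f["module"] == crash_module and f["source"] and f["reliable"]][:depth]


def module_for_address(report, addr):
    """Name of the loaded module containing `addr`, or None (heap/unmapped)."""
    for name, (start, end) in report["modules"].items():
        if start <= addr < end:
            return name
    return None


if __name__ == "__main__":
    rep = parse_windbg(SAMPLE)
    print("exception", rep["exception_code"], "at", hex(rep["fault_address"]),
          "readable:", rep["fault_readable"],
          "module:", module_for_address(rep, rep["fault_address"]))
    print("version", rep["module_version"])
    for sym in crash_state(rep):
        print("  ", sym)
```

Frames after WinDbg's "Stack unwind information not available" warning are flagged unreliable and left out of the state. A faulting address that falls in no loaded module and could not be read (the `????????` in the banner) is a heap or garbage pointer rather than image data, which is consistent with the heap-use-after-free verdict ClusterFuzz reaches on Linux.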
,
Mar 2 2016
,
Mar 2 2016
jialiul, assuming this is a valid report, this would be a security bug.
,
Mar 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5983572474724352
,
Mar 2 2016
Note that this is most likely a dupe of bug 588178, which was discovered about 2 weeks ago internally. Uploading to CF to make sure.
,
Mar 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983572474724352
Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200003d110
Crash State:
  blink::ShapeOutsideInfo::isEnabledFor
  blink::LayoutBox::shapeOutsideInfo
  blink::ComputeFloatOffsetForLineLayoutAdapter<
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=378711:378728
Minimized Testcase (0.65 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95XEyMKwg855gO3WN3ZA9cUEnXtbV0EDNyctIedRbaCJGtS5zrneKROqx08OjyZXpKr78v8hOswZ_P6EbOVQD1wQ5Lv1HXNp38esdcUuKB0SxJbRf1ZYA54KyORQ1pfFoxSaDea4W2SRR-mlYnQjEcJ_H3Www
<head id="head">
<meta charset="utf-8" id="meta1">
<meta http-equiv="Cache-Control" content="no-cache" id="meta2">
<title id="title">cm45.eng.1.0.001.js -> cm45.1.0.001.php: 20160218_172126</title>
<style id="style">
* { transition-delay: 1; content: no-open-quote; float: right; }
BODY { writing-mode: initial; }
* { writing-mode: vertical-lr; }
</style>
<script type="text/javascript">
function fuzzing_start() { ; document.styleSheets[0].deleteRule(0);; }
</script>
<body id="body" onload="fuzzing_start();">
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
,
Mar 2 2016
,
Jun 14 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983572474724352
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200003e610
Crash State:
  blink::ShapeOutsideInfo::isEnabledFor
  blink::LayoutBox::shapeOutsideInfo
  blink::ComputeFloatOffsetForLineLayoutAdapter<
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=373065:373191
Minimized Testcase (0.43 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95NhxF1ONdInw_KbOiejUqiiJ1u851MuPD33CNA928tGvkz9gfsygR7-uB_b2yF7upqQOTQkuKbZxOFUt7GFOl5UkCQb7ML1l2smYAekRqoVu2cPT1nsJr1oNdjRk1D1FThVn2rmJyXCikMO0T6JSvdjk4g3Q?testcase_id=5983572474724352
<style>
* { content: no-open-quote; float: right; }
BODY { writing-mode: initial; }
* { writing-mode: vertical-lr;
</style>
<script>
function fuzzing_start() {
  g_ele_ref_son = document.createElement('I');;
  g_ele_ref_son.offsetWidth;;
  document.styleSheets[0].deleteRule(0);;
}
</script>
<body onload="fuzzing_start();">
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 29 2016
ClusterFuzz has detected this issue as fixed in range 383194:384397.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983572474724352
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61200003e610
Crash State:
  blink::ShapeOutsideInfo::isEnabledFor
  blink::LayoutBox::shapeOutsideInfo
  blink::ComputeFloatOffsetForLineLayoutAdapter<
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=373065:373191
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Minimized Testcase (0.43 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95NhxF1ONdInw_KbOiejUqiiJ1u851MuPD33CNA928tGvkz9gfsygR7-uB_b2yF7upqQOTQkuKbZxOFUt7GFOl5UkCQb7ML1l2smYAekRqoVu2cPT1nsJr1oNdjRk1D1FThVn2rmJyXCikMO0T6JSvdjk4g3Q?testcase_id=5983572474724352
<style>
* { content: no-open-quote; float: right; }
BODY { writing-mode: initial; }
* { writing-mode: vertical-lr;
</style>
<script>
function fuzzing_start() {
  g_ele_ref_son = document.createElement('I');;
  g_ele_ref_son.offsetWidth;;
  document.styleSheets[0].deleteRule(0);;
}
</script>
<body onload="fuzzing_start();">
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 21 2016
Does this case repro again?
,
Aug 22 2016
RE #12, no, this issue is already fixed. Thanks for reporting!
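The question in the previous comment, whether a given build still carries this bug, can be answered from the bisection ranges in the ClusterFuzz comments above. The following is an added example, not ClusterFuzz's own code or anything from the thread; the range semantics are my reading of the reports, namely that "Regressed: A:B" means A is the last build that did not crash and B the first that did, and "Fixed: A:B" means A is the last crashing build and B the first clean one. The two report strings are the ClusterFuzz comments above trimmed to the fields read here.

```python
"""
Classify a Chromium revision against the ClusterFuzz regression and fix
ranges posted in this thread. Added example; not ClusterFuzz's own code.
Range reading (an assumption): "Regressed: A:B" = A last good, B first bad;
"Fixed: A:B" = A last crashing, B first fixed.
"""
import re

# Constructed inputs: the two ClusterFuzz comments above, trimmed.
REPORT_MAR = ("Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983572474724352 "
              "Job Type: linux_asan_chrome_mp Platform Id: linux "
              "Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61200003d110 "
              "Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=378711:378728 "
              "Minimized Testcase (0.65 Kb):")
REPORT_JUL = ("Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983572474724352 "
              "Job Type: linux_asan_chrome_mp Platform Id: linux "
              "Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61200003e610 "
              "Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=373065:373191 "
              "Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397 "
              "Minimized Testcase (0.43 Kb):")

RANGE_RE = re.compile(r"\b(Regressed|Fixed): \S*?range=(\d+):(\d+)")
CRASH_RE = re.compile(r"Crash Type: (.+?) Crash Address: (0x[0-9a-fA-F]+)")


def parse_report(text):
    """Pull the bisection ranges and crash type/address out of one report."""
    rep = {"regressed": None, "fixed": None, "crash_type": None, "crash_address": None}
    for key, lo, hi in RANGE_RE.findall(text):
        rep[key.lower()] = (int(lo), int(hi))
    m = CRASH_RE.search(text)
    if m:
        rep["crash_type"] = m.group(1)
        rep["crash_address"] = int(m.group(2), 16)
    return rep


def status_at(rep, revision):
    """Is a build at `revision` before the bug, inside a bisection window,
    affected, or past the fix?"""
    reg, fix = rep["regressed"], rep["fixed"]
    if reg is not None:
        if revision <= reg[0]:
            return "not yet regressed"
        if revision < reg[1]:
            return "inside regression window, untested"
    if fix is not None:
        if revision >= fix[1]:
            return "fixed"
        if revision > fix[0]:
            return "inside fix window, untested"
    return "affected"


def ranges_agree(a, b):
    """True if two bisection ranges overlap. The two regression ranges in
    this thread do not, which is worth a second look before trusting either."""
    return a[0] < b[1] and b[0] < a[1]


if __name__ == "__main__":
    mar, jul = parse_report(REPORT_MAR), parse_report(REPORT_JUL)
    for rev in (373000, 380000, 383500, 384397):
        print(rev, status_at(jul, rev))
    print("regression ranges agree:", ranges_agree(mar["regressed"], jul["regressed"]))
```

Between the two windows the answer is "affected"; from the first revision of the fix range onward it is "fixed", which matches the reply above for builds after r384397.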
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by jialiul@chromium.org, Mar 2 2016
Components: Blink>Layout
Labels: Security_Impact-Head
Owner: kojii@chromium.org