New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 599626 link

Starred by 0 users

Issue metadata

Status: Duplicate
Owner:
Use other robhogan account instead.
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in blink::LayoutObject::isAnonymousBlock

Project Member Reported by ClusterFuzz, Mar 31 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227374596685824

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x15f7be0f
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381899:383055

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95VBQEzSJrfUUS11wOuvMCY1pJqsnYIEIHT-dV2g8-UH4SU-Mj0D0bWeyvRgq0wp431l9LcX3U5iAxrGbIYqESQmJBpTYTZ4MGwXi56ozIbfSOO7O1j3Zqw5Iw-n9DB2RTiqj0nMvlWG6n7UlLb4hJLkq4pjg
<style>
*{display:list-item;}
.CLASS9{vertical-align:text-bottom;-webkit-appearance:listbox;</style>
<ruby class="CLASS9">
<object>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: le...@chromium.org e...@chromium.org
Owner: robhogan@chromium.org
Status: Assigned (was: Available)
Mergedinto: 598722
Status: Duplicate (was: Assigned)
I have a CL in review for 598722. 
Project Member

Comment 3 by ClusterFuzz, Apr 1 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227374596685824

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x15f7be0f
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381899:383055

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95VBQEzSJrfUUS11wOuvMCY1pJqsnYIEIHT-dV2g8-UH4SU-Mj0D0bWeyvRgq0wp431l9LcX3U5iAxrGbIYqESQmJBpTYTZ4MGwXi56ozIbfSOO7O1j3Zqw5Iw-n9DB2RTiqj0nMvlWG6n7UlLb4hJLkq4pjg
<style>
*{display:list-item;}
.CLASS9{vertical-align:text-bottom;-webkit-appearance:listbox;</style>
<ruby class="CLASS9">
<object>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 16 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment