New issue
Advanced search Search tips

Issue 604667 link

Starred by 0 users
Status: Duplicate
Merged: issue 604666
Owner:
e...@chromium.org
Closed: Apr 2016
Cc:
attek...@gmail.com
mmoroz@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in blink::LayoutBox::addOverflowFromChild

Project Member Reported by ClusterFuzz, Apr 19 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4682607396126720

Fuzzer: attekett_dom_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutBox::addOverflowFromChild
  blink::LayoutTableSection::computeOverflowFromCells
  blink::LayoutTableSection::recalcChildOverflowAfterStyleChange
  

Minimized Testcase (0.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9633ZP7_0Rrr5Bv8bkrPgvBHifjr_1pTCqYznB0nIrPSYSNLhMPB7-Ag_RTRNlsUiPplHzAO7-6F5ExndvymicgB9Mkv7SxL0WWwQk41HDKiq0jYx6p0hCVAV-UlcLYEQYK2yvNbThc3mXDKkfqjDz5FKnolw

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Apr 19 2016

Owner: e...@chromium.org
Project Member

Comment 2 by ClusterFuzz, Apr 19 2016

Status: Assigned (was: Available)

Comment 3 by mbarbe...@chromium.org, Apr 19 2016

Cc: mmoroz@chromium.org
Components: Blink>Layout
Mergedinto: 604666
Status: Duplicate (was: Assigned)
mmoroz: Just an FYI, MSan potentially reports use-after-frees as uninitialized reads. If you check the creation stack in this case, you'll see:

Uninitialized value was created by a heap deallocation
    #0 0x7fb5d66d97b2 in __interceptor_free

Comment 4 by mmoroz@chromium.org, Apr 27 2016

Labels: -Security_Severity-Low Security_Severity-High
Project Member

Comment 5 by ClusterFuzz, Jun 2 2016 

ClusterFuzz has detected this issue as fixed in range 388178:388349.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4682607396126720

Fuzzer: attekett_dom_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutBox::addOverflowFromChild
  blink::LayoutTableSection::computeOverflowFromCells
  blink::LayoutTableSection::recalcChildOverflowAfterStyleChange
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=388178:388349

Minimized Testcase (0.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9633ZP7_0Rrr5Bv8bkrPgvBHifjr_1pTCqYznB0nIrPSYSNLhMPB7-Ag_RTRNlsUiPplHzAO7-6F5ExndvymicgB9Mkv7SxL0WWwQk41HDKiq0jYx6p0hCVAV-UlcLYEQYK2yvNbThc3mXDKkfqjDz5FKnolw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 29 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Sign in to add a comment