Crash in blink::KeyframeEffect::create |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4886449027022848 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000020 Crash State: blink::KeyframeEffect::create blink::V8KeyframeEffect::constructorCallback v8::internal::FunctionCallbackArguments::Call Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97pF9rKu_llns4vnB5JGeD_WLPABj-V64DCZaKHB_7EMwFe6jBk-ctv0dKZceXIA46v9A8CYN3r_qKuMP2wf1Yv2ZyYd6rCENVfYmYZ1rlIsGnIj5byS2BkJcJv0QlMxXTz_0Y5GeP0TPvorPCz1L7EzrzUPg <script> var element = document.getElementById('e'); var keyframes = [{}, {}]; var keyframeEffectBasic = new KeyframeEffect(element, keyframes); var timingNumberDuration = {duration: 2}; var animationNumberDuration = new KeyframeEffect(element, keyframes, timingNumberDuration); </script> Filer: suzyh See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 27 2016
Minimal repro: new KeyframeEffect(null, [], {});
The use counting in KeyframeEffect.cpp is not checking whether element is null or not before dereferencing. This does not affect stable, only experimental.
,
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/854ebb61d6015583d1d3650147390be006725cd2 commit 854ebb61d6015583d1d3650147390be006725cd2 Author: alancutter <alancutter@chromium.org> Date: Tue May 10 14:40:05 2016 Fix null crash when creating KeyframeEffects with null targets BUG= 607082 Review-Url: https://codereview.chromium.org/1965693002 Cr-Commit-Position: refs/heads/master@{#392600} [add] https://crrev.com/854ebb61d6015583d1d3650147390be006725cd2/third_party/WebKit/LayoutTests/animations/keyframe-effect-null-target-crash.html [modify] https://crrev.com/854ebb61d6015583d1d3650147390be006725cd2/third_party/WebKit/Source/core/animation/KeyframeEffect.cpp
,
May 11 2016
,
May 11 2016
ClusterFuzz has detected this issue as fixed in range 392597:392661. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4886449027022848 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000020 Crash State: blink::KeyframeEffect::create blink::V8KeyframeEffect::constructorCallback v8::internal::FunctionCallbackArguments::Call Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=392597:392661 Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97pF9rKu_llns4vnB5JGeD_WLPABj-V64DCZaKHB_7EMwFe6jBk-ctv0dKZceXIA46v9A8CYN3r_qKuMP2wf1Yv2ZyYd6rCENVfYmYZ1rlIsGnIj5byS2BkJcJv0QlMxXTz_0Y5GeP0TPvorPCz1L7EzrzUPg <script> var element = document.getElementById('e'); var keyframes = [{}, {}]; var keyframeEffectBasic = new KeyframeEffect(element, keyframes); var timingNumberDuration = {duration: 2}; var animationNumberDuration = new KeyframeEffect(element, keyframes, timingNumberDuration); </script> See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by suzyh@chromium.org
, Apr 27 2016Components: Blink>Animation