
Issue 610538

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 2
Type: Bug


BR Apple-interchange-newline makes InsertHTML command crash

Project Member Reported by ClusterFuzz, May 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5415502242906112

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::InsertParagraphSeparatorCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
  

Minimized Testcase (0.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96xS7F6Kjm4nAo4kVdVT6dyjU5fR6yAaFCH9KZAOdifmZoBf7Ez5GwlwKdmtzK1NfUsTODxwBi-l-0P5e_8qnyPY_Gh_Lcs2PzbL0QKBClPorOpk3O6b5YgSFH0aYW-PHAz2PdHJES4wGX3TMbDdYvowz2muA

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Editing Tools>Test>FindIt>CorrectResult
Labels: Te-Logged M-51
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: wibling@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a4c3a7dd738ac5789cbdbf82b6c63627154ec46a
Time: Thu Apr 03 13:08:44 2014
The CL last changed line 728 of file Handle.h, which is stack frame 0.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/45632fb469f9738299adf8f0877812138bd6d682
Time: Tue Feb 16 07:06:59 2016
The CL last changed line 269 of file InsertParagraphSeparatorCommand.cpp, which is stack frame 1.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 254 of file CompositeEditCommand.cpp, which is stack frame 2.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f30215cd15c1afe7c6dd6ace0f7bc434bcef5e0a
Time: Tue Feb 16 07:04:24 2016
The CL last changed line 300 of file CompositeEditCommand.cpp, which is stack frame 3.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f30215cd15c1afe7c6dd6ace0f7bc434bcef5e0a
Time: Tue Feb 16 07:04:24 2016
The CL last changed line 1058 of file ReplaceSelectionCommand.cpp, which is stack frame 4.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 208 of file CompositeEditCommand.cpp, which is stack frame 5.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7840a79114afc7071c77cf3b7337570a6fbb156d
Time: Fri Feb 19 04:15:19 2016
The CL last changed line 262 of file EditorCommand.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Editing

Comment 2 by tkent@chromium.org, May 10 2016

Owner: ----
Status: Untriaged (was: Assigned)
Route to Editing triage.

Comment 3 by yosin@chromium.org, May 11 2016

Labels: -Pri-1 OS-Windows Pri-2
Status: Available (was: Untriaged)
Summary: BR Apple-interchange-newline makes InsertHTML command crash (was: Crash in blink::CompositeEditCommand::insertNodeAfter)
Lower to Pri-2 because usage of InsertHTML w/ Apple-Interchange-Newline is low.

Below is DOM tree at assertion:
BODY	0000013E14F632F8 (editable) (focused)
	A	0000013E14F63D88 (editable)
		BLOCKQUOTE	0000013E14F63868 (editable)
			DIV	0000013E14F63690 (editable)
				#text	0000013E14F636F8 "Two"
	BLOCKQUOTE	0000013E14F63A88 STYLE="display: inline !important;" (editable)
		DIV	0000013E14F63AF0 STYLE="display: inline !important;" (editable)
			A	0000013E14F63E18 STYLE="display: inline !important;" (editable)
SE				#text	0000013E14F63B58 "Three"

Project Member Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 5 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455392.

Detailed report: https://clusterfuzz.com/testcase?key=5415502242906112

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::InsertParagraphSeparatorCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=455091:455392

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95VifM5eq1PmozIBwz7vlQqcyN5Wz2tES25tJokQMOm5uXO0IQ4FZFPsgylJD41jF9e9jCgqSYWJsr61-8Ma04YE0a_nDF9TD3QhVHki4J8PUCKZ_gLf561mvazlTriIQS930H9UmkeFEvVNYpNhsBYMBjAAw?testcase_id=5415502242906112


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 6 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5415502242906112 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.