Heap-use-after-free in blink::PrintContext::pageNumberForElement
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4855714882781184

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x17220e70
Crash State:
  blink::PrintContext::pageNumberForElement
  blink::Internals::pageNumber
  blink::InternalsV8Internal::pageNumberMethodCallback

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95878yKpl1gMu7OFCylaSD9fgzr3qMR01GQWzRkyq5vGAGTSEKIx7zmkzajm3myaxnSxPGTyC3-WQod_H9UfRX-cxhUFcRkRVdVYwAFipep7KL_G82pXh9hSm2nsYBgkLPiox8htQLbceuls1ZuZRFWDQxChw

  <style media="screen and (min-width: 30em)"> p.noBreak { display: inline; </style>
  <script src="../resources/paged-media-test-utils.js"></script>
  <script> function test() { pageNumberForElementShouldBe('test1'); } </script>
  <body id="dom-fuzz-73400001" onload="runPrintingTest(test)">
  <p id="test1" class="noBreak">This sentence must be on the second page.

Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by mmoroz@chromium.org, May 11 2016 (Owner: danakj@chromium.org)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6526956335529984

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c0000a8d00
Crash State:
  blink::PrintContext::pageNumberForElement
  blink::Internals::pageNumber
  blink::InternalsV8Internal::pageNumberMethodCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94zGxetBVdBEeOKf2XNcOL0D_AtW-UCEbhLi_zqgr5Mr-URzQTEi8lFaM4Pr8Z2LSarwit6BOn78Bu2UTTznnJWRlZybK6iTCdEGdFDHupov9knziUX2fBdhTUTOcc0SmlFGn8Lnv6Yhjno6JLhKABIC571eQ

  <style media="screen"> div.noBreak { display:inline; </style>
  <script src="../resources/paged-media-test-utils.js"></script>
  <script> function test() { pageNumberForElementShouldBe('test'); } </script>
  <body onload="runPrintingTest(test)">
  <div id="test" class="noBreak">

Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, May 11 2016
CC'ing chrishtr@, since his CL is also suspected:

Author: chrishtr@chromium.org
Component: chromium-blink
Changelist: https://chromium.googlesource.com/chromium/blink.git/+/6c2347e5748b193eacbefaaaeb5c2960e756a87d
Time: Thu May 08 19:00:00 2014

Line 898 of file ContainerNode.cpp, which potentially caused the crash, is changed in this CL (frame #4, "blink::ContainerNode::detach"). Files Element.cpp and Node.cpp are changed in this CL (and are part of stack frame #5, "blink::Element::detach", and frame #7, "blink::Element::recalcOwnStyle").

Minimum distance from crash line to modified line: 0 (file: ContainerNode.cpp, crashed on: 898, modified: 898).
Comment, May 11 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, May 12 2016
The bug is that PrintContext::begin() calls setPrinting, which may cause a style recalc that deletes the LayoutBoxModelObject stored a few lines above.
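As an added example, not part of this bug thread and not Blink's source, the ordering bug described in the comment above modelled in a few dozen lines of C++: a caller caches a raw pointer to an element's layout object, PrintContext::begin() calls setPrinting(), the document switches to print media so the <style media="screen"> rule from the test case stops applying, the element's computed display changes, style recalc detaches and recreates its layout object, and the cached pointer dangles. Document, Element, LayoutBox and PrintContext here are assumed stand-ins for the Blink classes of the same names, the pagination is a toy, and the "fixed" variant simply re-fetches the pointer after begin(), which is one hardening in the spirit of the linked commit rather than a copy of it.

```cpp
// Added example, not Blink code: a model of the PrintContext::begin() ordering
// bug. All types below are stand-ins (assumptions), not Blink's classes.
#include <memory>
#include <set>
#include <string>
#include <vector>

struct LayoutBox {
    std::string display;   // "block" or "inline"
    int firstPage;         // page this box starts on; assigned by layout
};

struct Element {
    std::string id;
    std::string screenDisplay;  // display while the media="screen" rule matches
    std::string printDisplay;   // display once that rule stops matching
    std::unique_ptr<LayoutBox> box;
};

struct Document {
    std::vector<Element> elements;
    bool printing = false;
    // Stand-in for AddressSanitizer: destroyed objects are quarantined so their
    // addresses are not reused, and any read through them is reported.
    std::set<const LayoutBox*> freed;
    std::vector<std::unique_ptr<LayoutBox>> quarantine;

    Element* getElementById(const std::string& id) {
        for (Element& e : elements)
            if (e.id == id) return &e;
        return nullptr;
    }

    // Style recalc: an element whose computed display changed has its layout
    // object detached (deleted) and a fresh one attached, the path the stack in
    // the report shows (Element::recalcOwnStyle -> Element::detach). Toy
    // pagination: each block box starts a new page, inline boxes share it.
    void recalcStyle() {
        int page = 0;
        for (Element& e : elements) {
            const std::string& want = printing ? e.printDisplay : e.screenDisplay;
            if (!e.box || e.box->display != want) {
                if (e.box) {
                    freed.insert(e.box.get());
                    quarantine.push_back(std::move(e.box));
                }
                e.box.reset(new LayoutBox{want, 0});
            }
            if (e.box->display == "block") ++page;
            e.box->firstPage = page == 0 ? 1 : page;
        }
    }
};

struct PrintContext {
    Document& doc;
    explicit PrintContext(Document& d) : doc(d) {}
    void begin() { setPrinting(true); }
    void end() { setPrinting(false); }
    // The side effect the vulnerable caller did not account for.
    void setPrinting(bool p) {
        if (doc.printing == p) return;
        doc.printing = p;
        doc.recalcStyle();
    }
};

// The memory read ASan flagged; here it returns -2 instead of touching an
// object the document has already destroyed.
static int readFirstPage(const Document& doc, const LayoutBox* box) {
    if (doc.freed.count(box)) return -2;   // heap-use-after-free READ
    return box->firstPage;
}

// Before the fix: fetch the layout object, then begin() (which may destroy
// it), then read through the stale pointer.
int pageNumberForElementVulnerable(Document& doc, const std::string& id) {
    Element* el = doc.getElementById(id);
    if (!el || !el->box) return -1;
    LayoutBox* box = el->box.get();
    PrintContext ctx(doc);
    ctx.begin();
    int page = readFirstPage(doc, box);
    ctx.end();
    return page;
}

// After the fix: look the layout object up only once begin() has put the
// document into its printing state, and re-check it for null.
int pageNumberForElementFixed(Document& doc, const std::string& id) {
    Element* el = doc.getElementById(id);
    if (!el) return -1;
    PrintContext ctx(doc);
    ctx.begin();
    LayoutBox* box = el->box.get();
    int page = box ? readFirstPage(doc, box) : -1;
    ctx.end();
    return page;
}

// Constructed document modelled on the minimized test case: a div.noBreak that
// is display:inline on screen only, preceded by an ordinary block.
Document makeTestDocument() {
    Document doc;
    doc.elements.push_back(Element{"lead", "block", "block", nullptr});
    doc.elements.push_back(Element{"test", "inline", "block", nullptr});
    doc.recalcStyle();   // initial (screen) style and layout
    return doc;
}
```

Querying "test" through the vulnerable path reads a quarantined object (the stand-in reports -2 where ASan would report the heap-use-after-free), while the fixed path returns page 2; querying "lead", whose display does not change between screen and print media, is unaffected either way, which is why the crash needs an element whose style differs under print media, exactly what the media="screen" rule in the test case arranges.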
Comment, May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fb04c5c901794b87adb71d361558439fb35f5d16

commit fb04c5c901794b87adb71d361558439fb35f5d16
Author: chrishtr <chrishtr@chromium.org>
Date: Thu May 12 22:41:36 2016

Fix use-after-free in PrintContext.

The LayoutBoxModelObject may have been deleted during a style recalc triggered by setPrinting(), which PrintContext::begin() calls.

BUG= 610979

Review-Url: https://codereview.chromium.org/1973743003
Cr-Commit-Position: refs/heads/master@{#393380}

[modify] https://crrev.com/fb04c5c901794b87adb71d361558439fb35f5d16/third_party/WebKit/Source/core/page/PrintContext.cpp
Comment, May 13 2016
ClusterFuzz has detected this issue as fixed in range 393341:393401.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6526956335529984

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c0000a8d00
Crash State:
  blink::PrintContext::pageNumberForElement
  blink::Internals::pageNumber
  blink::InternalsV8Internal::pageNumberMethodCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=393341:393401

Minimized Testcase (0.30 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94zGxetBVdBEeOKf2XNcOL0D_AtW-UCEbhLi_zqgr5Mr-URzQTEi8lFaM4Pr8Z2LSarwit6BOn78Bu2UTTznnJWRlZybK6iTCdEGdFDHupov9knziUX2fBdhTUTOcc0SmlFGn8Lnv6Yhjno6JLhKABIC571eQ

  <style media="screen"> div.noBreak { display:inline; </style>
  <script src="../resources/paged-media-test-utils.js"></script>
  <script> function test() { pageNumberForElementShouldBe('test'); } </script>
  <body onload="runPrintingTest(test)">
  <div id="test" class="noBreak">

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Jun 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4855714882781184

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x17220e70
Crash State:
  blink::PrintContext::pageNumberForElement
  blink::Internals::pageNumber
  blink::InternalsV8Internal::pageNumberMethodCallback

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=379564:379959

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95yPN0up1qCfCs56pTECOiFewEl25iEd-IMYYWle-YGv3vdYm_iUHS1rrEby76J_xkIUPqEPvdzCQI66Al1ZkoO83bbosfL6-NGUOJSlhYPxem-NpTNmnxPc0HkXnDYILNjr7HFGc6d1mzht8xdd2HhSmA3SQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Aug 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot