Heap-use-after-free in blink::LayoutTextFragment::setTextFragment
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6197335041769472
Fuzzer: marty_html_twiddler
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x60f000091028
Crash State:
  blink::LayoutTextFragment::setTextFragment
  blink::FirstLetterPseudoElement::detach
  blink::PseudoElement::dispose
Recommended Security Severity: High
Minimized Testcase (1.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DEtTKLZEe6kU45u20BMSgIJe2cjp2Hlag8kn9I-VwI_V5vWwtGYVJ5qTwPdZNWufHKk_UJEBf0BKWpnYcHenAKqnc8fdcd13I_wF8DyoYW_Oq2kZEStOXR-47_-zYkHS3fUgPVguFaFLW3CqAEKEBVGSocA
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 25 2016
eae: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 27 2016
I've tried to do some investigation. Since there is UaF while accessing: |m_start| member of |LayoutTextFragment|, it looks like |~LayoutTextFragment()| had been previously executed. But the object wasn't fully deallocated. Otherwise shouldn't we detect UaF earlier when accessing some members of a parent class |LayoutText|? Is it possible or am I totally wrong? Also I cannot reproduce the issue locally... I could suppose a race condition, but everything happens in one thread (looking into the log).
Jun 1 2016
ClusterFuzz has detected this issue as fixed in range 391535:391649.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6197335041769472
Fuzzer: marty_html_twiddler
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x60f00008f4f8
Crash State:
  blink::LayoutTextFragment::setTextFragment
  blink::FirstLetterPseudoElement::detach
  blink::PseudoElement::dispose
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=384460:384473
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=391535:391649
Minimized Testcase (2.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zr4y6jFm6segoLIFxxq3RKx8Et6djwJmcobB_Ecbv7PULVKMZ8sJP2TCRyW3Z2YxUprYFmCQkIp87-k5i9XSsmkUj-DzEUbW1K0_0dWm6kK_G2iqkbXsc8L5VZD5EI1WpVqjR30BJwBIfdQjLIA9RLWABeg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 1 2016
As per #7, marking this Fixed. Probably it is an unrelated fix.
Jun 1 2016
ClusterFuzz has detected this issue as fixed in range 395074:395128.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6197335041769472
Fuzzer: marty_html_twiddler
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x60f00008f4f8
Crash State:
  blink::LayoutTextFragment::setTextFragment
  blink::FirstLetterPseudoElement::detach
  blink::PseudoElement::dispose
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=384460:384473
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=395074:395128
Minimized Testcase (2.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zr4y6jFm6segoLIFxxq3RKx8Et6djwJmcobB_Ecbv7PULVKMZ8sJP2TCRyW3Z2YxUprYFmCQkIp87-k5i9XSsmkUj-DzEUbW1K0_0dWm6kK_G2iqkbXsc8L5VZD5EI1WpVqjR30BJwBIfdQjLIA9RLWABeg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 11 2016
Components: Blink>DOM
Labels: M-51
Owner: e...@chromium.org