CharacterData::setData() should handle first-letter correctly |
||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5964821900296192 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x61d2000f647e Crash State: blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b blink::endOfSentence blink::SelectionModifier::modifyExtendingForward Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=375259:376290 Minimized Testcase (4.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lt3aIcd1aOaw4eVZt4I90BPtei04W0TOj6BvvJbw3a2ncrO__0dX8Djbl9UnBTDXgQZjYArSwkAWM7UHDCK2UDJPhhz7ORrj2qwQwn9vp5_vIs-PXcm3nxsZXULDDqqGHhsQ2Y16i46c9WnCWwzf3An75sA Filer: inferno See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 12 2016
,
Jun 13 2016
,
Jun 26 2016
yosin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 27 2016
,
Jun 28 2016
,
Jun 29 2016
Lower to Pri-2, since this DCHECK() isn't harmful. The root cause is pseudo:first-letter element is created for non-first letter content DOM tree at DCHECK(): position.showTreeForThis() BODY 000001AAF3EC3338 DIV 000001AAF3EC33A0 <pseudo:first-letter> 000001AAF3EC6748 #text 000001AAF3EC3408 "\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA a\n" svg 000001AAF3EC3458 #text 000001AAF3EC35B0 "\n" animate 000001AAF3EC3600 #text 000001AAF3EC3868 "\n" filter 000001AAF3EC38B8 CLASS="CLASS12" #text 000001AAF3EC39C8 "\n" feComponentTransfer 000001AAF3EC3A18 CLASS="CLASS2" #text 000001AAF3EC3AF8 "\n" feComposite 000001AAF3EC3B48 #text 000001AAF3EC3C58 "\n" title 000001AAF3EC3CA8 #text 000001AAF3EC3D60 "\n" #text 000001AAF3EC3DB0 "\n" #text 000001AAF3EC4410 "\n" DIV 000001AAF3EC4460 #text 000001AAF3EC44C8 "\n" RUBY 000001AAF3EC4518 CLASS="CLASS4" #text 000001AAF3EC4580 "\n" RB 000001AAF3EC45D0 CLASS="CLASS6 CLASS3" #text 000001AAF3EC4638 "\n" RT 000001AAF3EC4688 #text 000001AAF3EC46F0 "\n" INPUT 000001AAF3EC4740 #shadow-root 000001AAF3EC4848 DIV 000001AAF3EC4918 ID="inner-editor" (editable) #text 000001AAF3EC4980 "\n" svg 000001AAF3EC49D0 #text 000001AAF3EC4B28 "\n" I 000001AAF3EC4B78 CLASS="CLASS12 CLASS0" #text 000001AAF3EC4BE0 "\n" svg 000001AAF3EC4C30 #text 000001AAF3EC4D88 "\n" svg 000001AAF3EC4DD8 #text 000001AAF3EC4F30 "\n\n" #text 000001AAF3EC6348 "\n" #text 000001AAF3EC6398 "\nB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n" #text 000001AAF3EC63E8 "\n" FORM 000001AAF3EC6438 #text 000001AAF3EC6500 "\n" #text 000001AAF3EC6550 "\n" PRE 000001AAF3EC65A0 <pseudo:first-letter> 000001AAF3EC66D0 #text 000001AAF3EC6608 "b" H2 000001AAF3EC3E00 <pseudo:first-letter> 000001AAF3EC7630 * #text 000001AAF3EC3E68 "\n" BDO 000001AAF3EC3EB8 #text 000001AAF3EC3F20 "\nb\n" RUBY 000001AAF3EC3F70 #text 000001AAF3EC3FD8 "\n" RB 000001AAF3EC4028 #text 000001AAF3EC4090 "\n" BIG 000001AAF3EC40E0 #text 000001AAF3EC4148 "\nAxBxC\n" RUBY 000001AAF3EC4198 #text 000001AAF3EC4200 "\n" RBC 000001AAF3EC4250 #text 000001AAF3EC42B8 "\n" RB 000001AAF3EC4308 CLASS="CLASS10" #text 000001AAF3EC4370 "\n" #text 000001AAF3EC43C0 "\n" #text 000001AAF3EC75E0 "" RBC 000001AAF3EC5138 CLASS="CLASS2" RUBY 000001AAF3EC5080 input 000001AAF3EC4F80 CLASS="CLASS14 CLASS9" #text 000001AAF3EC6818 "\n" <void>
,
Jun 29 2016
The root cause is CharacterData::setData() which doesn't update first letter pseudo element related layout object correctly, as similar to issue 588548 .
,
Jun 29 2016
In review: http://crrev.com/2109073002
,
Jun 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1823f9957dd146fd14cec6ec8c549364fbc4fbfd commit 1823f9957dd146fd14cec6ec8c549364fbc4fbfd Author: yosin <yosin@chromium.org> Date: Wed Jun 29 11:09:46 2016 Make Text::updateLayoutTextObject() to update first-letter pseudo element related layout tree correctly This patch makes |Text::updateTextLayoutObject()| to reattach layout object for |Text| node when it is part of first-letter when contents of |Text| node is changed. Before this patch, we change |LayoutTextFragment| directly and leaves original first letter part event if |Text| node no more to serve first-letter part, e.g. change to "a" (first-letter part), to " " (a space isn't first-letter part). This patch covers more cases than crrev.com/380116, which covers text change to make no first-letter pseudo element. BUG= 619379 TEST=webkit_unit_tests --gtest_filter=TextTest.SetDataToChangeFirstLetterTextNode Review-Url: https://codereview.chromium.org/2109073002 Cr-Commit-Position: refs/heads/master@{#402775} [modify] https://crrev.com/1823f9957dd146fd14cec6ec8c549364fbc4fbfd/third_party/WebKit/Source/core/dom/Text.cpp [modify] https://crrev.com/1823f9957dd146fd14cec6ec8c549364fbc4fbfd/third_party/WebKit/Source/core/dom/TextTest.cpp
,
Jun 30 2016
,
Jun 30 2016
ClusterFuzz has detected this issue as fixed in range 402770:402790. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5964821900296192 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x61d2000f647e Crash State: blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b blink::endOfSentence blink::SelectionModifier::modifyExtendingForward Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=375259:376290 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=402770:402790 Minimized Testcase (4.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95lt3aIcd1aOaw4eVZt4I90BPtei04W0TOj6BvvJbw3a2ncrO__0dX8Djbl9UnBTDXgQZjYArSwkAWM7UHDCK2UDJPhhz7ORrj2qwQwn9vp5_vIs-PXcm3nxsZXULDDqqGHhsQ2Y16i46c9WnCWwzf3An75sA?testcase_id=5964821900296192 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 30 2016
,
Jul 19 2016
,
Aug 10 2016
,
Aug 10 2016
[Automated comment] Commit may have occurred before M53 branch point (6/30/2016), needs manual review.
,
Aug 10 2016
Cl listed at #10 is already in M53 - Cr-Commit-Position: refs/heads/master@{#402775}. M53 was branched at #403382. so doesn't seem like M53 merge is needed here. awhalley@, could you PTAL and remove "Merge-Review-53" label if no merge is needed. Thank you.
,
Aug 10 2016
Yep, missed that - sorry!
,
Sep 14 2016
,
Oct 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 12 2016
,
Apr 25 2018
|
||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||
Comment 1 by infe...@chromium.org
, Jun 12 2016Components: Blink>Editing
Owner: yosin@chromium.org
Status: Assigned (was: Available)