tzik, do you think you could help find an owner for this bug? Thanks!

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

hiroshige: This is another case of confusing lifetime management around WTF::bind. Maybe we should disallow Member as a bound arg. When a Member<> is bound to a WTF::Function, it doesn't retain the ownership and causes UAF.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e7d195955d69a096ba28bcb4be85df1d64ffa2a8

commit e7d195955d69a096ba28bcb4be85df1d64ffa2a8
Author: tzik <tzik@chromium.org>
Date: Tue Jun 21 18:42:43 2016

Retain strong reference of BlobCallback in CanvasAsyncBlobCreator

CanvasAsyncBlobCreator holds a BlobCallback and runs it asynchronously.
However, it can be destroyed before the callback invocation, and the
callback doesn't retain its ownership while it's in the task queue.

This CL makes the bound task to retain the shared ownership of
BlobCallback.

BUG= 621547 

Review-Url: https://codereview.chromium.org/2081873003
Cr-Commit-Position: refs/heads/master@{#401052}

[modify] https://crrev.com/e7d195955d69a096ba28bcb4be85df1d64ffa2a8/third_party/WebKit/Source/core/html/canvas/CanvasAsyncBlobCreator.cpp

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 401020:401085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6569452565168128

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0bf239fd4800
Crash State:
  Bad-cast to blink::BlobCallback from invalid vptr
  void WTF::PartBoundFunctionImpl<
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=399438:399445
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=401020:401085

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ilCsbwbvTKFqwBFRw5dUF4GlURF70BSFn8Hm_QrR7NcIpPnVtNbonKzMJGXinJYrMHzXCkwPS5OsZ-KUoo00FqirvgmFBO7FtfmZgeEBi3-yflUOz0wSq__h5nxTm8ACYtQCAD3BJfUPh_FQEbxZ4nnveOGODuBQpMiH0aaW4HDhYEpQ?testcase_id=6569452565168128


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Renaming Blink>WTF to Blink>Internals>WTF.

Marked as fixed in M53, removing ReleaseBlock-Beta.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot