New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 623996 link

Starred by 1 user
Status: Verified
Owner:
e...@chromium.org
Closed: Jun 2016
Cc:
wkorman@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in blink::LineBoxList::deleteLineBoxes

Project Member Reported by ClusterFuzz, Jun 28 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6555433150185472

Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LineBoxList::deleteLineBoxes
  blink::LayoutBlockFlow::layoutInlineChildren
  blink::LayoutBlockFlow::layoutBlockFlow
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zK-W3BggybNsKOAmqSdimld5MWK341cHoc479cCHsPyPptY8oWTTm-Opm3fsmiQr2YX2TI6ZrkkR1jFCDuB8uu7rS66fMsPVRoFe5K_rKRV7NPI36L5hnZL6ZzcMjLZSs59g0XXjf8iJWW_OILjKtlt3NUGcL5e2cULyNdqQjRiqNr4Q?testcase_id=6555433150185472


Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by palmer@chromium.org, Jun 28 2016

Cc: e...@chromium.org wkorman@chromium.org
Labels: M-53 OS-Android OS-Chrome OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Available)

Comment 2 by dsinclair@chromium.org, Jun 28 2016

Cc: -e...@chromium.org
Owner: e...@chromium.org

Comment 3 by palmer@chromium.org, Jun 28 2016

Components: Blink>Layout
Project Member

Comment 4 by ClusterFuzz, Jun 29 2016 

ClusterFuzz has detected this issue as fixed in range 402316:402437.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6555433150185472

Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LineBoxList::deleteLineBoxes
  blink::LayoutBlockFlow::layoutInlineChildren
  blink::LayoutBlockFlow::layoutBlockFlow
  
Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=402316:402437

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zK-W3BggybNsKOAmqSdimld5MWK341cHoc479cCHsPyPptY8oWTTm-Opm3fsmiQr2YX2TI6ZrkkR1jFCDuB8uu7rS66fMsPVRoFe5K_rKRV7NPI36L5hnZL6ZzcMjLZSs59g0XXjf8iJWW_OILjKtlt3NUGcL5e2cULyNdqQjRiqNr4Q?testcase_id=6555433150185472


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jun 29 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Jun 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

Sign in to add a comment