Crash in blink::Frame::page |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5226869037465600 Fuzzer: inferno_twister Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000028 Crash State: blink::Frame::page blink::Internals::setFocused blink::InternalsV8Internal::setFocusedMethodCallback Minimized Testcase (0.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VMVEgXcAlCETBYtF8om-Cl0_qOu7hNqrEtd_6ABnFyANIoB67nDgxuyN1F5PVvau2NSYgP4f95wGVDd64sWMGdhlW4p5HyODv4fsJ1A9Y_Eoha9Qg4d7td_jqWs4TiVlDvDI369PfVOu3HJb8hYqTBMQcuw?testcase_id=5226869037465600 Filer: mmohammad See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 30 2016
,
Jun 30 2016
Thanks, I didn't have time to work on this. I think we just need to insert a null check for frame()->page().
,
Jul 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7cbd7fb7916064d9a72b099c7ea6d1d5c9e769a1 commit 7cbd7fb7916064d9a72b099c7ea6d1d5c9e769a1 Author: sigbjornf <sigbjornf@opera.com> Date: Fri Jul 01 07:23:47 2016 Robustify Internals entry points against detached uses. Fuzzers generate pointless overhead using these test-only methods from frame-detached contexts. Add required nullchecks throughout. Simple test case for each of these entry points (w/ --run-layout-test): <a href="javascript:'replaced'" id=anchor>click</a> <script> anchor.click(); internals.someMethod(); console.log('no crash'); </script> R= BUG= 624549 Review-Url: https://codereview.chromium.org/2109613007 Cr-Commit-Position: refs/heads/master@{#403421} [modify] https://crrev.com/7cbd7fb7916064d9a72b099c7ea6d1d5c9e769a1/third_party/WebKit/Source/core/testing/Internals.cpp
,
Jul 1 2016
,
Jul 1 2016
ClusterFuzz has detected this issue as fixed in range 403412:403423. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5226869037465600 Fuzzer: inferno_twister Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000028 Crash State: blink::Frame::page blink::Internals::setFocused blink::InternalsV8Internal::setFocusedMethodCallback Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=403412:403423 Minimized Testcase (0.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VMVEgXcAlCETBYtF8om-Cl0_qOu7hNqrEtd_6ABnFyANIoB67nDgxuyN1F5PVvau2NSYgP4f95wGVDd64sWMGdhlW4p5HyODv4fsJ1A9Y_Eoha9Qg4d7td_jqWs4TiVlDvDI369PfVOu3HJb8hYqTBMQcuw?testcase_id=5226869037465600 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by mmohammad@chromium.org
, Jun 29 2016Owner: haraken@chromium.org
Status: Assigned (was: Available)