Heap-use-after-free in blink::HTMLElement::offsetLeftForBinding |
Issue description (Jul 7 2016)

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6748461831815168

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x29de51bb
Crash State:
  blink::HTMLElement::offsetLeftForBinding
  blink::HTMLElementV8Internal::offsetLeftAttributeGetter
  v8::internal::FunctionCallbackArguments::Call

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=403408:403412

Minimized Testcase (0.38 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94g17glsYpWYXDjtxaC-rpo-iRUnRVwQTVprX1_7x56hMd0G5Mh8kjxN6stviv9_l4j6KAv_iyO2ajU44QqKCD7AAmQ8D4nRX143B3E8UoerR0mpsRbSsva_eMur3dy1oEk6TPll9EDpIUzI1Z1uwz030qdDw?testcase_id=6748461831815168

  <script>
  function __f_0() {
    var __v_1 = document.getElementById("test");
    var __v_2 = __v_1.offsetLeft + __v_1.offsetWidth - 8;
  }
  </script>
  <style>
  div { position: absolute; }
  #test { -webkit-filter: opacity(0) url(#f);
  </style>
  <div id="test">
  <svg>
  <filter id="f">
  <script>
  testLosingRendererOnClick = __f_0;
  testLosingRendererOnClick();
  </script>

(The testcase is reproduced as filed: the closing brace of the #test rule and the closing tags for div, svg and filter are absent in the minimized file.)

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment by Sheriffbot, Oct 14 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by calamity@chromium.org, Jul 7 2016

Components: Blink>CSS