Crash in blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5723385007177728

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0052b673
Crash State:
  blink::ComputeFloatOffsetForFloatLayoutAdapter<2>::heightRemaining
  blink::FloatingObjects::logicalLeftOffsetForPositioningFloat
  blink::LayoutBlockFlow::computeLogicalLocationForFloat

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=403437:403457

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97HqOT98Z51QaySV-1Gxaq_WLY5Ghcp2OTdXqbCxHEHdCcT3pIItmN3gjlWSwyRPTZp2PXsiHEtVY-llmb-MB3K9u1CaNDr0pNOBWYQJCIcXTS4xTMa5E5LSPrSnYNilFLHLjYogSpIqHexDVFM2BR5CCLnCJvwgx3swaNwA0ekmIqc0ns?testcase_id=5723385007177728

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 13 2016
The only Blink change in the regression range is c825d655f6aaf73484f9d56e9012793f5b9668cc which has an SVG change. Test case uses SVG so it's the likely culprit.
Jul 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8583ce1a114e429f617e4ab8eda196ca42a78386

commit 8583ce1a114e429f617e4ab8eda196ca42a78386
Author: eae <eae@chromium.org>
Date: Wed Jul 13 20:16:42 2016

Revert "SVGLength.value setter should set the value to <number>"

This reverts r403440 (commit c825d655f6aaf73484f9d56e9012793f5b9668cc), as it caused a security regression.

BUG= 626790
TBR=shanmuga.m@samsung.com

Review-Url: https://codereview.chromium.org/2147003002
Cr-Commit-Position: refs/heads/master@{#405264}

[delete] https://crrev.com/c266ae372af8fff6fc0ef7255edab5e6d5453bd4/third_party/WebKit/LayoutTests/svg/dom/SVGLength-value-setter.html
[modify] https://crrev.com/8583ce1a114e429f617e4ab8eda196ca42a78386/third_party/WebKit/Source/core/svg/SVGLength.cpp
[modify] https://crrev.com/8583ce1a114e429f617e4ab8eda196ca42a78386/third_party/WebKit/Source/core/svg/SVGLength.h
[modify] https://crrev.com/8583ce1a114e429f617e4ab8eda196ca42a78386/third_party/WebKit/Source/core/svg/SVGLengthTearOff.cpp
Jul 14 2016
@eae, could you please share the TC, if possible. I am not sure how the reverted patch is causing the crash!!
Jul 26 2016
This regressed in M-54, not M-53.
Sep 20 2016
Changing ownership to access the testcase for a bug.
Oct 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot