New issue
Advanced search Search tips

Issue 626793 link

Starred by 1 user
Status: Duplicate
Merged: issue 626182
Owner:
wangxianzhu@chromium.org
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: ----
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in blink::PaintController::updateCacheGeneration

Project Member Reported by ClusterFuzz, Jul 8 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6044256712261632

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x2a711eb3
Crash State:
  blink::PaintController::updateCacheGeneration
  blink::PaintController::commitNewDisplayItems
  blink::GraphicsLayer::paint
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=403894:403906

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95IJubaH1b62cLrxl_u61y6AtwG-a7BboglnKoMrhkOOJ3eAaKty7AwHu4qro1-CMQiXa-W9kaCxW4gyNQJEG7Sh6efssOvyWX561V07Hh_QuLf_inWqjZVkaF2pv4VvdjUVSoI98qyZz3k4-VTPqr62TTcyN2NLiD-wTvQyqKpjcTk8Pg?testcase_id=6044256712261632


Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by och...@chromium.org, Jul 8 2016

Owner: wangxianzhu@chromium.org
wangxianzhu, it looks like this might be similar to bug 609218. Would you mind taking a look?

Comment 2 by och...@chromium.org, Jul 8 2016

Status: Assigned (was: Available)

Comment 3 by wangxianzhu@chromium.org, Jul 8 2016

Mergedinto: 626182
Status: Duplicate (was: Assigned)
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 20 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment