based on Findit result, assigning to fs@ Could you please take a look at the issue and assign it to concerned developer if your changes are not responsible?


Suspected CLs	The result is a list of CLs that change the crashed files.

Author: fs
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4acd739260230f59c08858a31e795c2dcfdc54d4
Time: Thu Feb 25 12:34:30 2016
Lines 209, 574 of file HTMLPlugInElement.cpp which potentially caused crash are changed in this cl (frame #1, "blink::HTMLPlugInElement::allowedToLoadObject"; frame #2, "blink::HTMLPlugInElement::createPluginWithoutLayoutObject").
Minimum distance from crash line to modified line: 0. (file: HTMLPlugInElement.cpp, crashed on: 574, modified: 574).

Suspected Project: chromium
Suspected Component: Blink>HTML

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/386e769dbd70b39c348bd663749858f117654408

commit 386e769dbd70b39c348bd663749858f117654408
Author: fs <fs@opera.com>
Date: Tue Jul 19 16:50:42 2016

Only flag the LayoutObject on CSP error if one is attached

When instantiating a plugin through the (somewhat special) code-path
that does not require a LayoutObject to be present, we would end up
dereferencing a null-pointer if a CSP error was flagged, failing the
plugin load sequence.

BUG= 627694 

Review-Url: https://codereview.chromium.org/2162473003
Cr-Commit-Position: refs/heads/master@{#406295}

[add] https://crrev.com/386e769dbd70b39c348bd663749858f117654408/third_party/WebKit/LayoutTests/fast/plugins/plugin-without-layout-csp-error-crash-expected.txt
[add] https://crrev.com/386e769dbd70b39c348bd663749858f117654408/third_party/WebKit/LayoutTests/fast/plugins/plugin-without-layout-csp-error-crash.html
[modify] https://crrev.com/386e769dbd70b39c348bd663749858f117654408/third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp

ClusterFuzz has detected this issue as fixed in range 406277:406306.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4574134168453120

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x0000000000c4
Crash State:
  blink::LayoutEmbeddedObject::setPluginUnavailabilityReason
  blink::HTMLPlugInElement::allowedToLoadObject
  blink::HTMLPlugInElement::createPluginWithoutLayoutObject
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=377548:377566
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=406277:406306

Minimized Testcase (0.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tzQDHoXiT0Ntm-ktx3w_oNizWqHI1yvNFTLiPSoUTnLNiw_25vzaFOfyJ-qmSACg9VepFXty8Ge7om1EFjAqg-EACN7TdFxxDLL4G08hLCcFSW6vvgqleSZIEDngz9KvzOVZg9IKOJ5mWzq5BTyo3UkVm6Q?testcase_id=4574134168453120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M53 (branch: 2785)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6899c4fef931853289e2a042e87c01b2aa69e88b

commit 6899c4fef931853289e2a042e87c01b2aa69e88b
Author: Fredrik Söderquist <fs@opera.com>
Date: Thu Jul 21 10:27:28 2016

Only flag the LayoutObject on CSP error if one is attached

When instantiating a plugin through the (somewhat special) code-path
that does not require a LayoutObject to be present, we would end up
dereferencing a null-pointer if a CSP error was flagged, failing the
plugin load sequence.

BUG= 627694 

Review-Url: https://codereview.chromium.org/2162473003
Cr-Commit-Position: refs/heads/master@{#406295}
(cherry picked from commit 386e769dbd70b39c348bd663749858f117654408)

Review URL: https://codereview.chromium.org/2166273002 .

Cr-Commit-Position: refs/branch-heads/2785@{#261}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[add] https://crrev.com/6899c4fef931853289e2a042e87c01b2aa69e88b/third_party/WebKit/LayoutTests/fast/plugins/plugin-without-layout-csp-error-crash-expected.txt
[add] https://crrev.com/6899c4fef931853289e2a042e87c01b2aa69e88b/third_party/WebKit/LayoutTests/fast/plugins/plugin-without-layout-csp-error-crash.html
[modify] https://crrev.com/6899c4fef931853289e2a042e87c01b2aa69e88b/third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot