New issue
Advanced search Search tips

Issue 628113 link

Starred by 1 user
Status: Fixed
Owner:
dgro...@chromium.org
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in blink::LayoutObject::setPreferredLogicalWidthsDirty

Project Member Reported by ClusterFuzz, Jul 14 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5331402921082880

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutObject::setPreferredLogicalWidthsDirty
  blink::LayoutTableSection::styleDidChange
  blink::LayoutObject::setStyle
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=404947:405052

Minimized Testcase (1.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95c8K65RsJ9lm7-ECdJ5htOwOxL62Oc_rhDY4SO2L8WZAQJ5SYMRm7Rz9f_JisbJmlo2PSrBoArxsjM5he_0FBRvr8hF_3WDam6ORd0O7UIkumHMFrdSHNczk_KyOwkLE8Dm8yR0uqZX5msCi1uQ7nVu3dANA?testcase_id=5331402921082880

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Jul 14 2016

Components: Blink>Layout
Labels: Pri-2
Owner: e...@chromium.org
eae@, may I ask you please to help to find an owner?
Project Member

Comment 2 by ClusterFuzz, Jul 14 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6304301765099520

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutTableSection::styleDidChange
  blink::LayoutObject::setStyle
  blink::Element::recalcOwnStyle
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=404947:405052

Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jypRSiELTuaNq1JidgW_jRbVbw_-JxPyp8bKXcFNsswJx4BpCmKS2QgStQCJak6M5h1B_yiQ_29XhG6hDQk7LLeMEmoSE0fyBgPBDwLgU1ARBrIJ2s3bg02R4EIDkSKKyJl1a-CzLFTiUwXi15pWAiYs64A?testcase_id=6304301765099520

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 14 2016

Labels: -Pri-2 Pri-1
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 14 2016

Status: Assigned (was: Available)

Comment 5 by e...@chromium.org, Jul 14 2016

Owner: dgro...@chromium.org
Looks like fallout from one of your table changes dgrogan :(


https://chromium.googlesource.com/chromium/src/+/596c28c4ab1759719fe00b8319571fba398f48e1

Comment 6 by dgro...@chromium.org, Jul 15 2016 

I suspect this is fixed by the issue 627839 patch. I'll let clusterfuzz recheck it.
Project Member

Comment 7 by ClusterFuzz, Jul 15 2016 

ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6304301765099520

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutTableSection::styleDidChange
  blink::LayoutObject::setStyle
  blink::Element::recalcOwnStyle
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=404947:405052
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=405500:405563

Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jypRSiELTuaNq1JidgW_jRbVbw_-JxPyp8bKXcFNsswJx4BpCmKS2QgStQCJak6M5h1B_yiQ_29XhG6hDQk7LLeMEmoSE0fyBgPBDwLgU1ARBrIJ2s3bg02R4EIDkSKKyJl1a-CzLFTiUwXi15pWAiYs64A?testcase_id=6304301765099520

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by dgro...@chromium.org, Jul 15 2016

Status: Fixed (was: Assigned)
Project Member

Comment 9 by ClusterFuzz, Jul 15 2016 

ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5331402921082880

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutObject::setPreferredLogicalWidthsDirty
  blink::LayoutTableSection::styleDidChange
  blink::LayoutObject::setStyle
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=404947:405052
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=405500:405563

Minimized Testcase (1.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95c8K65RsJ9lm7-ECdJ5htOwOxL62Oc_rhDY4SO2L8WZAQJ5SYMRm7Rz9f_JisbJmlo2PSrBoArxsjM5he_0FBRvr8hF_3WDam6ORd0O7UIkumHMFrdSHNczk_KyOwkLE8Dm8yR0uqZX5msCi1uQ7nVu3dANA?testcase_id=5331402921082880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by sheriffbot@chromium.org, Jul 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 21 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment