New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 631368 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Not working on Chrome any more
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in blink::getPropertyNameString

Project Member Reported by ClusterFuzz, Jul 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4892616789590016

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000397
Crash State:
  blink::getPropertyNameString
  blink::InlineStylePropertyMap::getProperties
  blink::StylePropertyMapV8Internal::getPropertiesMethod
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=407460:407477

Minimized Testcase (2.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96D1B6rrWAfFCLBWoa6JBuLxVEMIR7tdWnXw69LyMxjkmrXrNbxxqfgOheSMglfomB3Qp3W3HQANaNY7QkAyH6KlmKl5S4XA3u2HHeb1ET5RNuId6HaSw-3M59X5BSzNWB8PUDLi-jX6ct7k6Km64G9wpBXMA?testcase_id=4892616789590016

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>WrongResult
Labels: -Pri-1 -Type-Bug M-54 findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)
Based on the Code Search for the file - StringImpl.h

Suspecting Commit - a5673d69964d773f0111e2e6a600ac180587c2f6

Review URL - https://codereview.chromium.org/2146163003

@esprehn: Could you please look into this issue.

Thank you.
Cc: esprehn@chromium.org
Components: Blink>CSS
Owner: meade@chromium.org
Looks like a style bug?
 Issue 634410  has been merged into this issue.

Comment 4 by aarya@google.com, Aug 10 2016

Labels: -Restrict-View-EditIssue -Type-Bug-Regression Restrict-View-SecurityTeam Type-Bug-Security
634410 is a security bug, adding flags.
This looks like a nullptr crash to me? Crash Address: 0x00000397

Comment 6 by aarya@google.com, Aug 10 2016

Cc: timloh@chromium.org
See repro in https://bugs.chromium.org/p/chromium/issues/detail?id=634410. Maybe the duplication is wrong, but stack looked similar to timloh@.
Labels: -Pri-2 Pri-1
Ouch that's pretty bad, needs to be fixed faster than a P2 then. Also that crazy CF test case probably needs to be reduced.

timloh@, meade@ would one of you take this on? :)

Comment 8 by timloh@chromium.org, Aug 10 2016

meade@ has a patch up: https://codereview.chromium.org/2227503002/

Comment 9 by och...@chromium.org, Aug 10 2016

Labels: Security_Impact-Head Security_Severity-Medium

Comment 10 by meade@chromium.org, Aug 10 2016

Status: Started (was: Assigned)
Yep, on the commit queue now :)
Project Member

Comment 12 by sheriffbot@chromium.org, Aug 10 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 13 by ClusterFuzz, Aug 10 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by sheriffbot@chromium.org, Aug 11 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 15 by sheriffbot@chromium.org, Nov 17 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment