mustaq: Could you please take a look at this? Seems like it could potentially be related to https://chromium.googlesource.com/chromium/src/+/840adcf880f0246881f171ede42a3f0930743546

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 635570  has been merged into this issue.

Yikes! Looks like my refactoring CL dropped a check during a local rebase.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6f91db2f44e1d429f625b61e8f41016cac0c3a1

commit d6f91db2f44e1d429f625b61e8f41016cac0c3a1
Author: mustaq <mustaq@chromium.org>
Date: Wed Aug 10 18:27:35 2016

Added back a dropped event-type check.

BUG= 635571 

Review-Url: https://codereview.chromium.org/2225813004
Cr-Commit-Position: refs/heads/master@{#411086}

[modify] https://crrev.com/d6f91db2f44e1d429f625b61e8f41016cac0c3a1/third_party/WebKit/Source/core/events/EventTarget.cpp

ClusterFuzz has detected this issue as fixed in range 410916:411126.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4779268985061376

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000bfff8000
Crash State:
  blink::EventTarget::fireEventListeners
  blink::EventTarget::fireEventListeners
  blink::EventDispatcher::dispatch
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410031:410228
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=410916:411126

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95zk_vuOHnj0ajQv9mHbjMfSaJDMSsmsORso8x-_989IklDM5-WR7_1lo1Ct8M5uTe4To3SI4z61xcnGKMo83I7lxbcvO_WGJK4Oduoeh2ogI4qSh6e9eHSLNPk2emXGWFacz3hKFpRDCaVEYGDTrT0opnZjA?testcase_id=4779268985061376
<script>
function fuzz() {
  document.getElementById("listbox_option_enabled").addEventListener(
      "pointerdown", function() { try {; } catch (e) {}
 });
  e = document.createEvent("Event");
  var element = document.getElementById("listbox_option_enabled");
  e.initEvent("pointerdown");
  element.dispatchEvent(e);
}
 setTimeout(fuzz); </script>
<optgroup>
    <option id="listbox_option_enabled">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot