Issue 636453 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Aug 2016
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	----
Type:	Bug-Security
Reproducible Stability-Memory-AddressSanitizer Security_Impact-None Security_Severity-High allpublic Clusterfuzz

Heap-use-after-free in blink::CharacterData::setDataAndUpdate

Project Member Reported by ClusterFuzz, Aug 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5409788823601152

Fuzzer: bj_broddelwerk
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x05817380
Crash State:
  blink::CharacterData::setDataAndUpdate
  blink::CharacterData::deleteData
  blink::Range::processContentsBetweenOffsets
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=410785:410916

Minimized Testcase (0.95 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv945iHM_R8YVp4yOIQ9QogIY3skAgXRDgsLd-s6j0MZ4vX9G99WJHG_i0O5-hOXCvYC91qXOL0YEB3fe9xbIj4M4gRikaaN6Wb93oE_lFLrm-ufuYMFeUQFjvBuyJW0oTWCwbmrnBo4ukxjFv1ZsA3ajCkgheg?testcase_id=5409788823601152
<style>
.CLASS1{-webkit-line-box-contain:glyphs;word-break:break-all;}
.CLASS5{box-pack:start;max-width:95vh !important;</style>
<script>
function event_handler_64_DOMNodeInsertedIntoDocument() {
    var oParentElement = ({
  })();
    var oInsertedElement = ({
  })();
}
function event_handler_66_DOMContentLoaded() {
    var oParent = (function(){
    var aoElements = document.getElementsByTagName("*");
    if (aoElements.length) return aoElements[32 % aoElements.length];
  })();
  var oSelection=window.getSelection();
  document.execCommand("SelectAll")
  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(71 % oSelection.rangeCount) : null;
oRange.deleteContents()
}
document.addEventListener("DOMContentLoaded", event_handler_66_DOMContentLoaded);
  </script>
<body class="CLASS5"nl">
<abbr class="CLASS1">
<button>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AxBxC
<button>
AxBxC AxBxC
</button>


Issue manually filed by: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by och...@chromium.org, Aug 10 2016

Labels: Security_Impact-None

None of these seem to be reproducible in any other configuration, so these may be bogus. Security_Impact-None until we figure this out.

Comment 2 by infe...@chromium.org, Aug 24 2016

Status: WontFix (was: Untriaged)

These were all false positives, fixed with latest win asan builds.

Project Member

Comment 3 by sheriffbot@chromium.org, Nov 30 2016

Labels: -Restrict-View-SecurityTeam allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 636453 link

Issue metadata

Heap-use-after-free in blink::CharacterData::setDataAndUpdate

Issue description

Comment 1 by och...@chromium.org, Aug 10 2016

Comment 1 Deleted

Comment 2 by infe...@chromium.org, Aug 24 2016

Comment 2 Deleted

Comment 3 by sheriffbot@chromium.org, Nov 30 2016

Comment 3 Deleted

Sign in to add a comment