New issue
Advanced search Search tips

Issue 638185 link

Starred by 1 user
Status: Verified
Owner:
chrishtr@chromium.org
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Blocking:
issue 638219



Sign in to add a comment

Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern;blink::PaintInvalidationState::updateForNormalChildren;blink::PaintInvalidationState::updateForChildren

Project Member Reported by ClusterFuzz, Aug 16 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5246295986143232

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x3a1ca9e84000
Crash State:
  Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern
  blink::PaintInvalidationState::updateForNormalChildren
  blink::PaintInvalidationState::updateForChildren
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=411529:411868

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96eOXOj4RMtPbxtPFGflXEaQyIPhuOBmubNOX79ilidfFn268TXIqfzj3gSPq7iZaGag6ya7lkoO9Y3ndXh7vPYQljHDCOdalG6nxh6SYNSd3V6lTRFVcHn0ZDbxz7Sor1Bjyr5P_GkB23GqfbQmpFA_9xG93JSW6sMlxGa2_fsrDO6dUY?testcase_id=5246295986143232


Additional requirements: Requires Gestures

Issue manually filed by: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Aug 16 2016

Components: Blink>Layout
Labels: Pri-2
Owner: chrishtr@chromium.org
chrishtr@, looks like your recent change introduced the issue:

The result is a list of CLs that change the crashed files.

Author: chrishtr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3d30a67e378ec3fcaac5809305584bbabca88e18
Time: Sat Aug 13 01:17:59 2016
Lines 314 of file PaintInvalidationState.cpp which potentially caused crash are changed in this cl (frame #1, "blink::PaintInvalidationState::updateForNormalChildren").

File LayoutBox.cpp is changed in this cl (and is part of stack frame #5, "blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded")
Minimum distance from crash line to modified line: 0. (file: PaintInvalidationState.cpp, crashed on: 314, modified: 314).
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 16 2016

Labels: M-54
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 16 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 16 2016

Labels: -Pri-2 Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 16 2016

Status: Assigned (was: Untriaged)

Comment 6 by mmoroz@chromium.org, Aug 16 2016

Blocking: 638219

Comment 7 by mmoroz@chromium.org, Aug 16 2016 

 Issue 638221  has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Aug 17 2016 

ClusterFuzz has detected this issue as fixed in range 412308:412331.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5246295986143232

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x3a1ca9e84000
Crash State:
  Bad-cast to const blink::LayoutBox from blink::LayoutSVGResourcePattern
  blink::PaintInvalidationState::updateForNormalChildren
  blink::PaintInvalidationState::updateForChildren
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=411529:411868
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=412308:412331

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96eOXOj4RMtPbxtPFGflXEaQyIPhuOBmubNOX79ilidfFn268TXIqfzj3gSPq7iZaGag6ya7lkoO9Y3ndXh7vPYQljHDCOdalG6nxh6SYNSd3V6lTRFVcHn0ZDbxz7Sor1Bjyr5P_GkB23GqfbQmpFA_9xG93JSW6sMlxGa2_fsrDO6dUY?testcase_id=5246295986143232


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Aug 17 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Aug 17 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 11 by sheriffbot@chromium.org, Nov 23 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment