New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 641995 link

Starred by 1 user
Status: Fixed
Owner:
meade@chromium.org
Not working on Chrome any more
Closed: Sep 2016
Cc:
timloh@chromium.org
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , All
Pri: 1
Type: Bug-Security



Sign in to add a comment

value.isFunctionValue()

Project Member Reported by ClusterFuzz, Aug 29 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6302873694765056

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  value.isFunctionValue()
  blink::CSSTransformComponent::fromCSSValue
  blink::CSSTransformValue::fromCSSValue
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=413791:414128

Minimized Testcase (1.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97BrxC_6VC2KPrY2lw1ydf45UduE2zEGm210DR6DsIoNY4X8yQ2LXuY4eM3zgUKvcqYJ51Td_La-mx4yFdTLTIcrGOYBV8YN7aJ2klWbCg_MuicLAx8MHSRLAIEnb8gCrmYdrrcZaGBj3Sq8MRivQs7lPKUHA?testcase_id=6302873694765056

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by infe...@chromium.org, Aug 29 2016

Labels: -Type-Bug -Restrict-View-EditIssue Restrict-View-SecurityTeam Type-Bug-Security

Comment 2 by infe...@chromium.org, Aug 29 2016

Components: Blink>CSS
Labels: Security_Impact-Head Security_Severity-High OS-All
Owner: meade@chromium.org
Status: Assigned (was: Untriaged)
Author: meade
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3da351bc3124254baf2c705989e35d51b07fad96
Time: Wed Aug 24 04:37:15 2016
Lines 22-38, 61-72 of file StyleValueFactory.cpp which potentially caused crash are changed in this cl (frame #3, "blink::"; frame #4, "blink::StyleValueFactory::cssValueToStyleValueVector").

File InlineStylePropertyMap.cpp is changed in this cl (and is part of stack frame #5, "blink::InlineStylePropertyMap::getIterationEntries")
Minimum distance from crash line to modified line: 0. (file: StyleValueFactory.cpp, crashed on: 22, modified: 22).

Suspected Project: chromium
Suspected Component: Blink>CSS

Comment 3 by infe...@chromium.org, Aug 29 2016 

 Issue 642039  has been merged into this issue.
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 30 2016

Labels: M-54
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 30 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Sep 1 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 7 by meade@chromium.org, Sep 5 2016

Cc: timloh@chromium.org

Comment 8 by timloh@chromium.org, Sep 5 2016 

I ended up looking into the bug a bit -_-. Looks like CSSTransformValue::fromCSSValue is returning null for an unimplemented case, so StyleValueFactory::cssValueToStyleValueVector falls back to the list-handling case. So fromCSSValue is called with a CSSFunctionValue this time (which subclasses CSSValueList) and then we get 50px where we expect a function.

<div id=test style=transform:translateY(50px);></div>
<script>test.styleMap.entries();</script

Comment 9 by bustamante@chromium.org, Sep 6 2016 

Friendly ping, this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8

Comment 10 by bustamante@chromium.org, Sep 7 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Moving to ReleaseBlock-Stable to keep track of this for M54

Comment 11 by meade@chromium.org, Sep 9 2016

Labels: Merge-Request-54
Fix is on the queue, requesting merge approval once it lands: https://codereview.chromium.org/2313523002
Project Member

Comment 13 by sheriffbot@chromium.org, Sep 9 2016

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by dimu@chromium.org, Sep 10 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Project Member

Comment 15 by sheriffbot@chromium.org, Sep 10 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 16 by bugdroid1@chromium.org, Sep 12 2016

Labels: -merge-approved-54 merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d3411e8e492f0b0c067d519ada714986e58994f

commit 0d3411e8e492f0b0c067d519ada714986e58994f
Author: Eddy Mead <meade@chromium.org>
Date: Mon Sep 12 01:39:19 2016

Add check that the CSSValue is a valid type in CSSTransformComponent before casting.

BUG= 641995 

Review-Url: https://codereview.chromium.org/2313523002
Cr-Commit-Position: refs/heads/master@{#417535}
(cherry picked from commit 5c7a196f1f2a29d7e71b5dcf2051dbe0625d6519)

Review URL: https://codereview.chromium.org/2326423002 .

Cr-Commit-Position: refs/branch-heads/2840@{#294}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/0d3411e8e492f0b0c067d519ada714986e58994f/third_party/WebKit/LayoutTests/typedcssom/inlinestyle/transform.html
[modify] https://crrev.com/0d3411e8e492f0b0c067d519ada714986e58994f/third_party/WebKit/Source/core/css/cssom/CSSTransformComponent.cpp

Comment 17 by awhalley@chromium.org, Oct 7 2016

Labels: -ReleaseBlock-Stable
Project Member

Comment 18 by bugdroid1@chromium.org, Oct 27 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d3411e8e492f0b0c067d519ada714986e58994f

commit 0d3411e8e492f0b0c067d519ada714986e58994f
Author: Eddy Mead <meade@chromium.org>
Date: Mon Sep 12 01:39:19 2016

Add check that the CSSValue is a valid type in CSSTransformComponent before casting.

BUG= 641995 

Review-Url: https://codereview.chromium.org/2313523002
Cr-Commit-Position: refs/heads/master@{#417535}
(cherry picked from commit 5c7a196f1f2a29d7e71b5dcf2051dbe0625d6519)

Review URL: https://codereview.chromium.org/2326423002 .

Cr-Commit-Position: refs/branch-heads/2840@{#294}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/0d3411e8e492f0b0c067d519ada714986e58994f/third_party/WebKit/LayoutTests/typedcssom/inlinestyle/transform.html
[modify] https://crrev.com/0d3411e8e492f0b0c067d519ada714986e58994f/third_party/WebKit/Source/core/css/cssom/CSSTransformComponent.cpp
Project Member

Comment 19 by sheriffbot@chromium.org, Dec 16 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment