
Issue 642064


Issue metadata

Status: Duplicate
Merged: issue 632848
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to blink::LayoutBox from blink::LayoutText;blink::LayoutBox::nextSiblingBox;blink::LayoutBlockFlow::layoutBlockChildren

Project Member Reported by ClusterFuzz, Aug 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853581708787712

Fuzzer: attekett_surku_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0bb1c042c090
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutText
  blink::LayoutBox::nextSiblingBox
  blink::LayoutBlockFlow::layoutBlockChildren
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=396810:396849

Minimized Testcase (0.75 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rj5FIBVpDWL42_68660q1hB4wfIyrpNdKlGYMycqji6Qvf2dmqTVpAiAdqnRB6P29M9iYahS3Po5WJgHIrui_KpD1A1u5vWljqHBbtq3fGG2BcfIY1VI304J7i-MWauMLH2IEN_lwQuQ-jGDeSKYWfrlaXA?testcase_id=4853581708787712
<span id='c2'></span>
<script>
    // Sequence: keydown -> span requests fullscreen -> 'webkitfullscreenchange'
    // fires -> callback appends a child to the fullscreen span, then exits fullscreen.
    var callback;
    var fullscreenChanged = function(event) {
        callback();
    };
    document.addEventListener('webkitfullscreenchange', fullscreenChanged);

    var span = document.getElementById('c2');
    var div = span.parentNode;
    var spanEnteredFullScreen = function() {
        setTimeout(function () {
            // Mutate the fullscreen element's subtree, then leave fullscreen.
            span.appendChild(document.createElement('div'));
            window.layoutTestController;  // no-op expression statement
            document.webkitCancelFullScreen();
        }, 0);
    };

    callback = spanEnteredFullScreen;
    // Fullscreen requests need a user gesture (see "Requires Gestures" below).
    document.addEventListener('keydown', function () {
        span.webkitRequestFullScreen();
    });
</script>



Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: e...@chromium.org
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Dan, can you please take a look.
Components: Blink>Layout
Cc: -e...@chromium.org
Owner: e...@chromium.org
eae@ to triage for layout-dev.
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 30 2016

Labels: M-53
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 30 2016

Labels: ReleaseBlock-Stable
Project Member

Comment 6 by sheriffbot@chromium.org, Aug 30 2016

Labels: Pri-1
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 31 2016

Labels: M-53

Comment 8 by gov...@chromium.org, Aug 31 2016

Cc: awhalley@chromium.org
+awhalley@
We're cutting an M53 RC today; I don't believe this warrants blocking that.
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 1 2016

Labels: -Security_Impact-Beta Security_Impact-Stable
This bug is marked as an M53 Stable blocker. The fix has to be landed/baked/verified in Canary and merged to M53 branch 2785 by 3:00 PM Tuesday (09/06/16) at the latest in order to make it into next week's Stable build cut (sooner the better if possible).
Labels: -ReleaseBlock-Stable
Project Member

Comment 13 by ClusterFuzz, Sep 7 2016

ClusterFuzz has detected this issue as fixed in range 416613:416628.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853581708787712

Fuzzer: attekett_surku_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0bb1c042c090
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutText
  blink::LayoutBox::nextSiblingBox
  blink::LayoutBlockFlow::layoutBlockChildren
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=396810:396849
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=416613:416628

Minimized Testcase (0.75 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rj5FIBVpDWL42_68660q1hB4wfIyrpNdKlGYMycqji6Qvf2dmqTVpAiAdqnRB6P29M9iYahS3Po5WJgHIrui_KpD1A1u5vWljqHBbtq3fGG2BcfIY1VI304J7i-MWauMLH2IEN_lwQuQ-jGDeSKYWfrlaXA?testcase_id=4853581708787712
<span id='c2'></span>
<script>
    // Sequence: keydown -> span requests fullscreen -> 'webkitfullscreenchange'
    // fires -> callback appends a child to the fullscreen span, then exits fullscreen.
    var callback;
    var fullscreenChanged = function(event) {
        callback();
    };
    document.addEventListener('webkitfullscreenchange', fullscreenChanged);

    var span = document.getElementById('c2');
    var div = span.parentNode;
    var spanEnteredFullScreen = function() {
        setTimeout(function () {
            // Mutate the fullscreen element's subtree, then leave fullscreen.
            span.appendChild(document.createElement('div'));
            window.layoutTestController;  // no-op expression statement
            document.webkitCancelFullScreen();
        }, 0);
    };

    callback = spanEnteredFullScreen;
    // Fullscreen requests need a user gesture (see "Requires Gestures" below).
    document.addEventListener('keydown', function () {
        span.webkitRequestFullScreen();
    });
</script>



Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 14 by ClusterFuzz, Sep 7 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 15 by sheriffbot@chromium.org, Sep 7 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 16 by sheriffbot@chromium.org, Sep 9 2016

Labels: Merge-Request-54

Comment 17 by dimu@chromium.org, Sep 10 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 13 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 19 by sheriffbot@chromium.org, Sep 17 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 20 by ClusterFuzz, Oct 7 2016

ClusterFuzz has detected this issue as fixed in range 416613:416628.
Mergedinto: 632848
Status: Duplicate (was: Verified)
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 13 2016

Labels: -reward-topanel reward-ineligible

Comment 23 by e...@chromium.org, Dec 13 2016

Labels: -Hotlist-Merge-Approved -Merge-Approved-54
No merge needed.
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 15 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
