Bad-cast to blink::HTMLInputElement from blink::HTMLUnknownElement; blink::Internals::setValueForUser; blink::InternalsV8Internal::setValueForUserMethodCallback
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5454903453679616

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x1489d8f63278
Crash State:
  Bad-cast to blink::HTMLInputElement from blink::HTMLUnknownElement
  blink::Internals::setValueForUser
  blink::InternalsV8Internal::setValueForUserMethodCallback

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=370022:370027

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96vEtq_XcRtowOXWQREHpXu4TzDdjNovkiuILBZdcZBBT7PDtKY2Aj1FjU3xg-Jdh4F9_cOGRcC5ejxhYQQr2h8zKs4p-ZOw_u_pO99ggOi9lwne2RGpOFmYtsdc4MSg6dgPaFev6QR_xGOQYi92-3UUq0UnA?testcase_id=5454903453679616

<script>
function test() {
  internals.setValueForUser(tf, 'Hello!');
}
</script>
<body onload="test()">
<animateMotion id="tf">

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
> Looks like a window.internals API issue

Right. Not a production issue, but we should fix it.
Nov 14 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/827f68d2c9eda095e2f5876b846868efe4535c58

commit 827f68d2c9eda095e2f5876b846868efe4535c58
Author: sigbjornf <sigbjornf@opera.com>
Date: Mon Nov 14 09:04:29 2016

Internals.setValueForUser(): add argument type check.

R=tkent
BUG= 642066

Review-Url: https://codereview.chromium.org/2500793002
Cr-Commit-Position: refs/heads/master@{#431845}

[modify] https://crrev.com/827f68d2c9eda095e2f5876b846868efe4535c58/third_party/WebKit/Source/core/testing/Internals.cpp
[modify] https://crrev.com/827f68d2c9eda095e2f5876b846868efe4535c58/third_party/WebKit/Source/core/testing/Internals.h
[modify] https://crrev.com/827f68d2c9eda095e2f5876b846868efe4535c58/third_party/WebKit/Source/core/testing/Internals.idl
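The bad-cast and the argument type check, as an added illustration that is not Blink's code and not taken from the commit above: the element hierarchy, the isHTMLInputElement() predicate, the function names and the boolean result standing in for a DOM TypeError are all assumptions chosen to mirror the crash state in the report (an <animateMotion> in an HTML body parsed as HTMLUnknownElement, then downcast to HTMLInputElement without a check).

```cpp
// Added example, not Blink's own code: a cut-down model of the unchecked
// downcast behind this bad-cast and of the argument type check the fix adds.
// Class and function names are assumptions chosen to mirror the crash state;
// the real Blink classes and the Internals API are larger.
#include <cassert>
#include <memory>
#include <string>
#include <utility>

// Minimal element hierarchy. In an HTML document <animateMotion> outside an
// <svg> subtree is parsed as an HTMLUnknownElement, which is what the
// minimized test case hands to setValueForUser.
class Element {
 public:
  explicit Element(std::string tag) : tag_(std::move(tag)) {}
  virtual ~Element() = default;
  const std::string& tagName() const { return tag_; }
  virtual bool isHTMLInputElement() const { return false; }

 private:
  std::string tag_;
};

class HTMLUnknownElement : public Element {
 public:
  explicit HTMLUnknownElement(std::string tag) : Element(std::move(tag)) {}
};

class HTMLInputElement : public Element {
 public:
  HTMLInputElement() : Element("input") {}
  bool isHTMLInputElement() const override { return true; }
  // Virtual on purpose: a call through a mis-cast pointer dispatches via the
  // wrong vtable, which is exactly what -fsanitize=vptr reports as Bad-cast.
  virtual void setValueForUser(const std::string& value) { value_ = value; }
  const std::string& value() const { return value_; }

 private:
  std::string value_;
};

// The pattern that produced the report: the bindings layer passes a generic
// Element and the implementation downcasts it without checking. Calling this
// with anything but an HTMLInputElement is undefined behaviour, so the usage
// below never does.
void setValueForUserUnchecked(Element* element, const std::string& value) {
  static_cast<HTMLInputElement*>(element)->setValueForUser(value);
}

// The pattern the fix introduces: check the dynamic type before the cast and
// reject everything else. Blink would report the rejection to script as an
// exception (assumed); here it is a false return so callers can observe it.
bool setValueForUserChecked(Element* element, const std::string& value) {
  if (!element || !element->isHTMLInputElement())
    return false;
  static_cast<HTMLInputElement*>(element)->setValueForUser(value);
  return true;
}

// The two arguments the minimized test case exercises, constructed here.
std::unique_ptr<Element> makeAnimateMotionElement() {
  return std::make_unique<HTMLUnknownElement>("animateMotion");
}
std::unique_ptr<HTMLInputElement> makeInputElement() {
  return std::make_unique<HTMLInputElement>();
}

int main() {
  auto input = makeInputElement();
  auto unknown = makeAnimateMotionElement();
  assert(setValueForUserChecked(input.get(), "Hello!"));
  assert(input->value() == "Hello!");
  // The checked path refuses the <animateMotion> element instead of casting.
  assert(!setValueForUserChecked(unknown.get(), "Hello!"));
  return 0;
}
```

The point of the model is where the check lives: if the IDL accepts a plain Element, the generated bindings cannot reject the wrong subtype, so the implementation must do it before any static_cast, and a null argument needs the same treatment.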
Nov 14 2016
Nov 15 2016
ClusterFuzz has detected this issue as fixed in range 431842:431847.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5454903453679616

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=431842:431847

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by infe...@chromium.org, Aug 29 2016
Labels: -Security_Impact-Stable Security_Impact-None
Status: WontFix (was: Untriaged)