
Issue 642999

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 642803
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to cc::BeginFrameSource from invalid vptr

Project Member Reported by ClusterFuzz, Sep 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815935561269248

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000000000000
Crash State:
  Bad-cast to cc::BeginFrameSource from invalid vptr
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97sIjKJw5sbHqpBiyZ6eLD9HzSFM3T6DfjdLueA4odIFFL-9hAhKUkLH2_I2xLXywPZyla5-ZpxlxGpZ5sNzz4rKhqKWBZEO3Jt0lAuHBmxWDIaDV79rgSnW4rjuIMHg0v2MPNyPd1rKbPFf0Gf7j5uWtRrjA?testcase_id=4815935561269248


Additional requirements: Requires Gestures

Issue manually filed by: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by vakh@chromium.org, Sep 1 2016

Cc: rjkroege@chromium.org sadrul@chromium.org enne@chromium.org kylec...@chromium.org markdittmer@chromium.org piman@chromium.org vmi...@chromium.org penghuang@chromium.org siev...@chromium.org
Components: MUS
Owner: danakj@chromium.org
danakj@ -- can you please take a look and help triage? Thanks.

Comment 2 by vakh@chromium.org, Sep 1 2016

Labels: Pri-1
Making P1 based on current severity. Please feel free to update.

Comment 3 by vakh@chromium.org, Sep 1 2016

Labels: Security_Impact-Head
This seems to be the culprit CL: https://chromium.googlesource.com/chromium/src/+/6f2861b9c957c7374a2a2c084c6cafba01b5e5d6
Applying label Security_Impact-Head based on that CL's recency.
Cc: -markdittmer@chromium.org
Comment 6 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: M-54
Comment 7 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 8 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Status: Assigned (was: Untriaged)

Comment 9 by enne@chromium.org, Sep 1 2016

vakh: How did you determine this was danakj's CL? The stack trace really does look more like this is a dupe of issue 642803, caused by the CL that vmiura mentions in #5.
I can't see 642803 but I was going to guess-assign this to enne@ for changing BFS types stuff :)
Mergedinto: 642803
Owner: enne@chromium.org
Status: Duplicate (was: Assigned)
I think it is your CL enne. It's in the fuzz regression range (my SetVisible one is not)
Comment 12 by sheriffbot@chromium.org (Project Member), Dec 16 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -MUS Internals>Services>WindowService
