Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6375056907436032
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60f0000395c6
Crash State:
  blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP
  blink::BreakingContext::handleText
  blink::LineBreaker::nextLineBreak
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=416606:416613
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97UMK88gLtI1XfoHOl80ll750fiUceQXNovouZhlR49d2-K0ACfB45XO3W0NVkbcWsvY08b2ZO4oBbOtTZCTJMwSzDQRMJJ1xViZNakjDtn7nJV9yf3amZ_wLFKBhPwqXI_v84nB2k2oky6i3xk_5ju_u8zxA?testcase_id=6375056907436032
Test: OS灤㌝.c92 { animation-name: cfpulse92;<style> * { animation-name: cfpulse73; text-transform: capitalize;<script>
Additional requirements: Requires HTTP
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Almost certainly https://codereview.chromium.org/2305833002, which is 3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658, is in the revision range and touched function blink::LayoutText::applyTextTransformFromTo in the call stack. I will revert shortly.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b918a399a2af11b95df12949815b20c7b2b2a482

commit b918a399a2af11b95df12949815b20c7b2b2a482
Author: wfh <wfh@chromium.org>
Date: Thu Sep 08 01:38:40 2016

Revert of Apply first-line transform-text style (patchset #1 id:1 of https://codereview.chromium.org/2305833002/ )

Reason for revert: see crbug.com/644733

Original issue's description:
> Apply first-line transform-text style
>
> BUG=129669
>
> Committed: https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658
> Cr-Commit-Position: refs/heads/master@{#416608}

TBR=eae@chromium.org,robhogan@gmail.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=129669,644733

Review-Url: https://codereview.chromium.org/2317303002
Cr-Commit-Position: refs/heads/master@{#417154}

[delete] https://crrev.com/05fc08750bd6c061013232ed4879b4e73f47e94b/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[delete] https://crrev.com/05fc08750bd6c061013232ed4879b4e73f47e94b/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/b918a399a2af11b95df12949815b20c7b2b2a482/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Reverted, marking as fixed.
ClusterFuzz has detected this issue as fixed in range 417138:417186.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6375056907436032
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x60f0000395c6
Crash State:
  blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP
  blink::BreakingContext::handleText
  blink::LineBreaker::nextLineBreak
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=416606:416613
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=417138:417186
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97UMK88gLtI1XfoHOl80ll750fiUceQXNovouZhlR49d2-K0ACfB45XO3W0NVkbcWsvY08b2ZO4oBbOtTZCTJMwSzDQRMJJ1xViZNakjDtn7nJV9yf3amZ_wLFKBhPwqXI_v84nB2k2oky6i3xk_5ju_u8zxA?testcase_id=6375056907436032
Test: OS灤㌝.c92 { animation-name: cfpulse92;<style> * { animation-name: cfpulse73; text-transform: capitalize;<script>
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa

commit 25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa
Author: robhogan <robhogan@gmail.com>
Date: Mon Sep 12 20:42:02 2016

Apply first-line transform-text style

A second go at https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658

BUG=129669,644733

Review-Url: https://codereview.chromium.org/2331793002
Cr-Commit-Position: refs/heads/master@{#418032}

[add] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[add] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
Re-opening this ticket, due to https://bugs.chromium.org/p/chromium/issues/detail?id=646348, which appears to still be hitting.
Issue 646348 has been merged into this issue.
Can you add me to that issue please?
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bb4ee8efe0d1e24a11a9f397a480908012b31acc

commit bb4ee8efe0d1e24a11a9f397a480908012b31acc
Author: robhogan <robhogan@gmail.com>
Date: Wed Sep 14 00:16:02 2016

Revert of Apply first-line transform-text style (patchset #3 id:40001 of https://codereview.chromium.org/2331793002/ )

Reason for revert: Still hitting clusterfuzz.

Original issue's description:
> Apply first-line transform-text style
>
> A second go at https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658
>
> BUG=129669,644733
>
> Committed: https://crrev.com/25c2cadce2d4a92f4f0f8b669fed2d097a6b7afa
> Cr-Commit-Position: refs/heads/master@{#418032}

TBR=eae@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=129669,644733

Review-Url: https://codereview.chromium.org/2337133004
Cr-Commit-Position: refs/heads/master@{#418432}

[delete] https://crrev.com/4aabce05f776aa8c56e1d208f9c27423ea90690b/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[delete] https://crrev.com/4aabce05f776aa8c56e1d208f9c27423ea90690b/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/bb4ee8efe0d1e24a11a9f397a480908012b31acc/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
@pennymac, could you add me to https://bugs.chromium.org/p/chromium/issues/detail?id=646348 please?
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e17f77cab60f321629c438796cc14fae3f2fa7dc

commit e17f77cab60f321629c438796cc14fae3f2fa7dc
Author: robhogan <robhogan@gmail.com>
Date: Thu Sep 15 12:07:33 2016

Apply first-line transform-text style

A third go at https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658

Although I still can't reproduce the clusterfuzz reports locally I'm confident this will cure the specific crashes because I'm no longer transforming the first line's text unless it has a distinct first-line style (:/).

BUG=129669,644733

Review-Url: https://codereview.chromium.org/2339683004
Cr-Commit-Position: refs/heads/master@{#418840}

[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize-expected.txt
[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize.html
[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase-expected.txt
[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase.html
[add] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d20ce6090a7fd879d433d9d8df0e50100914352b

commit d20ce6090a7fd879d433d9d8df0e50100914352b
Author: robhogan <robhogan@gmail.com>
Date: Mon Sep 26 20:59:13 2016

Revert of Apply first-line transform-text style (patchset #1 id:1 of https://codereview.chromium.org/2339683004/ )

Reason for revert: This is still causing asan crashes. The crashes seem specific to cases where the transformed text is longer than the original text. I think the Iterator object is keeping a pointer to the text and the reallocation required to fit the new text throws it out.

Original issue's description:
> Apply first-line transform-text style
>
> A third go at https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658
>
> Although I still can't reproduce the clusterfuzz reports locally I'm confident
> this will cure the specific crashes because I'm no longer transforming the
> first line's text unless it has a distinct first-line style (:/).
>
> BUG=129669,644733
>
> Committed: https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc
> Cr-Commit-Position: refs/heads/master@{#418840}

TBR=eae@chromium.org
BUG=129669,644733,649810

Review-Url: https://codereview.chromium.org/2369113002
Cr-Commit-Position: refs/heads/master@{#420988}

[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize.html
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase.html
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6730d40caf6a1fc4bc6a6f05903730226dd0f54e

commit 6730d40caf6a1fc4bc6a6f05903730226dd0f54e
Author: Robert Hogan <robhogan@gmail.com>
Date: Thu Aug 31 22:33:11 2017

Apply first-line transform-text style

This is a new attempt at applying text transform using first-line style. Previous attempts manipulated the string stored in the layout object, but this revised approach instead manipulates the text at paint time. This does have the downside that if you copy/paste the text you won't get the transformed text, but that appears to be OK per the spec https://drafts.csswg.org/css-text-3/#text-transform which says: "This property transforms text for styling purposes. (It has no effect on the underlying content.)"

Bug: 129669, 644733
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I68b9cda7d92fdd19f4dd71854dd9d41c26c74c90
Reviewed-on: https://chromium-review.googlesource.com/603855
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Robert Hogan <robhogan@gmail.com>
Cr-Commit-Position: refs/heads/master@{#499052}

[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize-expected.html
[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize.html
[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.html
[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase-expected.html
[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase.html
[add] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/6730d40caf6a1fc4bc6a6f05903730226dd0f54e/third_party/WebKit/Source/core/paint/InlineTextBoxPainter.cpp
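The revert of patchset 2339683004 above diagnoses the crash as an iterator keeping a pointer into the text while a longer transformed string replaces it, and the 2017 commit above avoids that by transforming at paint time and leaving the layout object's string alone. The toy C++ model below is an added example, not Blink code, that contrasts the two designs on constructed input; `Uppercase`, `SnapshotBreakIterator`, `LayoutText`, `PaintRun` and the break-after-space rule are all invented for illustration and stand in for Blink's transform, LazyLineBreakIterator and LineBreaker only in shape. It uses an uppercase transform (sharp s becoming "SS") because lengthening is what the revert singles out; the page's test case used `capitalize`, but the hazard is the same whenever the output is longer than the input.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>
#include <vector>

// Toy text transform that can lengthen its input: ASCII letters are
// uppercased and U+00DF (sharp s) becomes "SS", so one UTF-16 code unit
// becomes two. Constructed for the example; not Blink's transform.
std::u16string Uppercase(std::u16string_view in) {
  std::u16string out;
  out.reserve(in.size());
  for (char16_t c : in) {
    if (c == u'\u00DF')
      out += u"SS";
    else if (c >= u'a' && c <= u'z')
      out.push_back(static_cast<char16_t>(c - (u'a' - u'A')));
    else
      out.push_back(c);
  }
  return out;
}

// Break iterator written in the unsafe style the revert describes: it keeps a
// view (pointer + length) of the text it was constructed over. Toy break rule:
// a break opportunity sits right after every space.
class SnapshotBreakIterator {
 public:
  explicit SnapshotBreakIterator(const std::u16string& text) : view_(text) {}

  // Next break position at or after |pos|, or npos when there is none.
  // The guard on |pos| keeps this example well defined; code that indexes
  // view_[pos] without it reads one UTF-16 unit past the buffer as soon as
  // |pos| is derived from a longer string that replaced the original.
  size_t NextBreakable(size_t pos) const {
    if (pos >= view_.size()) return std::u16string::npos;
    for (size_t i = pos; i + 1 < view_.size(); ++i)
      if (view_[i] == u' ') return i + 1;
    return std::u16string::npos;
  }

  size_t snapshot_length() const { return view_.size(); }

 private:
  std::u16string_view view_;  // dangles once the owning string is replaced
};

struct LayoutText {
  std::u16string text;  // the string the layout object owns
};

// In-place design (the reverted attempts): the layout object's string is
// replaced by the transformed one while an iterator built over the original
// is still in use. Returns how many positions a line-breaking loop driven by
// the new length would probe beyond the iterator's snapshot; each one is an
// out-of-bounds read in the unguarded version. The snapshot's pointer also
// dangles after the assignment, so it is deliberately never dereferenced.
size_t InPlaceTransformOverreads(LayoutText& layout) {
  SnapshotBreakIterator it(layout.text);  // built over the original buffer
  layout.text = Uppercase(layout.text);   // longer string replaces that buffer
  size_t overreads = 0;
  for (size_t pos = 0; pos < layout.text.size(); ++pos)
    if (pos >= it.snapshot_length()) ++overreads;
  return overreads;
}

struct PaintRun {
  std::vector<size_t> breaks;  // computed over the untouched layout text
  std::u16string glyph_text;   // transformed copy handed to the painter
};

// Paint-time design (the 2017 fix): line breaking runs over the layout
// object's own string, which is never modified, so the iterator's view stays
// valid for the whole pass. The transform writes a separate string for
// painting and leaves the underlying content alone.
PaintRun PaintTimeTransform(const LayoutText& layout) {
  SnapshotBreakIterator it(layout.text);
  PaintRun run;
  for (size_t pos = it.NextBreakable(0); pos != std::u16string::npos;
       pos = it.NextBreakable(pos))
    run.breaks.push_back(pos);
  run.glyph_text = Uppercase(layout.text);  // layout.text is unchanged
  return run;
}

int main() {
  LayoutText in_place{u"stra\u00DFe bier"};  // constructed sample, 11 units
  std::printf("in-place: %zu position(s) probed past the old buffer\n",
              InPlaceTransformOverreads(in_place));
  LayoutText untouched{u"stra\u00DFe bier"};
  PaintRun run = PaintTimeTransform(untouched);
  std::printf("paint-time: %zu break(s), painted %zu units, layout %zu units\n",
              run.breaks.size(), run.glyph_text.size(), untouched.text.size());
  return 0;
}
```

On the 11-unit sample the in-place variant ends up with a 12-unit string, so a line breaker walking to the new length asks the stale iterator about one position past the original allocation, which is exactly the one-UTF-16-unit over-read (READ 2) the ClusterFuzz report shows. The paint-time variant keeps the iterator valid but inherits the trade-off the later test-fix commit on this thread points out: its break position (7) was measured against the untransformed text and does not map one-to-one onto the longer painted string (the same break falls at 8 there), so anything that must line up layout and painted offsets has to account for the length change rather than assume they coincide.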
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/874f00072f7239eeafe6c2d98bdee58baf65f6e7

commit 874f00072f7239eeafe6c2d98bdee58baf65f6e7
Author: Koji Ishii <kojii@chromium.org>
Date: Wed May 09 09:17:16 2018

Fix fast/text/transform-text-first-line.html not to rely on a known issue

The new approach to apply the 'text-transform' property to ::first-line pseudo element[1] has a known issue that, since it transforms at paint time, line breaking is measured against non-transformed text. The test fast/text/transform-text-first-line.html relies on line breaking being measured against small letters, but this issue does not exist in LayoutNG.

This patch fixes the test by using Ahem. Because Ahem has a different glyph but the same width for the small letter 'p', it can test which letters are capitalized without line breaking being affected by the issue.

[1] https://chromium-review.googlesource.com/603855

TBR=eae@chromium.org

Bug: 129669, 644733, 636993
Change-Id: Ie0a14652c43d4b863ea0fd9bf40d8ab17f39d0ea
Reviewed-on: https://chromium-review.googlesource.com/1051067
Reviewed-by: Koji Ishii <kojii@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557129}

[modify] https://crrev.com/874f00072f7239eeafe6c2d98bdee58baf65f6e7/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.html
[modify] https://crrev.com/874f00072f7239eeafe6c2d98bdee58baf65f6e7/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
Comment 1 by wfh@chromium.org, Sep 7 2016
Components: Blink>Layout Blink
Labels: -OS-Linux OS-All Pri-2
Owner: robho...@gmail.com
Status: Assigned (was: Untriaged)