Heap-use-after-free in id
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263210183917568
Fuzzer: libfuzzer_ax_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x612000000df8
Crash State:
  id
  HasChangedNode
  DestroySubtree
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=418295:418446
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965PxN_mS9snIgBnGu4dT9QqzUKKFhUIIWRDShOxbXoovMo9U_Ez7Gs0Oo5TT3AdvzFSO4DBVaABTy_fKe3702bK1o2CY_4lDxdvzMhX0bfxPHrAPv1YTp9A2hcEtntI2xe4kvsTRtKzXaHlXePj46-R_YQtQ?testcase_id=5263210183917568
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Sep 14 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 14 2016
Sep 14 2016
Dominic, AXTree fuzzer related.
Sep 26 2016
Two other minimized testcases (646695, 646696) were the same root cause, fix here. https://codereview.chromium.org/2377443002
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c4d7605d5a8d55c703e6ac30754375b661478128

commit c4d7605d5a8d55c703e6ac30754375b661478128
Author: dmazzoni <dmazzoni@chromium.org>
Date: Wed Sep 28 22:17:25 2016

Fix another bug in AXTree caught by libfuzzer

There were three cases found by libfuzzer but they all had the same root cause. Very similar to the previous issues fixed, basically cleaning up memory properly if we get a bogus tree with things like circular references.

Specifically, when the root of the tree changes but then unserialization fails, we destroy the whole tree on exiting because there's no other way to preserve it. After deleting the old root, we then need to clean up |node|, but not if it was already deleted or reused. Previously we were checking if |node| was the same as |old_root|, but really we wanted to check if |node| was deleted at all, since it may have been a child of |old_root|.

BUG=646795
Review-Url: https://codereview.chromium.org/2377443002
Cr-Commit-Position: refs/heads/master@{#421658}

[modify] https://crrev.com/c4d7605d5a8d55c703e6ac30754375b661478128/ui/accessibility/ax_tree.cc
[modify] https://crrev.com/c4d7605d5a8d55c703e6ac30754375b661478128/ui/accessibility/ax_tree_unittest.cc
Sep 29 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 29 2016
ClusterFuzz has detected this issue as fixed in range 421621:421693.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263210183917568
Fuzzer: libfuzzer_ax_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x612000000df8
Crash State:
  id
  HasChangedNode
  DestroySubtree
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=418295:418446
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=421621:421693
Minimized Testcase (0.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965PxN_mS9snIgBnGu4dT9QqzUKKFhUIIWRDShOxbXoovMo9U_Ez7Gs0Oo5TT3AdvzFSO4DBVaABTy_fKe3702bK1o2CY_4lDxdvzMhX0bfxPHrAPv1YTp9A2hcEtntI2xe4kvsTRtKzXaHlXePj46-R_YQtQ?testcase_id=5263210183917568
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 30 2016
Oct 25 2016
Jan 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot