Hello Navid,

I'm assigning this security ticket to you due to your recent CLs touching PointerEventManager.cpp.  Feel free to adjust labels or re-assign as appropriate.

Thank you!

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

nzolghadr: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug is reported as M55 Beta blocker.Please try to resolve this before M55 branch on Oct 6th,2016 so it has enough baking time in Dev.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a430a3b64fd38591f2fb2b0d86af24a32918f224

commit a430a3b64fd38591f2fb2b0d86af24a32918f224
Author: nzolghadr <nzolghadr@chromium.org>
Date: Fri Sep 30 14:44:58 2016

Fix use of uninitialized value in msan builds

BUG= 647024 

Review-Url: https://codereview.chromium.org/2382873003
Cr-Commit-Position: refs/heads/master@{#422108}

[modify] https://crrev.com/a430a3b64fd38591f2fb2b0d86af24a32918f224/third_party/WebKit/Source/core/events/PointerEventFactory.h

ClusterFuzz has detected this issue as fixed in range 422097:422120.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217576961703936

Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::PointerEventManager::setPointerCapture
  blink::ElementV8Internal::setPointerCaptureMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=418438:418498
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=422097:422120

Minimized Testcase (2.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Ko7S-qgxtY7O59K2oAcPoja_wjH1GIwnbmJukwdoJ7WB-t8aldtSewdHI0Hef1QlTCp01aQfMjLTQwWYNma9lNGA4aS7A-ZA1IlNEJ8ahbkrXQApvMV0BWiaR-2dCoo1C4bK4OisGU6SoKscq2vX1iYqo_w?testcase_id=5217576961703936

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot