New issue
Advanced search Search tips

Issue 649056 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Assertion failed: !object || (object->isBox())

Project Member Reported by ClusterFuzz, Sep 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4617959052148736

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !object || (object->isBox())
  blink::ThemePainterDefault::setupMenuListArrow
  blink::ThemePainterDefault::paintMenuList
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=419848:419971

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qUM-6OMNl1oZjHskl1cgcbOca6eYQzFB6E_bdc1JfPeCBQSJPA2QE3t9Ms2NeEQhs7KCUKLmEtLFl4iWy7JPEstjBPXLN19Q9tJKeQ6flkdAMIrvaZkXww3Xe7-q5Vfc9HiEE82jCkQ72jqazmkLwkSlmnQ?testcase_id=4617959052148736

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Paint
Owner: malaykeshav@chromium.org
Status: Assigned (was: Untriaged)
Summary: Assertion failed: !object || (object->isBox()) (was: !object || (object->isBox()))
malaykeshav, can you have a look at this?

I /believe/ this isn't exploitable as it can only happen when useMockTheme() is running for layout tests.

Likely regressing changelist: https://chromium.googlesource.com/chromium/src/+/b195fcd2e028db859a382323fad3c6910e3205c4
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 22 2016

Labels: M-55
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 22 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 22 2016

Labels: Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/63903481bbfd5173416a223bf160fc106f62d1b7

commit 63903481bbfd5173416a223bf160fc106f62d1b7
Author: malaykeshav <malaykeshav@chromium.org>
Date: Thu Sep 22 23:08:20 2016

Security fix while computing dropdown menu arrow width

There is no clean way to set the size for the dropdown menu arrow dynamically
without causing security bugs. Since this is only for tests, using a fixed
width works with _most_ of the test cases while the rest have minor changes
that are acceptable for layout tests.

Context: https://codereview.chromium.org/2340633002

BUG= 649095 ,  649056 ,  649058 ,  649132 ,  640256 
COMPONENT=ThemePainterDefault, Menu List Arrow
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2359753003
Cr-Commit-Position: refs/heads/master@{#420492}

[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/63903481bbfd5173416a223bf160fc106f62d1b7/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp

Status: Fixed (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420502.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4617959052148736

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !object || (object->isBox())
  blink::ThemePainterDefault::setupMenuListArrow
  blink::ThemePainterDefault::paintMenuList
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=419848:419971
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=420372:420502

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qUM-6OMNl1oZjHskl1cgcbOca6eYQzFB6E_bdc1JfPeCBQSJPA2QE3t9Ms2NeEQhs7KCUKLmEtLFl4iWy7JPEstjBPXLN19Q9tJKeQ6flkdAMIrvaZkXww3Xe7-q5Vfc9HiEE82jCkQ72jqazmkLwkSlmnQ?testcase_id=4617959052148736

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 23 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 10 by sheriffbot@chromium.org, Dec 30 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment