Issue 649510

Issue metadata

Status: Duplicate
Merged: issue 647602
Owner: ----
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Heap-use-after-free in blink::LayoutTextFragment::setTextFragment

Project Member Reported by ClusterFuzz, Sep 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6345864996192256

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x28eb9bbb
Crash State:
  blink::LayoutTextFragment::setTextFragment
  blink::FirstLetterPseudoElement::detachLayoutTree
  blink::PseudoElement::dispose
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=420311:420321

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94SwXUn8d58ha4U77sHWu3fjnhbgYVqCfnn-A3HNkB4wufyItHbJagkkhPYVbSrFcMRzlSmmRI1NloWamNZJApCrNuf95FfFqGL5DrMlDMjkY-VxwDkcQmvnagUNgCbMRyWNblq9ZU6m0v-hjJ3dgE2CaxoSQ?testcase_id=6345864996192256


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Layout
This looks much like issue 647602, which was deemed flaky, the latest in a series of similar crashes.

ClusterFuzz's reported regression range may be bogus; there are only 10 CLs in it, and only three of those seem remotely likely to be involved: 

df7927edfbf1452c329f6891f0bf387f21a47f89 - Navigation changes around ServiceWorker
23d8f263fccca2ef163a9c3f1592d3a51e3a2d50 - Viewport overrides for devtools
0fccab70551979737eed882ec677337ede6f438e - Document* -> Document&

... and none of the three seems especially likely.

Project Member Comment 2 by sheriffbot@chromium.org, Sep 23 2016

Labels: M-55
Project Member Comment 3 by sheriffbot@chromium.org, Sep 23 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 4 by sheriffbot@chromium.org, Sep 23 2016

Labels: Pri-1
Mergedinto: 647602
Status: Duplicate (was: Untriaged)
[2016-09-23 17:50:27] clusterfuzz-windows-0026: Regression task started.
[2016-09-23 17:54:45] clusterfuzz-windows-0026: Regression task errored out: Known crash revision 420321 did not crash.
[2016-09-23 17:54:46] clusterfuzz-windows-0026: Regression task errored out: Test case appears to be flaky.
Project Member Comment 6 by sheriffbot@chromium.org, Mar 9 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot