Heap-buffer-overflow in blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6189273441370112

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0xbad1710a
Crash State:
  blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP
  blink::BreakingContext::handleText
  blink::LineBreaker::nextLineBreak

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=417948:418041

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95f8LX3gY7SINwR_oq8Oy6c5bKgVSseRIvrHLcPkh47G-Ap2ECo5LEfbzQUKt943TgiiFVy6f2EzyUQesTs6WmqQYAgPvdv3EuC1w_wveEC8O5nu6hIv38DzrlR_cU9cJCCTNeE-GnyyPFym_W-1sSttkMrzA?testcase_id=6189273441370112

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 24 2016
Sep 24 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 25 2016
Sep 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d20ce6090a7fd879d433d9d8df0e50100914352b

commit d20ce6090a7fd879d433d9d8df0e50100914352b
Author: robhogan <robhogan@gmail.com>
Date: Mon Sep 26 20:59:13 2016

Revert of Apply first-line transform-text style (patchset #1 id:1 of https://codereview.chromium.org/2339683004/ )

Reason for revert:
This is still causing asan crashes. The crashes seem specific to cases where the transformed text is longer than the original text. I think the Iterator object is keeping a pointer to the text and the reallocation required to fit the new text throws it out.

Original issue's description:
> Apply first-line transform-text style
>
> A third go at https://crrev.com/3c64df1fc98aa06eabfc18d1f5c2f2b0aec1a658
>
> Although I still can't reproduce the clusterfuzz reports locally I'm confident
> this will cure the specific crashes because I'm no longer transforming the
> first line's text unless it has a distinct first-line style (:/).
>
> BUG=129669,644733
>
> Committed: https://crrev.com/e17f77cab60f321629c438796cc14fae3f2fa7dc
> Cr-Commit-Position: refs/heads/master@{#418840}

TBR=eae@chromium.org
BUG=129669,644733,649810

Review-Url: https://codereview.chromium.org/2369113002
Cr-Commit-Position: refs/heads/master@{#420988}

[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-capitalize.html
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase-expected.txt
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line-lowercase.html
[delete] https://crrev.com/8c8b27dda56ab54ec9028335ff0328aae0530feb/third_party/WebKit/LayoutTests/fast/text/transform-text-first-line.html
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/LayoutText.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/LayoutText.h
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/api/LineLayoutText.h
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineFlowBox.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineTextBox.cpp
[modify] https://crrev.com/d20ce6090a7fd879d433d9d8df0e50100914352b/third_party/WebKit/Source/core/layout/line/InlineTextBox.h
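To make the revert's diagnosis concrete, here is an added C++ model (not Blink's code) of a lazy break iterator that caches a raw pointer into a text node's UTF-16 buffer; a lengthening transform (uppercase U+00DF expanding to "SS") replaces the buffer, leaving the cached pointer and length describing freed memory. The `TextNode`, `LazyBreakIterator` and `uppercaseTransform` names and the always-reallocating `setText` are assumptions of this model; `isStale` is the precondition check a caller can apply before walking the text, and rebinding after every text replacement is the mitigation.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>

// Constructed model of the hazard in the revert message (not Blink's code): a
// lazy break iterator caches a raw pointer into a text node's UTF-16 buffer;
// a lengthening transform replaces that buffer, so the cached view is freed.
struct TextNode {
    std::unique_ptr<char16_t[]> buf;
    std::size_t len = 0;
    // Fresh storage each call, like a reallocation; the old buffer is freed on reassignment.
    void setText(const std::u16string& s) {
        std::unique_ptr<char16_t[]> fresh(new char16_t[s.size()]);
        std::memcpy(fresh.get(), s.data(), s.size() * sizeof(char16_t));
        buf = std::move(fresh);
        len = s.size();
    }
    const char16_t* data() const { return buf.get(); }
};

struct LazyBreakIterator {
    const char16_t* chars = nullptr;
    std::size_t length = 0, pos = 0;
    std::uintptr_t boundTo = 0;  // buffer address, recorded while still valid
    void bind(const TextNode& n) {
        chars = n.data(); length = n.len; pos = 0;
        boundTo = reinterpret_cast<std::uintptr_t>(chars);
    }
    // The check the crash lacked: has the node replaced its buffer since bind()?
    bool isStale(const TextNode& n) const {
        return boundTo != reinterpret_cast<std::uintptr_t>(n.data()) || length != n.len;
    }
    // Next space at or after pos, else `length`. Only valid while !isStale().
    std::size_t nextBreak() {
        while (pos < length && chars[pos] != u' ') ++pos;
        return pos;
    }
};

// Constructed transform: uppercase ASCII, expand U+00DF to "SS" (1 unit -> 2).
std::u16string uppercaseTransform(const std::u16string& in) {
    std::u16string out;
    for (char16_t c : in) {
        if (c == u'\u00DF') out += u"SS";
        else out += (c >= u'a' && c <= u'z') ? static_cast<char16_t>(c - 32) : c;
    }
    return out;
}
```

Bound to the untransformed text, the iterator reports stale as soon as the longer transformed text replaces the buffer; only after `bind` is called again do its positions refer to live memory.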
Sep 27 2016
ClusterFuzz has detected this issue as fixed in range 420859:421049.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6189273441370112

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0xbad1710a
Crash State:
  blink::LazyLineBreakIterator::nextBreakablePositionIgnoringNBSP
  blink::BreakingContext::handleText
  blink::LineBreaker::nextLineBreak

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=417948:418041
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=420859:421049

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95f8LX3gY7SINwR_oq8Oy6c5bKgVSseRIvrHLcPkh47G-Ap2ECo5LEfbzQUKt943TgiiFVy6f2EzyUQesTs6WmqQYAgPvdv3EuC1w_wveEC8O5nu6hIv38DzrlR_cU9cJCCTNeE-GnyyPFym_W-1sSttkMrzA?testcase_id=6189273441370112

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
Oct 25 2016
Jan 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 23 2016
Labels: Pri-1
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)