Crash in blink::SharedBuffer::mergeSegmentsIntoBuffer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5343837331652608

Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000001c
Crash State:
  blink::SharedBuffer::mergeSegmentsIntoBuffer
  blink::SharedBuffer::data
  blink::LinkStyle::setCSSStyleSheet

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424939:424963

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95RSA1N2N7gZfAotk1afCwP2xykF_1f84DskxtzRyjYtu59MmJAYG9XIgEHzVmlR4CIevfaGIXWxl93dF7zqCL7y2HZYUu2XaNizhDLlj3BVWhtDBiBo9gwpK-kgjvPdz46uF1sXGJOpTwdLavh8olzhRGACQ?testcase_id=5343837331652608
<script> window.location = "http://alabamaoutdoors.com";</script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 14 2016
Hm, it looks like resourceBuffer() is null but we didn't hit the DCHECK. mummareddy: are fuzzers running with DCHECKs on these days? How can I check that?
Oct 14 2016
I can repro on TOT #425249 with an asan build. Ha "minimized testcase". Moving kouhei to cc and I'll see if I can look into this today.
Oct 14 2016
Ha! The crash is caused if we try loading a CSS file with 0 length :) Will try to send out a fix.
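The root cause stated in the comment above (a zero-length CSS response leaves resourceBuffer() null, and SharedBuffer::data() is then called through that null pointer) as an added model in C++. This is not Blink's code and not the fix that landed; the SharedBuffer, CSSResource and sheetText* names below are stand-ins chosen here to mimic the call chain in the crash state.

```cpp
// Added example, not Blink code: a small model of the failure in this issue.
// A zero-length resource never gets a buffer, so resourceBuffer() is nullptr;
// a caller that unconditionally calls resourceBuffer()->data() then reads a
// field at a small offset from address 0 (compare the 0x1c crash address).
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Model of blink::SharedBuffer: bytes arrive in segments and are merged into
// one contiguous buffer the first time data() is called.
class SharedBuffer {
 public:
  void append(const std::string& bytes) { segments_.push_back(bytes); }
  size_t size() const {
    size_t n = 0;
    for (const auto& s : segments_) n += s.size();
    return n;
  }
  // Merge all segments and return a pointer to the contiguous copy.
  const char* data() {
    mergeSegmentsIntoBuffer();
    return merged_.data();
  }

 private:
  void mergeSegmentsIntoBuffer() {
    merged_.clear();
    for (const auto& s : segments_)
      merged_.insert(merged_.end(), s.begin(), s.end());
  }
  std::vector<std::string> segments_;
  std::vector<char> merged_;
};

// Model of a fetched stylesheet resource (hypothetical name). As described in
// the issue, an empty body creates no buffer at all: resourceBuffer() is null.
class CSSResource {
 public:
  explicit CSSResource(const std::string& body) {
    if (!body.empty()) {
      buffer_ = std::make_unique<SharedBuffer>();
      buffer_->append(body);
    }
  }
  SharedBuffer* resourceBuffer() { return buffer_.get(); }

 private:
  std::unique_ptr<SharedBuffer> buffer_;
};

// The pattern that crashed: the caller assumes a buffer always exists.
// With a zero-length resource this dereferences nullptr (undefined behaviour;
// only call it with a non-empty resource).
std::string sheetTextUnguarded(CSSResource& res) {
  SharedBuffer* buf = res.resourceBuffer();
  return std::string(buf->data(), buf->size());
}

// Hardened form: a missing or empty buffer is treated as an empty stylesheet
// instead of being dereferenced.
std::string sheetTextGuarded(CSSResource& res) {
  SharedBuffer* buf = res.resourceBuffer();
  if (!buf || buf->size() == 0) return std::string();
  return std::string(buf->data(), buf->size());
}

// Small wrappers so the behaviour can be checked from outside the model.
bool zeroLengthResourceHasNoBuffer() {
  CSSResource r("");
  return r.resourceBuffer() == nullptr;
}
std::string guardedTextFor(const std::string& body) {
  CSSResource r(body);
  return sheetTextGuarded(r);
}
std::string unguardedTextFor(const std::string& nonEmptyBody) {
  CSSResource r(nonEmptyBody);
  return sheetTextUnguarded(r);
}

int main() {
  assert(zeroLengthResourceHasNoBuffer());
  assert(guardedTextFor("").empty());
  assert(guardedTextFor("body { color: red; }") == "body { color: red; }");
  return 0;
}
```

The guard is the whole point: a DCHECK on the pointer only fires in builds that have DCHECKs enabled, so release code still has to handle the empty-response case explicitly.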
Oct 14 2016

Oct 17 2016
Oct 18 2016
ClusterFuzz has detected this issue as fixed in range 425603:425612.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5343837331652608

Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000001c
Crash State:
  blink::SharedBuffer::mergeSegmentsIntoBuffer
  blink::SharedBuffer::data
  blink::LinkStyle::setCSSStyleSheet

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424939:424963
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=425603:425612

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95RSA1N2N7gZfAotk1afCwP2xykF_1f84DskxtzRyjYtu59MmJAYG9XIgEHzVmlR4CIevfaGIXWxl93dF7zqCL7y2HZYUu2XaNizhDLlj3BVWhtDBiBo9gwpK-kgjvPdz46uF1sXGJOpTwdLavh8olzhRGACQ?testcase_id=5343837331652608
<script> window.location = "http://alabamaoutdoors.com";</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Oct 13 2016
Labels: M-56 Te-Logged
Owner: kouhei@chromium.org
Status: Assigned (was: Untriaged)