
Issue 655812 link

Issue metadata

Status: Duplicate
Merged: issue 655807
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Crash in blink::SharedBuffer::mergeSegmentsIntoBuffer

Project Member Reported by ClusterFuzz, Oct 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5343837331652608

Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000001c
Crash State:
  blink::SharedBuffer::mergeSegmentsIntoBuffer
  blink::SharedBuffer::data
  blink::LinkStyle::setCSSStyleSheet
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424939:424963

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95RSA1N2N7gZfAotk1afCwP2xykF_1f84DskxtzRyjYtu59MmJAYG9XIgEHzVmlR4CIevfaGIXWxl93dF7zqCL7y2HZYUu2XaNizhDLlj3BVWhtDBiBo9gwpK-kgjvPdz46uF1sXGJOpTwdLavh8olzhRGACQ?testcase_id=5343837331652608
<script>
window.location = "http://alabamaoutdoors.com";</script>


Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Blink>Loader Tools>Test>FindIt>CorrectResult
Labels: M-56 Te-Logged
Owner: kouhei@chromium.org
Status: Assigned (was: Untriaged)
Author: kouhei
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/afa48c3ed31f7229c306ce7cda62111be593f719
Time: Thu Oct 13 03:04:01 2016
Lines 146-151 of file CSSStyleSheetResource.cpp which potentially caused crash are changed in this cl (frame #3, "blink::CSSStyleSheetResource::checkNotify").

Lines 441-462 of file HTMLLinkElement.cpp which potentially caused crash are changed in this cl (frame #2, "blink::LinkStyle::setCSSStyleSheet").
Minimum distance from crash line to modified line: 0. (file: HTMLLinkElement.cpp, crashed on: 441, modified: 441).

Suspected Project: chromium
Suspected Component: Blink>Loader
Cc: mummare...@chromium.org csharrison@chromium.org
Hm it looks like resourceBuffer() is null but we didn't hit the DCHECK. 
mummareddy: are fuzzers running with DCHECKs on these days? How can I check that?


Cc: kouhei@chromium.org
Owner: ----
Status: Available (was: Assigned)
I can repro on TOT #425249 with an asan build. Ha "minimized testcase". Moving kouhei to cc and I'll see if I can look into this today.
Ha! The crash is caused if we try loading a CSS file with 0 length :) Will try to send out a fix.
Owner: csharrison@chromium.org
Status: Started (was: Available)
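The root cause stated in the comment above (a zero-length CSS response leaves the resource buffer null, and the stylesheet consumer dereferences it) modelled as an added C++ example. This is constructed for illustration and is not Blink's or Chromium's code; SegmentedBuffer, Resource, LoadResource, SheetTextUnsafe and SheetTextSafe are hypothetical names. It shows the unsafe consumer beside a hardened one that treats a missing buffer as an empty sheet.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a segmented resource buffer (constructed for this
// example; not Blink's SharedBuffer). Bytes arrive in chunks and are merged
// into one contiguous buffer on first access.
class SegmentedBuffer {
 public:
  void Append(const char* bytes, size_t len) {
    segments_.emplace_back(bytes, bytes + len);
    size_ += len;
  }
  size_t size() const { return size_; }
  // Merges all segments into a single buffer and returns a pointer to it.
  const char* data() {
    if (merged_.size() != size_) {
      merged_.clear();
      for (const auto& s : segments_)
        merged_.insert(merged_.end(), s.begin(), s.end());
    }
    return merged_.data();
  }

 private:
  std::vector<std::vector<char>> segments_;
  std::vector<char> merged_;
  size_t size_ = 0;
};

// A loaded resource. The (hypothetical) loader only allocates the buffer once
// bytes arrive, so a zero-length response finishes with resource_buffer still
// null, which is the condition the report describes.
struct Resource {
  std::unique_ptr<SegmentedBuffer> resource_buffer;  // null until bytes arrive
  bool finished = false;
};

Resource LoadResource(const std::string& body) {
  Resource r;
  if (!body.empty()) {
    r.resource_buffer = std::make_unique<SegmentedBuffer>();
    // Deliver the body in two chunks so the merge path is exercised.
    size_t half = body.size() / 2;
    r.resource_buffer->Append(body.data(), half);
    r.resource_buffer->Append(body.data() + half, body.size() - half);
  }
  r.finished = true;
  return r;
}

// Unsafe consumer: assumes every finished resource has a buffer. For a
// zero-length resource this dereferences null, the shape of the crash above.
std::string SheetTextUnsafe(Resource& r) {
  SegmentedBuffer* buf = r.resource_buffer.get();
  return std::string(buf->data(), buf->size());  // null deref if buf == nullptr
}

// Hardened consumer: a missing or empty buffer is an empty stylesheet.
std::string SheetTextSafe(Resource& r) {
  SegmentedBuffer* buf = r.resource_buffer.get();
  if (!buf || buf->size() == 0) return std::string();
  return std::string(buf->data(), buf->size());
}

int main() {
  Resource empty = LoadResource("");  // constructed zero-length CSS response
  assert(empty.finished && empty.resource_buffer == nullptr);
  assert(SheetTextSafe(empty).empty());  // SheetTextUnsafe(empty) would crash

  Resource css = LoadResource("body{color:red}");  // constructed sample body
  assert(SheetTextSafe(css) == "body{color:red}");
  assert(SheetTextUnsafe(css) == "body{color:red}");
  return 0;
}
```

The defensive check belongs at the consumer, since the loader's "no bytes, no buffer" behaviour is legitimate for an empty response; a DCHECK alone would only catch this in debug builds, which is why the comment above asks whether the fuzzers run with DCHECKs enabled.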

Comment 6 by kouhei@chromium.org, Oct 17 2016

Mergedinto: 655807
Status: Duplicate (was: Started)
Project Member

Comment 7 by ClusterFuzz, Oct 18 2016

ClusterFuzz has detected this issue as fixed in range 425603:425612.

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424939:424963
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=425603:425612


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
