Issue 663608 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 611981



Crash in blink::LocalFrame::document

Project Member Reported by ClusterFuzz, Nov 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4970920138768384

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000160
Crash State:
  blink::LocalFrame::document
  blink::PointerEventManager::handleTouchEvents
  blink::EventHandler::handleTouchEvent
  

Minimized Testcase (0.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IyDdlhzXy6sZoWQj64UCqTkja5YIzFk78Keicd0IfKzJeP5uTkIFUyc5qtmfYhozDgom37GNEJTpjtD0r1_bGhOUUmQAfK3vgjmgVADmamj9L14bO91k4E9fbk-G770UFdGjzzsEGyHfvp1sl_YpuTybrgw?testcase_id=4970920138768384

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: dtapu...@chromium.org mustaq@chromium.org
Components: Blink>Input
Labels: Hotlist-Input-Dev
Owner: nzolghadr@chromium.org
Status: Assigned (was: Untriaged)
Navid, please investigate.

Comment 2 by rbyers@chromium.org, Nov 10 2016

Blockedon: 611981
Status: Started (was: Assigned)
Caused by my change in issue 611981, Navid has a fix in the queue here: https://codereview.chromium.org/2485383004/

Thanks Navid!

Comment 3 by rbyers@chromium.org, Nov 10 2016

Issue 663634 has been merged into this issue.

Project Member Comment 4 by sheriffbot@chromium.org, Nov 10 2016

Labels: Fracas


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Project Member Comment 5 by bugdroid1@chromium.org, Nov 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/553e31530cf9dee59135026b5644dcdef0b0d181

commit 553e31530cf9dee59135026b5644dcdef0b0d181
Author: nzolghadr <nzolghadr@chromium.org>
Date: Thu Nov 10 02:06:29 2016

Add a null check for token creation to avoid crash

If touchpoint hit test doesn't return a node, then
its targetFrame will be null and it could cause a
crash.

BUG=663608

Review-Url: https://codereview.chromium.org/2485383004
Cr-Commit-Position: refs/heads/master@{#431139}

[modify] https://crrev.com/553e31530cf9dee59135026b5644dcdef0b0d181/third_party/WebKit/Source/core/input/PointerEventManager.cpp
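
The crash path described in the commit message above, as an added example (not Blink's PointerEventManager code, and not the patch itself): a constructed scene, a hit test that returns no node for a touch point outside every box, the pre-fix shape that dereferences the resulting null frame, and the post-fix shape that skips token creation when there is no target frame. Scene, hitTest, createTouchTokens, TouchToken and the sample coordinates are assumptions for illustration. The report's crash type UNKNOWN READ at address 0x000000000160 is consistent with this shape: a read of a field at a small offset from a null LocalFrame pointer, which ASan reports as an access to an unmapped low address rather than as a heap error.

```cpp
// Added example modelling the touch-dispatch path at the level needed to show
// the null dereference; not Blink's PointerEventManager code.
#include <cstdio>
#include <string>
#include <vector>

struct Document { std::string url; };

struct LocalFrame {
  Document* doc;
  Document* document() const { return doc; }  // the callee in the crash state
};

struct Node {
  std::string tag;
  LocalFrame* frame;   // assumption: a detached node also leaves this null
  int x0, y0, x1, y1;  // layout box, inclusive
  LocalFrame* targetFrame() const { return frame; }
};

struct TouchPoint { int id; int x; int y; };

// Constructed scene (assumption for the example): one frame, two hit-testable
// nodes, and a large empty area between them that no node covers.
struct Scene {
  Document doc{"https://example.test/"};
  LocalFrame frame{&doc};
  std::vector<Node> nodes{
      {"div", &frame, 0, 0, 99, 99},
      {"button", &frame, 200, 200, 249, 249},
  };
};

Scene& sampleScene() {
  static Scene scene;
  return scene;
}

// Hit test: first node whose box contains the point, or nullptr when the touch
// lands on nothing. The "no node" outcome is what the commit message describes.
Node* hitTest(Scene& s, const TouchPoint& p) {
  for (Node& n : s.nodes) {
    if (p.x >= n.x0 && p.x <= n.x1 && p.y >= n.y0 && p.y <= n.y1) return &n;
  }
  return nullptr;
}

// Pre-fix shape: derive the frame from the hit-test result and dereference it
// unconditionally. On a miss, targetFrame is nullptr and document() reads a
// field at a small offset from address 0. Calling this with a point that hits
// nothing is undefined behaviour; that is the bug being shown, not a demo step.
Document* documentForTouchUnchecked(Scene& s, const TouchPoint& p) {
  Node* target = hitTest(s, p);
  LocalFrame* targetFrame = target ? target->targetFrame() : nullptr;
  return targetFrame->document();
}

struct TouchToken { int pointId; std::string documentUrl; };

// Post-fix shape: create a token only when there is a frame to attach it to.
// Points that hit nothing are skipped instead of dereferencing null.
std::vector<TouchToken> createTouchTokens(Scene& s, const std::vector<TouchPoint>& points) {
  std::vector<TouchToken> tokens;
  for (const TouchPoint& p : points) {
    Node* target = hitTest(s, p);
    LocalFrame* targetFrame = target ? target->targetFrame() : nullptr;
    if (!targetFrame) continue;  // the added null check
    tokens.push_back({p.id, targetFrame->document()->url});
  }
  return tokens;
}

// Constructed multi-touch input: point 2 lands in the empty area between the nodes.
std::vector<TouchPoint> samplePoints() {
  return {{1, 10, 10}, {2, 150, 150}, {3, 210, 210}};
}

int main() {
  std::vector<TouchToken> tokens = createTouchTokens(sampleScene(), samplePoints());
  for (const TouchToken& t : tokens) {
    std::printf("token for touch %d -> %s\n", t.pointId, t.documentUrl.c_str());
  }
  std::printf("%zu of %zu touches produced tokens\n", tokens.size(), samplePoints().size());
  return 0;
}
```

The pre-fix function is kept deliberately unguarded so the two shapes can be compared side by side; only the post-fix path is safe to call with arbitrary touch points. Under ASan the unguarded call on point 2 would fault on the read inside document(), which is the same frame-then-document read the crash state shows.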

Status: Fixed (was: Started)
Cc: panicker@chromium.org caseq@chromium.org pfeldman@chromium.org ajha@chromium.org
Issue 663626 has been merged into this issue.
I will be cherry-picking this to branch 2913 (a random dev branch) so that we can ship a non-crashy build this week.

Project Member Comment 9 by bugdroid1@chromium.org, Nov 11 2016

Labels: merge-merged-2913
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/84ee12c194e30068a0b4c652f83592849b1ad930

commit 84ee12c194e30068a0b4c652f83592849b1ad930
Author: Alex Mineer <amineer@chromium.org>
Date: Fri Nov 11 00:20:22 2016

Add a null check for token creation to avoid crash

If touchpoint hit test doesn't return a node, then
its targetFrame will be null and it could cause a
crash.

BUG=663608

(cherry picked from commit 553e31530cf9dee59135026b5644dcdef0b0d181)

Review-Url: https://codereview.chromium.org/2485383004
Cr-Original-Commit-Position: refs/heads/master@{#431139}
Cr-Commit-Position: refs/branch-heads/2913@{#8}
Cr-Branched-From: 75d01e1f338c8a452f7d9aa80c2bfa463c0ce4f0-refs/heads/master@{#430459}

[modify] https://crrev.com/84ee12c194e30068a0b4c652f83592849b1ad930/third_party/WebKit/Source/core/input/PointerEventManager.cpp

Project Member Comment 10 by ClusterFuzz, Nov 11 2016

ClusterFuzz has detected this issue as fixed in range 430994:431183.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4970920138768384

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000160
Crash State:
  blink::LocalFrame::document
  blink::PointerEventManager::handleTouchEvents
  blink::EventHandler::handleTouchEvent
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=430994:431183

Minimized Testcase (0.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IyDdlhzXy6sZoWQj64UCqTkja5YIzFk78Keicd0IfKzJeP5uTkIFUyc5qtmfYhozDgom37GNEJTpjtD0r1_bGhOUUmQAfK3vgjmgVADmamj9L14bO91k4E9fbk-G770UFdGjzzsEGyHfvp1sl_YpuTybrgw?testcase_id=4970920138768384

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot