Crash in blink::DOMParser::parseFromString
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5747502033928192

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000a8
Crash State:
  blink::DOMParser::parseFromString
  blink::DOMParserV8Internal::parseFromStringMethodCallback
  v8::internal::FunctionCallbackArguments::Call

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=429249:429264

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv967Tqp7LI51MqksjgjrvPEZb0Q9fqMF93j8wttrqrqTbc_JWC8WEpcQvCRZ01JD_l6pQHA3xaMFgNjvZOSqfYbkct7qdcDPb1SNsE7DLXY7nnGf8ZbILOd6X6UvODSPUjTOEHGRhKv97xCg1ImVwD-_s2EVzw?testcase_id=5747502033928192

    <script>
    function jsfuzzer() {
      htmlvar00021.click();
      /* DOMParser*/ var var00451 = new DOMParser();
      /* SupportedType*/ var var00452 = "text/html";
      /* Document*/ var var00450 = var00451.parseFromString("waiting",var00452);
    }
    function eventhandler4() {
      /* DOMParser*/ var var00030 = new DOMParser();
      /* URL*/ var var00428 = new URL("http://foo/bar");
      /* USVString*/ var var00427 = var00428.origin;
      htmlvar00021.hostname = var00427;
    }
    </script>
    <body onload=jsfuzzer()>
    <audio onloadstart="eventhandler4()">
    <source id="htmlvar00015"</source>
    <area id="htmlvar00021" accesskey="'" shape="poly" href="Yu> Xl\" link="green" open="true">

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 11 2016

Nov 16 2016

Nov 17 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965

commit 65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965
Author: sigbjornf <sigbjornf@opera.com>
Date: Thu Nov 17 06:17:42 2016

DOMParser: handle use from contexts without an "active document".

Handle detached uses of parseFromString(), where there is no context document to inherit the security origin from.

Relevant spec reference, https://w3c.github.io/DOM-Parsing/#dom-domparser-parsefromstring

R=
BUG= 664399

Review-Url: https://codereview.chromium.org/2509813002
Cr-Commit-Position: refs/heads/master@{#432782}

[add] https://crrev.com/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965/third_party/WebKit/LayoutTests/fast/dom/DOMParser-detached-no-crash.html
[modify] https://crrev.com/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965/third_party/WebKit/Source/core/xml/DOMParser.cpp
Nov 17 2016

Nov 18 2016
ClusterFuzz has detected this issue as fixed in range 432588:432830.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5747502033928192

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000a8
Crash State:
  blink::DOMParser::parseFromString
  blink::DOMParserV8Internal::parseFromStringMethodCallback
  v8::internal::FunctionCallbackArguments::Call

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=429249:429264
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=432588:432830

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv967Tqp7LI51MqksjgjrvPEZb0Q9fqMF93j8wttrqrqTbc_JWC8WEpcQvCRZ01JD_l6pQHA3xaMFgNjvZOSqfYbkct7qdcDPb1SNsE7DLXY7nnGf8ZbILOd6X6UvODSPUjTOEHGRhKv97xCg1ImVwD-_s2EVzw?testcase_id=5747502033928192
(same minimized testcase as in the issue description)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
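The crash address in this report is a small constant (0xa8), which points to a NULL pointer being dereferenced at a member offset rather than to memory corruption, and that agrees with the fix's description of a missing context document. The triage helper below is an added example, not ClusterFuzz's or Chromium's code: it parses the report fields quoted above, applies that null-page heuristic (the 0x1000 threshold is an assumption) and checks that the fixed range lies after the regression range.

```python
import re

# Constructed input: the ClusterFuzz fields quoted in this issue, one per line.
REPORT = """\
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000a8
Crash State: blink::DOMParser::parseFromString blink::DOMParserV8Internal::parseFromStringMethodCallback v8::internal::FunctionCallbackArguments::Call
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=429249:429264
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=432588:432830
"""

# Assumed heuristic (not ClusterFuzz's own): a read below the first page of
# memory is almost always a NULL pointer dereferenced at a small member offset,
# i.e. a plain crash rather than an exploitable memory-safety bug.
NULL_PAGE = 0x1000


def parse_report(text):
    """Split 'Key: Value' lines into a dict; lines without ': ' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def revision_range(url):
    """Extract the (start, end) revision pair from a ClusterFuzz revisions URL."""
    m = re.search(r"range=(\d+):(\d+)", url or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(fields):
    """Classify the crash and relate the regressed and fixed revision ranges."""
    addr = int(fields["Crash Address"], 16)
    frames = fields["Crash State"].split()
    regressed = revision_range(fields.get("Regressed"))
    fixed = revision_range(fields.get("Fixed"))
    null_deref = fields["Crash Type"].endswith("READ") and addr < NULL_PAGE
    return {
        "top_frame": frames[0],
        "null_deref": null_deref,
        "member_offset": addr if null_deref else None,
        "regressed": regressed,
        "fixed": fixed,
        "fix_after_regression": bool(regressed and fixed and fixed[0] > regressed[1]),
    }
```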
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 29 2016
Issue 667700 has been merged into this issue.
Comment 1 by nyerramilli@chromium.org, Nov 11 2016
Components: Blink
Labels: Test-Predator-Wrong-CLs Needs-triage M-56