
Issue 664399

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::DOMParser::parseFromString

Project Member Reported by ClusterFuzz, Nov 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5747502033928192

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000000a8
Crash State:
  blink::DOMParser::parseFromString
  blink::DOMParserV8Internal::parseFromStringMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=429249:429264

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv967Tqp7LI51MqksjgjrvPEZb0Q9fqMF93j8wttrqrqTbc_JWC8WEpcQvCRZ01JD_l6pQHA3xaMFgNjvZOSqfYbkct7qdcDPb1SNsE7DLXY7nnGf8ZbILOd6X6UvODSPUjTOEHGRhKv97xCg1ImVwD-_s2EVzw?testcase_id=5747502033928192
<script>
function jsfuzzer() {
 htmlvar00021.click(); 
 /* DOMParser*/ var var00451 = new DOMParser(); 
 /* SupportedType*/ var var00452 = "text/html"; 
 /* Document*/ var var00450 = var00451.parseFromString("waiting",var00452); 
}
function eventhandler4() {
 /* DOMParser*/ var var00030 = new DOMParser(); 
 /* URL*/ var var00428 = new URL("http://foo/bar"); 
 /* USVString*/ var var00427 = var00428.origin; 
 htmlvar00021.hostname = var00427; 
}
</script>
<body onload=jsfuzzer()>
<audio onloadstart="eventhandler4()">
<source id="htmlvar00015"</source>
<area id="htmlvar00021" accesskey="'" shape="poly" href="Yu&gt; Xl\" link="green" open="true">


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Blink
Labels: Test-Predator-Wrong-CLs Needs-triage M-56
Providing Findit results for internal purpose:

Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 73 of file PassRefPtr.h, which is stack frame 0.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 31 of file DOMParser.cpp, which is stack frame 1.

Suspected Project: chromium

Unable to find the culprit; could someone please check the issue and help?

Components: -Blink Blink>Loader

Comment 3 by sigbjo...@opera.com, Nov 16 2016

Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)

Comment 4 by bugdroid1@chromium.org, Nov 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965

commit 65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965
Author: sigbjornf <sigbjornf@opera.com>
Date: Thu Nov 17 06:17:42 2016

DOMParser: handle use from contexts without an "active document".

Handle detached uses of parseFromString(), where there is no context
document to inherit the security origin from.

Relevant spec reference,

 https://w3c.github.io/DOM-Parsing/#dom-domparser-parsefromstring

R=
BUG= 664399 

Review-Url: https://codereview.chromium.org/2509813002
Cr-Commit-Position: refs/heads/master@{#432782}

[add] https://crrev.com/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965/third_party/WebKit/LayoutTests/fast/dom/DOMParser-detached-no-crash.html
[modify] https://crrev.com/65527a9ebb7eb8fd34c2f61b03ae7c85b7da5965/third_party/WebKit/Source/core/xml/DOMParser.cpp
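The condition the commit describes (parseFromString() called where there is no context document to inherit a security origin from) can be reproduced deterministically, without the fuzzer's click-triggered navigation, by constructing the parser from a window whose frame has already been detached. The regression check below is an added example, not the project's own DOMParser-detached-no-crash.html layout test; it assumes that detaching the iframe before constructing the parser is what leaves it without a context document, and it only checks that the renderer survives, not whether a Document or an exception comes back.

```html
<!DOCTYPE html>
<!-- Added regression check (not the project's own layout test).
     Detaches an iframe first, then constructs a DOMParser from its window,
     so the parser has no context document to inherit a security origin from. -->
<body>
<pre id="log"></pre>
<script>
function log(msg) {
  document.getElementById('log').textContent += msg + '\n';
}

function parseFromDetachedContext() {
  var iframe = document.createElement('iframe');
  document.body.appendChild(iframe);
  var detachedWindow = iframe.contentWindow;
  // Detach the frame before constructing the parser (assumption: this is
  // the "no active document" state named in the commit message).
  iframe.remove();
  var parser = new detachedWindow.DOMParser();
  // On the pre-fix build this call produced the UNKNOWN READ at 0xa8
  // reported by ClusterFuzz; post-fix it must return or throw, never crash.
  return parser.parseFromString('<p id="x">detached</p>', 'text/html');
}

try {
  var doc = parseFromDetachedContext();
  // Reaching this line means the renderer survived; report what came back.
  log('PASS: parseFromString() from a detached context did not crash');
  // nodeType 9 is DOCUMENT_NODE; avoids a cross-realm instanceof check.
  log('returned a Document: ' + (doc !== null && doc.nodeType === 9));
  log('parsed element present: ' + (doc !== null && doc.getElementById('x') !== null));
} catch (e) {
  // A thrown exception is acceptable post-fix behaviour; a crash is not.
  log('PASS (threw ' + e.name + '): no renderer crash');
}
</script>
</body>
```

Load the file in a build with the fix to confirm a PASS line is written; on a pre-fix ASan build the tab dies before any output appears.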

Comment 5 by sigbjo...@opera.com, Nov 17 2016

Status: Fixed (was: Assigned)

Comment 6 by ClusterFuzz, Nov 18 2016

ClusterFuzz has detected this issue as fixed in range 432588:432830.

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=429249:429264
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=432588:432830

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Issue 667700 has been merged into this issue.
