Issue metadata
Heap-use-after-free in blink::LayoutTextFragment::setTextFragment
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6567724890456064

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6100000942d8
Crash State:
  blink::LayoutTextFragment::setTextFragment
  blink::FirstLetterPseudoElement::detachLayoutTree
  blink::PseudoElement::dispose

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=431847:431862

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97lm46EsARPsVymAHwsyDHcD4wwj4YcwnZm6Gm57gsULEb8WXsZapSAyp-EhFLX-QJmkmcSh0UbRi2q1Ctcf9QU_V7ctnLcjOqQjaIbo-yytVh3iFhwFHXNMGDC1B05S7oix6y2obuPjMNaYbNKPlSEX-kVuw?testcase_id=6567724890456064

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Nov 15 2016
Thanks rickyz@. +1, we should try to get a reproducible case and investigate the root cause.
Nov 28 2016

Nov 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/338b38e06760302a8010bfea008865f55db4db0c

commit 338b38e06760302a8010bfea008865f55db4db0c
Author: kojii <kojii@chromium.org>
Date: Tue Nov 29 16:20:12 2016

Avoid updateStyleAndLayoutTree in determineAccessibilityRole

This patch avoids updating the layout tree in AXNodeObject::determineAccessibilityRole(). Element::isFocusable() requires styles to be updated. However, when layout code calls determineAccessibilityRole(), updating the layout tree should be avoided since it may destroy the calling object. This patch replaces it with supportsFocus(), since the main purpose is to give elements with tabIndex explicitly set some role.

This is a speculative fix.

BUG=590369, 647602, 665168
Review-Url: https://codereview.chromium.org/2532023002
Cr-Commit-Position: refs/heads/master@{#435009}

[modify] https://crrev.com/338b38e06760302a8010bfea008865f55db4db0c/third_party/WebKit/Source/modules/accessibility/AXNodeObject.cpp

Dec 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/13ae3f245af2124718f024ae13f328c27c618f09

commit 13ae3f245af2124718f024ae13f328c27c618f09
Author: Koji Ishii <kojii@chromium.org>
Date: Thu Dec 01 08:28:25 2016

Merge 2924: Avoid updateStyleAndLayoutTree in determineAccessibilityRole

This patch avoids updating the layout tree in AXNodeObject::determineAccessibilityRole(). Element::isFocusable() requires styles to be updated. However, when layout code calls determineAccessibilityRole(), updating the layout tree should be avoided since it may destroy the calling object. This patch replaces it with supportsFocus(), since the main purpose is to give elements with tabIndex explicitly set some role.

This is a speculative fix.

BUG=590369, 647602, 665168
Review-Url: https://codereview.chromium.org/2532023002
Cr-Commit-Position: refs/heads/master@{#435009}
(cherry picked from commit 338b38e06760302a8010bfea008865f55db4db0c)

Review URL: https://codereview.chromium.org/2542883002
Cr-Commit-Position: refs/branch-heads/2924@{#241}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/13ae3f245af2124718f024ae13f328c27c618f09/third_party/WebKit/Source/modules/accessibility/AXNodeObject.cpp

Mar 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by rickyz@chromium.org, Nov 14 2016
Mergedinto: 647602
Owner: mmoroz@chromium.org
Status: Duplicate (was: Untriaged)