Heap-use-after-free in test_runner::MockColorChooser::endChooser
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6345937736957952
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61500015e0a8
Crash State:
  test_runner::MockColorChooser::endChooser
  blink::ColorChooserUIController::~ColorChooserUIController
  blink::NormalPage::sweep
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=376355:376399
Minimized Testcase (2.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97CLRs5CDO0sGBhdkfy8CLypdbkgOiHfL2Greox-HkKa4pBKQsJXEfYw_0chCuTAA1elNQSaVF_SEBTRSmQ47V-JmLGQLq3k5_TddgfgAYOja94Fa0SLlH-9Z8i_FywAQw9enncd8qmCFMRCPwLXQF3qpsCvA?testcase_id=6345937736957952
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 4 2016
Dec 4 2016
Dec 18 2016
keishi: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 29 2016
Seems to be test only. Removing from the security queue.
Jan 4 2017
Jan 4 2017
TestRunner is torn down before the ColorChooserUIController finalizer(s) get to run.
Jan 20 2017
ClusterFuzz has detected this issue as fixed in range 444813:444844.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6345937736957952
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61500015e0a8
Crash State:
  test_runner::MockColorChooser::endChooser
  blink::ColorChooserUIController::~ColorChooserUIController
  blink::NormalPage::sweep
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=376355:376399
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=444813:444844
Minimized Testcase (2.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97CLRs5CDO0sGBhdkfy8CLypdbkgOiHfL2Greox-HkKa4pBKQsJXEfYw_0chCuTAA1elNQSaVF_SEBTRSmQ47V-JmLGQLq3k5_TddgfgAYOja94Fa0SLlH-9Z8i_FywAQw9enncd8qmCFMRCPwLXQF3qpsCvA?testcase_id=6345937736957952
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 20 2017
ClusterFuzz testcase 6345937736957952 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by jialiul@chromium.org, Dec 3 2016
Components: Blink>MemoryAllocator>GarbageCollection
Owner: keishi@chromium.org
Status: Assigned (was: Untriaged)