
Issue 675176

Issue metadata

Status: Verified
Owner: malaykeshav@chromium.org
Closed: Dec 2016
Components: Blink>Layout
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::LayoutInline::addChildIgnoringContinuation;blink::LayoutBox::clientLeft

Project Member Reported by ClusterFuzz, Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6105630088888320

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f30e0c586d8
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::LayoutInline::addChildIgnoringContinuation
  blink::LayoutBox::clientLeft
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=437599:437697

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97slTpzGA9TWu1ugFFTj7VGjo4zBppOmub_kstUl1MtFtjRBtBF6tv-KXdjWs1QrtUFRGvZJns03R31J23HqtIPvTOlu8SVIX3gbMUA46kxvg1VN7neaiU0AbUYUYNbjSu8dm1hEIhhCZvnAq1H-EbYN6LxrA?testcase_id=6105630088888320
<style>
*{-webkit-line-box-contain:glyphs;display:initial;}
.CLASS6{vertical-align:middle;-webkit-backface-visibility:hidden;}
.CLASS9{bookmark-target:attr(onkeyup);clip-path:url("TODO");</style>
<dl class="CLASS9 CLASS13">
<select class="CLASS6 CLASS14">


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
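
Editor's note on the crash class, added here and not part of the ClusterFuzz report or of Blink's code: a CFI "Bad-cast" is Clang's -fsanitize=cfi-derived-cast check firing on a base-to-derived cast whose target type does not match the object's dynamic type. In the crash state above, a LayoutInline is cast to LayoutBox and then LayoutBox::clientLeft reads box-only geometry that an inline object does not carry, i.e. memory past the end of the smaller object, which is why the severity is High. The sketch below uses hypothetical stand-in classes and members modelled on the crash state (LayoutObject, LayoutInline, LayoutBox, isBox, clientLeft) to contrast the unchecked cast with the predicate-checked cast pattern Blink uses for its type-cast helpers, and to measure how far a confused box access would overrun an inline object.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical stand-ins for the Blink layout hierarchy (not Blink's real
// classes): a base with a type predicate, an inline, and a box with extra fields.
class LayoutObject {
 public:
  virtual ~LayoutObject() = default;
  virtual bool isBox() const { return false; }
  virtual bool isLayoutInline() const { return false; }
  LayoutObject* parent = nullptr;  // every layout object has a parent link
  uint32_t bitfields = 0;          // and some packed flags
};

class LayoutInline : public LayoutObject {
 public:
  bool isLayoutInline() const override { return true; }
};

class LayoutBox : public LayoutObject {
 public:
  bool isBox() const override { return true; }
  // Box-only geometry: none of this storage exists on a LayoutInline.
  int64_t frameX = 0, frameY = 0, width = 0, height = 0;
  int64_t borderLeftWidth = 0;
  int64_t clientLeft() const { return borderLeftWidth; }
};

// Unchecked downcast: what the faulty call path amounts to. It compiles and
// "succeeds" for any LayoutObject. Building with
//   clang++ -flto -fvisibility=hidden -fsanitize=cfi-derived-cast
// is what turns a wrong-type cast here into the Bad-cast abort in the report.
inline LayoutBox* toLayoutBoxUnchecked(LayoutObject* o) {
  return static_cast<LayoutBox*>(o);
}

// Checked downcast in the style of Blink's type-cast helpers: the dynamic type
// is consulted first, and a non-box yields nullptr instead of a confused pointer.
inline LayoutBox* toLayoutBoxChecked(LayoutObject* o) {
  if (o == nullptr || !o->isBox()) return nullptr;
  return static_cast<LayoutBox*>(o);
}

// Bytes a LayoutBox member access could reach beyond the end of a LayoutInline
// object if the confusion were not caught (layout is compiler-specific, so this
// is computed rather than hard-coded).
constexpr std::size_t overreadBytes() {
  return sizeof(LayoutBox) > sizeof(LayoutInline)
             ? sizeof(LayoutBox) - sizeof(LayoutInline)
             : 0;
}

// True if the checked cast rejects an inline, accepts a box, and the box reads
// back its own border width through clientLeft().
bool checkedCastBehaves() {
  LayoutInline inl;
  LayoutBox box;
  box.borderLeftWidth = 7;
  LayoutObject* asObject = &inl;
  if (toLayoutBoxChecked(asObject) != nullptr) return false;  // must be rejected
  LayoutBox* b = toLayoutBoxChecked(&box);
  return b != nullptr && b->clientLeft() == 7;
}

int main() {
  // Under CFI the unchecked line below aborts with a bad-cast diagnostic;
  // without CFI it silently hands back a LayoutBox* to a smaller object whose
  // clientLeft() would read overreadBytes() bytes past its end.
  LayoutInline inl;
  LayoutBox* confused = toLayoutBoxUnchecked(&inl);
  (void)confused;  // deliberately never dereferenced here
  return (checkedCastBehaves() && overreadBytes() > 0) ? 0 : 1;
}
```

The fix direction this pattern implies is the usual one for Blink bad-cast reports: the caller must establish the child's type (isBox()) before treating it as a box, rather than assuming it from context; the CFI build only reports the confusion, it does not repair it.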
 
Project Member

Comment 1 by sheriffbot@chromium.org, Dec 17 2016

Labels: M-57
Project Member

Comment 2 by sheriffbot@chromium.org, Dec 17 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 17 2016

Labels: Pri-1
Components: Blink>Layout
Owner: malaykeshav@chromium.org
Status: Assigned (was: Untriaged)
malaykeshav: do you mind taking a look at this?
Project Member

Comment 5 by ClusterFuzz, Dec 28 2016

ClusterFuzz has detected this issue as fixed in range 440808:440829.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6105630088888320

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f30e0c586d8
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::LayoutInline::addChildIgnoringContinuation
  blink::LayoutBox::clientLeft
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=437599:437697
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=440808:440829


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Dec 28 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6105630088888320 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Dec 28 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 9 by sheriffbot@chromium.org, Apr 5 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
