Use-after-poison in blink::HTMLFormElement::reset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5636720206020608

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7eed3c9a4488
Crash State:
  blink::HTMLFormElement::reset
  blink::ResetInputType::handleDOMActivateEvent
  blink::HTMLInputElement::defaultEventHandler

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=437123:437180

Minimized Testcase (0.32 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95U7VaodAB31U6zQAjptKZ-50IqE38zYjzdHL-ge5j0_Q9z6QKp3IDkXlA8vShxS-vVd76VDyFPCZ2j9r4qpnbX4QoPA3-4oEUOGbMuIy--N9cT6W2n5lmjKXaiCZAHfxc96CaDPe-yPOn-2pYS2Vaenyon2g?testcase_id=5636720206020608

<script>
function jsfuzzer() {
  if(htmlvar00020) htmlvar00020.appendChild(htmlvar00004);
  htmlvar00005.click();
}
function eventhandler3() { }
</script>
<body onload=jsfuzzer()>
<details id="htmlvar00004">
<input id="htmlvar00005" type="reset">
</details>
<form>
<output>
<param id="htmlvar00020" valuetype="ref"</output>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
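Added illustration, not Blink code and not taken from the CL referenced later in this thread. The crash state shows the form reset loop in HTMLFormElement::reset running off the reset button's activation, and the minimized testcase places that button inside an <output> within the form. The HTML spec's reset algorithm for <output> sets its text content to its default value, which removes its child nodes, so a reset loop that visits the <output> first removes a control it has not reached yet. The C++ model below uses its own names (Form, Control, OutputControl) and omits the <param> and <details> wrappers of the testcase; it shows the pattern a reset loop needs to survive a control whose reset mutates the tree: iterate over a snapshot, hold weak references, and re-check attachment before each call. Whether this is the exact mechanism of the Blink bug is not stated on this page; the fix itself is in the linked CL.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Added illustration, not Blink code. Form, Control and OutputControl are this
// example's own names. It models the shape of the fuzzer's testcase: a form's
// reset loop visits each associated control in turn, and one control's reset()
// removes the subtree holding a control the loop has not visited yet.

struct Form;

struct Control {
  std::string name;
  Form* form = nullptr;  // set while attached to a form, nullptr once detached
  std::vector<std::shared_ptr<Control>> children;
  int resetCount = 0;

  virtual ~Control() = default;
  virtual void reset() { ++resetCount; }
};

struct Form {
  std::vector<std::shared_ptr<Control>> associated;  // tree order
  std::vector<std::string> log;

  void attach(const std::shared_ptr<Control>& c) {
    c->form = this;
    associated.push_back(c);
    for (auto& child : c->children) attach(child);
  }

  // Removes c and its descendants from the associated list.
  void detach(const std::shared_ptr<Control>& c) {
    c->form = nullptr;
    associated.erase(std::remove(associated.begin(), associated.end(), c),
                     associated.end());
    for (auto& child : c->children) detach(child);
  }

  // The hazard, not executed here:   for (auto& c : associated) c->reset();
  // If c->reset() erases from `associated` and drops the last reference to a
  // control further along, the loop touches freed memory on the next step,
  // which ASan reports as a use-after-free / use-after-poison.
  void reset() {
    // Walk a snapshot of weak references, never the live container, and
    // re-check that each control still belongs to this form before touching it.
    std::vector<std::weak_ptr<Control>> snapshot(associated.begin(),
                                                 associated.end());
    for (auto& weak : snapshot) {
      std::shared_ptr<Control> c = weak.lock();
      if (!c) { log.push_back("skipped destroyed control"); continue; }
      if (c->form != this) { log.push_back("skipped detached " + c->name); continue; }
      c->reset();
      log.push_back("reset " + c->name);
    }
  }
};

// Modelled on <output>: per the HTML spec its reset sets textContent to the
// default value, replacing all child nodes. Modelled here as detaching the
// children from the form and dropping the tree's references to them.
struct OutputControl : Control {
  void reset() override {
    Control::reset();
    if (form) for (auto& child : children) form->detach(child);
    children.clear();  // the tree's reference to the subtree goes away here
  }
};

struct ResetOutcome {
  int outputResets;
  int buttonResets;
  bool buttonDestroyed;
  size_t remainingAssociated;
  std::vector<std::string> log;
};

// Builds <form><output><input type=reset></output></form> and runs the reset a
// click on the button would trigger. With holdExternalRef the button survives
// detachment, as it would if a script still held a reference to it.
ResetOutcome runScenario(bool holdExternalRef) {
  Form form;
  auto output = std::make_shared<OutputControl>();
  output->name = "output";
  auto button = std::make_shared<Control>();
  button->name = "reset-button";
  output->children.push_back(button);
  form.attach(output);

  std::weak_ptr<Control> watch = button;
  if (!holdExternalRef) button.reset();  // only the tree owns the button now
  form.reset();
  int buttonResets = watch.expired() ? 0 : watch.lock()->resetCount;
  return {output->resetCount, buttonResets, watch.expired(),
          form.associated.size(), form.log};
}

int main() {
  for (bool hold : {false, true}) {
    ResetOutcome o = runScenario(hold);
    for (const auto& line : o.log) std::printf("%s\n", line.c_str());
  }
  return 0;
}
```

In both runs the loop resets the <output> and then finds the button either destroyed or detached; it is never reset and never dereferenced through a stale pointer. The snapshot is what makes the mutation survivable; the attachment re-check is what stops a control that was merely moved out of the form from being reset as if it still belonged to it.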
Comment 1 by sheriffbot@chromium.org, Dec 17 2016

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 20 2016

Issue 675181 has been merged into this issue.
Dec 20 2016

Issue 675110 has been merged into this issue.
Dec 20 2016

The result is a list of CLs that change the crashed files.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f5775c2f04c255de2fe9f68ff8444d3f987901a4
Time: Thu Dec 08 04:12:13 2016

Line 469 of file HTMLFormElement.cpp, which potentially caused the crash, is changed in this CL (frame #1, "blink::HTMLFormElement::reset"). Minimum distance from crash line to modified line: 0. (file: HTMLFormElement.cpp, crashed on: 468, modified: 468).
Dec 21 2016

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/44dd7c1b6106ea96ad8bd134e21f4d933cfda1c0

commit 44dd7c1b6106ea96ad8bd134e21f4d933cfda1c0
Author: tkent <tkent@chromium.org>
Date: Wed Dec 21 02:30:58 2016

    Fix a crash in HTMLFormElement::reset() due to <output>.

    BUG= 675237
    Review-Url: https://codereview.chromium.org/2588293002
    Cr-Commit-Position: refs/heads/master@{#439984}

[add] https://crrev.com/44dd7c1b6106ea96ad8bd134e21f4d933cfda1c0/third_party/WebKit/LayoutTests/fast/forms/form-reset-crash.html
[modify] https://crrev.com/44dd7c1b6106ea96ad8bd134e21f4d933cfda1c0/third_party/WebKit/Source/core/html/HTMLFormElement.cpp
Dec 21 2016

ClusterFuzz has detected this issue as fixed in range 439820:440026.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5636720206020608

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7eed3c9a4488
Crash State:
  blink::HTMLFormElement::reset
  blink::ResetInputType::handleDOMActivateEvent
  blink::HTMLInputElement::defaultEventHandler

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=437123:437180
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=439820:440026

Minimized Testcase (0.32 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95U7VaodAB31U6zQAjptKZ-50IqE38zYjzdHL-ge5j0_Q9z6QKp3IDkXlA8vShxS-vVd76VDyFPCZ2j9r4qpnbX4QoPA3-4oEUOGbMuIy--N9cT6W2n5lmjKXaiCZAHfxc96CaDPe-yPOn-2pYS2Vaenyon2g?testcase_id=5636720206020608

<script>
function jsfuzzer() {
  if(htmlvar00020) htmlvar00020.appendChild(htmlvar00004);
  htmlvar00005.click();
}
function eventhandler3() { }
</script>
<body onload=jsfuzzer()>
<details id="htmlvar00004">
<input id="htmlvar00005" type="reset">
</details>
<form>
<output>
<param id="htmlvar00020" valuetype="ref"</output>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 29 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot