Issue metadata
Sign in to add a comment
|
Heap-use-after-free in cc::SurfaceManager::Destroy |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5645303261954048 Fuzzer: inferno_twister Job Type: windows_syzyasan_content_shell Platform Id: windows Crash Type: Heap-use-after-free READ 4 Crash Address: 0x2922158f Crash State: cc::SurfaceManager::Destroy cc::SurfaceFactory::EvictSurface cc::CompositorFrameSinkSupport::~CompositorFrameSinkSupport Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=440968:440977 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97e0ybbs6k3RdITGJsCka8beev6rcdrFlGvUSiTSk_cfI58xn8GRbSnvzEKGaT9un4pn2rAagRN3tneYeF4Z4OQbq5PR9PIDmxn40QWawTj-qF5PhF-zk2klr9Wfpd6ywyn5Za-fC0MavCNCO41ANCoPNuKtXq7oUCephpFw0vDHylLn3KJQvpVRcqey2zdZFbB-42eTOkAU1uQrd6T26aamOE4OzntkO9APbkGBpXw6RXLk7t2YrxsFwR9G0uV1TfzvjNLuCTq-bXMinuOsiIcgW3k8QWIX3oa1Ipt_YLUAl2yq3FEcs68bW-hVtfC03GHlA5pckBkxg1wNxCK6YoHQJAHDB3drCMe7cpC_qaYKEoFBlc?testcase_id=5645303261954048 </title> <script> var canvas = document.createElement('canvas'); var offscreen = canvas.transferControlToOffscreen(); var ctx = offscreen.getContext('2d'); ctx.commit(); </script> Additional requirements: Requires HTTP Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 30 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 30 2016
,
Dec 31 2016
,
Jan 2 2017
fsamuel@, would you mind taking a look? Please feel free to re-assign if you are not a good owner for this.
,
Jan 2 2017
,
Jan 3 2017
,
Jan 12 2017
ClusterFuzz has detected this issue as fixed in range 441510:441524. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5645303261954048 Fuzzer: inferno_twister Job Type: windows_syzyasan_content_shell Platform Id: windows Crash Type: Heap-use-after-free READ 4 Crash Address: 0x2922158f Crash State: cc::SurfaceManager::Destroy cc::SurfaceFactory::EvictSurface cc::CompositorFrameSinkSupport::~CompositorFrameSinkSupport Memory Tool: SYZYASAN Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=440968:440977 Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=441510:441524 Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97e0ybbs6k3RdITGJsCka8beev6rcdrFlGvUSiTSk_cfI58xn8GRbSnvzEKGaT9un4pn2rAagRN3tneYeF4Z4OQbq5PR9PIDmxn40QWawTj-qF5PhF-zk2klr9Wfpd6ywyn5Za-fC0MavCNCO41ANCoPNuKtXq7oUCephpFw0vDHylLn3KJQvpVRcqey2zdZFbB-42eTOkAU1uQrd6T26aamOE4OzntkO9APbkGBpXw6RXLk7t2YrxsFwR9G0uV1TfzvjNLuCTq-bXMinuOsiIcgW3k8QWIX3oa1Ipt_YLUAl2yq3FEcs68bW-hVtfC03GHlA5pckBkxg1wNxCK6YoHQJAHDB3drCMe7cpC_qaYKEoFBlc?testcase_id=5645303261954048 </title> <script> var canvas = document.createElement('canvas'); var offscreen = canvas.transferControlToOffscreen(); var ctx = offscreen.getContext('2d'); ctx.commit(); </script> Additional requirements: Requires HTTP See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 27 2017
,
Apr 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Dec 30 2016