Issue 680424 link

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Heap-use-after-free in cc::SurfaceManager::UnregisterSurfaceFactoryClient

Project Member Reported by ClusterFuzz, Jan 12 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5367912140636160

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x291255f3
Crash State:
  cc::SurfaceManager::UnregisterSurfaceFactoryClient
  cc::CompositorFrameSinkSupport::~CompositorFrameSinkSupport
  content::OffscreenCanvasCompositorFrameSink::~OffscreenCanvasCompositorFrameSink
  
Memory Tool: SYZYASAN

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=441510:441524

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv973hmFuFTXjXooaq3zWz_ILLHWYPbIf2sagBPHb87AZIDVexcjqyL4AEz-2VNgp0SiQW4qa93-l7Xx6uypwZ8-M7-6VxlQHQScmiZhV85m6cqnAhJR9GIM5DMcgIXW_TIemcxPWs6C0sEG5wZayslranZ0quYpDf_91ivzntRF94KLevpLcgvlLj_cSyUXtwdDb3OLj-SUAnL3HwIfrLZD0NgkuTc9XHIRRLI-5cRnH3KY1J6YC_8-VJCNEtJhzhCVWK0PHx-Z15ZjY2wZjZLz_gIN6VxkkV34O6UyzVvhIBDvwQy1C3YS5KYCzR4ZL8V6f-kj3QYtSUBCpDxKn4j6JEGzgXVhmFKWRAFqGUiL5tOuc4YVwy-przzVj7bJ2CYNOw5aqONMfIO0vp8UsSwMtjH_f6g?testcase_id=5367912140636160


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member Comment 1 by sheriffbot@chromium.org, Jan 12 2017

Labels: M-57

Project Member Comment 2 by sheriffbot@chromium.org, Jan 12 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 3 by sheriffbot@chromium.org, Jan 12 2017

Labels: Pri-1

Project Member Comment 4 by sheriffbot@chromium.org, Jan 13 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: Untriaged)
Flaky test case and nothing looks suspicious in the regression range. Since it hasn't happened again today just closing this for now. CF will refile if it happens again.
Labels: -ReleaseBlock-Beta

Project Member Comment 7 by sheriffbot@chromium.org, Apr 22 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot