Heap-use-after-free in blink::FloatingObject::FloatingObject
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5254114230665216

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x03840134
Crash State:
  blink::FloatingObject::FloatingObject
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=444945:444973

Minimized Testcase (1.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97E7lud9yJw7r1cwRdeI6dGLSIizI8SovWPgrofuFllNqS5spzv8pgZ9fvhZnD9nFnaCJ0uc490PYgRrxLNFfxf2wfFB58xOdF4AO4iY6r-JzZ45xH91Bx6nkUXxCbaHGoMMiyKadNHA3hQkzUS3l_4RQiPnSiTdxK1vyC1GjXeud5WGQqxMCetoSxFYAxEoCIFCO46k9uNJgkVeXhEpixhhiw4zbRi0nXk13sGmQf1cOPCa4LoO5agftF9wEYp9Py5vDoUxhFJkNVopflRFPxlPO01BVNLUovu464tFzSwr3_RmOTDDtPf3sHHxEbt3nRP44l12EpU5obIQ5BYjl0mYoNNlR9Mk8eWYJFsmJNjvQYAueM?testcase_id=5254114230665216

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 20 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 20 2017
Jan 23 2017
A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Jan 23 2017
robhogan, could you please take a look at this bug? It looks like it's quite possibly related to https://codereview.chromium.org/2329863002. Thanks!
Jan 23 2017
Jan 25 2017
[Bulk edit] A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Jan 26 2017
ClusterFuzz testcase 4533190279823360 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 26 2017
Jan 26 2017
Jan 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fa2a16567af6fc774c0a9fe44fb53eb5135056b0

commit fa2a16567af6fc774c0a9fe44fb53eb5135056b0
Author: robhogan <robhogan@gmail.com>
Date: Thu Jan 26 19:56:40 2017

Clear out the float-lists from a ruby base when moving its children

A follow up to https://codereview.chromium.org/2329863002 and https://codereview.chromium.org/2645473004. When moving children from one base to another clear down the float lists of all descendants - seems like 'it's the only way to be sure'.

BUG= 683104
Review-Url: https://codereview.chromium.org/2653113002
Cr-Commit-Position: refs/heads/master@{#446410}

[add] https://crrev.com/fa2a16567af6fc774c0a9fe44fb53eb5135056b0/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-moved-crash-2-expected.txt
[add] https://crrev.com/fa2a16567af6fc774c0a9fe44fb53eb5135056b0/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-moved-crash-2.html
[modify] https://crrev.com/fa2a16567af6fc774c0a9fe44fb53eb5135056b0/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp

Jan 27 2017
Jan 28 2017
Jan 28 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 30 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 30 2017
Please merge your change to M57 branch 2987 ASAP. If merge happens today before 5:00 PM PT, then we can take it for tomorrow's last M57 Dev release. Thank you.
Jan 30 2017
Has the fix been verified on canary yet?
Jan 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/47603830c84360e6074df0d3e6b1c74f99a4bd3a

commit 47603830c84360e6074df0d3e6b1c74f99a4bd3a
Author: Robert Hogan <robhogan@gmail.com>
Date: Mon Jan 30 19:46:01 2017

Clear out the float-lists from a ruby base when moving its children

A follow up to https://codereview.chromium.org/2329863002 and https://codereview.chromium.org/2645473004. When moving children from one base to another clear down the float lists of all descendants - seems like 'it's the only way to be sure'.

BUG= 683104
Review-Url: https://codereview.chromium.org/2653113002
Cr-Commit-Position: refs/heads/master@{#446410}
(cherry picked from commit fa2a16567af6fc774c0a9fe44fb53eb5135056b0)

Review-Url: https://codereview.chromium.org/2659303004 .
Cr-Commit-Position: refs/branch-heads/2987@{#173}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/47603830c84360e6074df0d3e6b1c74f99a4bd3a/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-moved-crash-2-expected.txt
[add] https://crrev.com/47603830c84360e6074df0d3e6b1c74f99a4bd3a/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-moved-crash-2.html
[modify] https://crrev.com/47603830c84360e6074df0d3e6b1c74f99a4bd3a/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp

Jan 31 2017
May 7 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Comment 1 by sheriffbot@chromium.org, Jan 20 2017