Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4654741847277568
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::TransformBuilder::createTransformOperations
  blink::StyleBuilderConverter::convertTransformOperations
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=445525:445725
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95bmnIWC2lrz5OtkjCqwhrRmLo7ohyhTobO047-0pIT8YFaYdq9sapbZBsIC0FC6Oy5H9H5kecuIq1HxLXBMV7AguU--cfmgksdE3YCRnHsRZCuFnICVgG1Hlbp2jN5ACPV-0l5j461elgGSqAwb6EJ9cXw3TdtrQCF2Fm3y7gRylIeR-mQRGv-aetqUHr92B9ShE7R5k89rTFtdbnr2DxI3ov-HkgF0xVVBHxD4di9aJo7NrXEXgV4QLIr8XtED_mODBTSlQEDMXOx74uliXtOMnK2ItuTE1CAjqrx7HczpS52AO7d4gx-0fuETvuOqlDDR5-wRrSVWSRM9cm7oJhQOU4O9W4-ddGe38b78VvuNg0fsFJrx1aEkc3Fz6xRAQL_-OuT-4KG4mF8zWH3tX-w3Wp9FQ?testcase_id=4654741847277568
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Through code search on file "third_party/WebKit/Source/wtf/Vector.h", suspected CL: https://chromium.googlesource.com/chromium/src/+/4da5a6bc55b8e3909b98f3e0f23d7c5d0cb9ecb8. There are similar issues reported, 688306 and 687941. Please mark this issue as a duplicate if it is the same as any of those bugs. Thank you.
Dupe of issue 688306 ?
Most likely, a transform operation taking (or having) no arguments?
My suspicion currently is a transform with a broken argument. I've not been able to repro with the test from issue 688306 (yet, cross_fuzz taking its time? I don't know...), but I've developed a possible way it could trigger, I think...
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d3173fb3e213e658abf34667f130b55b6baac395

commit d3173fb3e213e658abf34667f130b55b6baac395
Author: fs <fs@opera.com>
Date: Wed Feb 08 14:54:59 2017

SVGTransformList.consolidate() should return null on an empty list

SVGTransformList.consolidate() returns an SVGTransform with type "unknown", which is an invalid object that other parts of the code couldn't cope with. The specification: https://svgwg.org/svg2-draft/coords.html#__svg__SVGTransformList__consolidate says that 'null' should be returned in this case though, so do that instead.

Rewrite svg/dom/SVGTransformList-empty-list-consolidation.html to actually assert this part of the contract, and also convert it to use testharness.js while at it.

BUG=688306,688303
Review-Url: https://codereview.chromium.org/2681803004
Cr-Commit-Position: refs/heads/master@{#448994}

[delete] https://crrev.com/e398e7fd334c08a2cfb805b25b0792fb15e674d3/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation-expected.txt
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation.html
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash-expected.txt
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash.html
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/Source/core/svg/SVGTransformList.cpp
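The contract described in the commit above, as an added example (not code from the CL, the layout tests or the bug report): a check that consolidate() on an empty SVGTransformList yields null, with a guard that refuses to feed an "unknown"-type transform back into initialize(). The stub list (which models both the pre-fix and post-fix return value) and the runInBrowser helper are assumptions of this example, not part of Blink.

```javascript
// Added example, not code from the Chromium CL or the bug report. It exercises the
// contract the fix establishes: SVGTransformList.consolidate() returns null on an
// empty list, and only a real transform is fed back into initialize(). The
// pre-fix behaviour (an SVGTransform of type SVG_TRANSFORM_UNKNOWN) is modelled
// by the constructed stub below so the guard can be shown without a browser.
const SVG_TRANSFORM_UNKNOWN = 0; // value of SVGTransform.SVG_TRANSFORM_UNKNOWN
const SVG_TRANSFORM_MATRIX = 1;  // value of SVGTransform.SVG_TRANSFORM_MATRIX

// Consolidate a list and, if a transform came back, re-initialize the list with it.
// Refuses to pass an "unknown" transform on, which is what the crashing path did.
function consolidateAndReinitialize(list) {
  const t = list.consolidate();
  if (t === null) {
    return { outcome: "empty", items: list.numberOfItems };
  }
  if (t.type === SVG_TRANSFORM_UNKNOWN) {
    // Pre-fix result: an invalid object that must not reach initialize()/appendItem().
    return { outcome: "invalid-transform", items: list.numberOfItems };
  }
  list.initialize(t);
  return { outcome: "consolidated", type: t.type, items: list.numberOfItems };
}

// Constructed stub with the same surface as SVGTransformList, used when no DOM is
// available. `fixed` selects null (post-fix) or an unknown-type object (pre-fix).
function makeStubList(types, fixed) {
  let items = types.map((type) => ({ type }));
  return {
    get numberOfItems() { return items.length; },
    consolidate() {
      if (items.length === 0) return fixed ? null : { type: SVG_TRANSFORM_UNKNOWN };
      items = [{ type: SVG_TRANSFORM_MATRIX }]; // all items folded into one matrix
      return items[0];
    },
    initialize(t) { items = [t]; return t; },
  };
}

// Browser usage against the real DOM (assumed to run in a page with a <body>).
function runInBrowser() {
  const ns = "http://www.w3.org/2000/svg";
  const svg = document.createElementNS(ns, "svg");
  const rect = document.createElementNS(ns, "rect");
  svg.appendChild(rect);
  document.body.appendChild(svg);
  const list = rect.transform.baseVal;
  const empty = consolidateAndReinitialize(list);   // expect outcome "empty" after the fix
  rect.setAttribute("transform", "translate(10,20) scale(2)");
  const merged = consolidateAndReinitialize(list);  // expect outcome "consolidated"
  return { empty, merged };
}
```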
ClusterFuzz has detected this issue as fixed in range 448971:449002.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4654741847277568
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::TransformBuilder::createTransformOperations
  blink::StyleBuilderConverter::convertTransformOperations
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=445525:445725
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=448971:449002
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95bmnIWC2lrz5OtkjCqwhrRmLo7ohyhTobO047-0pIT8YFaYdq9sapbZBsIC0FC6Oy5H9H5kecuIq1HxLXBMV7AguU--cfmgksdE3YCRnHsRZCuFnICVgG1Hlbp2jN5ACPV-0l5j461elgGSqAwb6EJ9cXw3TdtrQCF2Fm3y7gRylIeR-mQRGv-aetqUHr92B9ShE7R5k89rTFtdbnr2DxI3ov-HkgF0xVVBHxD4di9aJo7NrXEXgV4QLIr8XtED_mODBTSlQEDMXOx74uliXtOMnK2ItuTE1CAjqrx7HczpS52AO7d4gx-0fuETvuOqlDDR5-wRrSVWSRM9cm7oJhQOU4O9W4-ddGe38b78VvuNg0fsFJrx1aEkc3Fz6xRAQL_-OuT-4KG4mF8zWH3tX-w3Wp9FQ?testcase_id=4654741847277568
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Issue 688306 has been merged into this issue.
Comment 1 by tkent@chromium.org, Feb 3 2017