nullptr deref in blink::isVisuallyEquivalentCandidate
|||
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5695524545232896
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::isVisuallyEquivalentCandidate
  blink::canonicalPositionOf
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal>
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=450347:450401
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv941WI5N-_vl7LB_X8yv2FSFdTMl_MauJHpvakD1GjXad_5CXsvr1GpAkckxbjY19rQYMq5la6mJtTNVfdZxVT8GKQotN476Lk1xqgeBPKEFnQQt2gD0vG-8RX45SIDZtn1yRM28emDsvIooFzDpS0vN-WRN8uQwig3m-Wlqd8uDoqMDUP7ccskxmxnaRLSswhDhxzCBg3w302HLe_PuiE2kGOmBQL1hvMgojpobn-cnlWawapr6-xgnqYaVCQG1gC-RYke3gBUUhiqO0cCdeRJvl0hY2qWr3Q2kBpPC-pFxLmLUdBn0uUCg0rUGc7awAB_bZlLeklhlS7DbdQ0TY4sa8kSVad7PAkNFMRZy4rVUh_a5kH0?testcase_id=5695524545232896
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 7 2017
It's a nullptr deref in isVisuallyEquivalentCandidateAlgorithm:
if (isDisplayInsideTable(anchorNode) || editingIgnoresContent(*anchorNode)) {
  if (!position.atFirstEditingPositionForNode() &&
      !position.atLastEditingPositionForNode())
    return false;
  const Node* parent = Strategy::parent(*anchorNode); // |parent| can be nullptr!
--> return parent->layoutObject() && parent->layoutObject()->isSelectable();
}
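A compilable model of the fault, added here as an example and not code from Chromium or from the commenter: it rebuilds the table / editing-ignores-content branch quoted above over stub Node, LayoutObject and Position types (all constructed for this example, with parentOf standing in for Strategy::parent), keeps the unchecked shape for comparison, and puts beside it a hardened form that treats a parentless anchor as a non-candidate. The hardened form is an assumed fix, not the patch that closed this issue, which the page does not show; the non-table path of the real function is likewise not modelled.

```cpp
#include <memory>

// Minimal stand-ins (constructed for this example) for the Blink types
// named in the crashing snippet: LayoutObject, Node, Strategy::parent().
struct LayoutObject {
  bool selectable = true;
  bool isSelectable() const { return selectable; }
};

struct Node {
  const Node* parent = nullptr;           // nullptr for a root or detached node
  std::unique_ptr<LayoutObject> layout;   // null when the node has no layout box
  bool displayInsideTable = false;
  bool ignoresContent = false;
  LayoutObject* layoutObject() const { return layout.get(); }
};

// Stand-in for Strategy::parent(): like the real one, it can return nullptr.
const Node* parentOf(const Node& n) { return n.parent; }
bool isDisplayInsideTable(const Node* n) { return n->displayInsideTable; }
bool editingIgnoresContent(const Node& n) { return n.ignoresContent; }

// A position is an anchor node plus where inside that node it sits.
struct Position {
  const Node* anchorNode;
  bool atFirst;
  bool atLast;
  bool atFirstEditingPositionForNode() const { return atFirst; }
  bool atLastEditingPositionForNode() const { return atLast; }
};

// Shape of the code quoted in the comment: |parent| is dereferenced
// unconditionally, so an anchor without a parent reads through a null pointer.
// Kept only for comparison; never call it on a parentless anchor.
bool candidateUnchecked(const Position& position) {
  const Node* anchorNode = position.anchorNode;
  if (isDisplayInsideTable(anchorNode) || editingIgnoresContent(*anchorNode)) {
    if (!position.atFirstEditingPositionForNode() &&
        !position.atLastEditingPositionForNode())
      return false;
    const Node* parent = parentOf(*anchorNode);  // may be nullptr
    return parent->layoutObject() && parent->layoutObject()->isSelectable();
  }
  return true;  // non-table path of the real function is not modelled
}

// Hardened form (an assumed fix, not the actual Blink patch): a parentless
// anchor is simply not a candidate, and the layout object is fetched once.
bool candidateChecked(const Position& position) {
  const Node* anchorNode = position.anchorNode;
  if (isDisplayInsideTable(anchorNode) || editingIgnoresContent(*anchorNode)) {
    if (!position.atFirstEditingPositionForNode() &&
        !position.atLastEditingPositionForNode())
      return false;
    const Node* parent = parentOf(*anchorNode);
    if (!parent)
      return false;
    const LayoutObject* layout = parent->layoutObject();
    return layout && layout->isSelectable();
  }
  return true;
}

// The triggering shape: a table-like anchor with no parent, positioned at its
// first editing position so the early "return false" does not fire.
bool detachedTableAnchorIsCandidate() {
  Node detached;
  detached.displayInsideTable = true;
  detached.layout = std::make_unique<LayoutObject>();
  Position p{&detached, /*atFirst=*/true, /*atLast=*/false};
  return candidateChecked(p);  // false, and no null dereference
}

// Same anchor under a selectable parent: both versions agree it is a candidate.
bool attachedTableAnchorIsCandidate() {
  Node root;
  root.layout = std::make_unique<LayoutObject>();
  Node child;
  child.parent = &root;
  child.displayInsideTable = true;
  child.layout = std::make_unique<LayoutObject>();
  Position p{&child, true, false};
  return candidateChecked(p) && candidateUnchecked(p);
}

// Parent exists but is not selectable: not a candidate in either version.
bool anchorUnderUnselectableParentIsCandidate() {
  Node root;
  root.layout = std::make_unique<LayoutObject>();
  root.layout->selectable = false;
  Node child;
  child.parent = &root;
  child.ignoresContent = true;
  Position p{&child, false, true};
  return candidateChecked(p) || candidateUnchecked(p);
}

int main() {
  return (!detachedTableAnchorIsCandidate() &&
          attachedTableAnchorIsCandidate() &&
          !anchorUnderUnselectableParentIsCandidate()) ? 0 : 1;
}
```

The report's crash address (0x000000000010) is what a member read at a small offset from a null object looks like, which matches parent being nullptr when parent->layoutObject() runs; when reviewing the fix range, the guard to look for is one that rejects a parentless anchor before that call.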
,
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455392.
Detailed report: https://clusterfuzz.com/testcase?key=5695524545232896
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::isVisuallyEquivalentCandidate
  blink::canonicalPositionOf
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal>
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=450347:450401
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=455091:455392
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv941WI5N-_vl7LB_X8yv2FSFdTMl_MauJHpvakD1GjXad_5CXsvr1GpAkckxbjY19rQYMq5la6mJtTNVfdZxVT8GKQotN476Lk1xqgeBPKEFnQQt2gD0vG-8RX45SIDZtn1yRM28emDsvIooFzDpS0vN-WRN8uQwig3m-Wlqd8uDoqMDUP7ccskxmxnaRLSswhDhxzCBg3w302HLe_PuiE2kGOmBQL1hvMgojpobn-cnlWawapr6-xgnqYaVCQG1gC-RYke3gBUUhiqO0cCdeRJvl0hY2qWr3Q2kBpPC-pFxLmLUdBn0uUCg0rUGc7awAB_bZlLeklhlS7DbdQ0TY4sa8kSVad7PAkNFMRZy4rVUh_a5kH0?testcase_id=5695524545232896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 9 2017
ClusterFuzz testcase 5695524545232896 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
|||
Comment 1 by dtapu...@chromium.org, Mar 7 2017