Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::LayoutBlock::dirtyForLayoutFromPercentageHeightDescendants |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4516158662508544 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0xcf72c320 Crash State: blink::LayoutBlock::dirtyForLayoutFromPercentageHeightDescendants blink::LayoutBlockFlow::layoutBlockChildren blink::LayoutBlockFlow::layoutChildren Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=456626:457732 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv945CM4iNTYmqZDf5hKBatxUQyhuURmrpaYogzzNBg0Xqom25qoIGLhDu8u_XwB7elFZxoFKMX9RvGOrHmWIDmEZBReEInJXUR72MEBZ--9L50PvkvQKIiBDAYEzKVLX-tOioJ_3fxTJX27KRk1t8WE25fFwM2q57Yfu4nQCI3u56I82CddwS_TNUSW70PIR8BMLlQzVBPIbtNUKrm5lGsWbNe5el2eLimF0ECIDjMA88ipA3raaZtmyPH7RvDGkw58e5HmfocyPXvd32tubQfKg4JwCsOzFDrPr8wRs6S6i7qJYeY_qR2cpaSyPL07Jq__b560avhRVW7g-JgJjYi--DZF7B15-KXBCqMntakORruasEKYmKYSpbISSqQ2z8a5qXfV9kyBSPS0R2iqujZnDEK4NaA?testcase_id=4516158662508544 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 21 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 21 2017
,
Mar 21 2017
eae: Could you help triage? The regression range is unfortunately large, and I've been through it twice and nothing jumps out as an immediate culprit. Clusterfuzz wasn't able to narrow the regression range, either.
,
Mar 21 2017
You've made some changes here recently rob, any idea what might be causing this?
,
Mar 23 2017
ClusterFuzz has detected this issue as fixed in range 458746:458879. Detailed report: https://clusterfuzz.com/testcase?key=4516158662508544 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0xcf72c320 Crash State: blink::LayoutBlock::dirtyForLayoutFromPercentageHeightDescendants blink::LayoutBlockFlow::layoutBlockChildren blink::LayoutBlockFlow::layoutChildren Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=456626:457732 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=458746:458879 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv945CM4iNTYmqZDf5hKBatxUQyhuURmrpaYogzzNBg0Xqom25qoIGLhDu8u_XwB7elFZxoFKMX9RvGOrHmWIDmEZBReEInJXUR72MEBZ--9L50PvkvQKIiBDAYEzKVLX-tOioJ_3fxTJX27KRk1t8WE25fFwM2q57Yfu4nQCI3u56I82CddwS_TNUSW70PIR8BMLlQzVBPIbtNUKrm5lGsWbNe5el2eLimF0ECIDjMA88ipA3raaZtmyPH7RvDGkw58e5HmfocyPXvd32tubQfKg4JwCsOzFDrPr8wRs6S6i7qJYeY_qR2cpaSyPL07Jq__b560avhRVW7g-JgJjYi--DZF7B15-KXBCqMntakORruasEKYmKYSpbISSqQ2z8a5qXfV9kyBSPS0R2iqujZnDEK4NaA?testcase_id=4516158662508544 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 23 2017
ClusterFuzz testcase 4516158662508544 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 23 2017
,
Apr 7 2017
,
Jun 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Mar 21 2017