Issue 717624 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 718386
Owner:	pdr@chromium.org
Closed:	May 2017
Cc:	f...@opera.com █ msrchandra@chromium.org
Components:	Blink>SVG
EstimatedDays:	----
NextAction:	----
OS:	Mac
Pri:	2
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz M-59 Test-Predator-Wrong BugSource-Chromium PaintTeamTriaged-20170503

Stack-overflow in blink::LayoutSVGViewportContainer::UpdateLayout

Project Member Reported by ClusterFuzz, May 2 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5108639995265024

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff55912e40
Crash State:
  blink::LayoutSVGViewportContainer::UpdateLayout
  blink::SVGLayoutSupport::LayoutChildren
  blink::LayoutSVGContainer::UpdateLayout
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=450668:450686

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5108639995265024


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by patricia...@chromium.org, May 3 2017

Components: Blink>SVG

Comment 2 by msrchandra@chromium.org, May 3 2017

Cc: msrchandra@chromium.org f...@opera.com
Labels: Test-Predator-Wrong M-59
Owner: pdr@chromium.org
Status: Assigned (was: Untriaged)

Predator and CL did not provide any possible suspects.
Using Code Search for the file, "LayoutSVGViewportContainer.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/81824be93544dd0936c78b5a24a30c07a818a8ea

@pdr -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 3 by schenney@chromium.org, May 3 2017

Labels: BugSource-Chromium PaintTeamTriaged-20170503

Comment 4 by schenney@chromium.org, May 3 2017

Labels: -Pri-1 Pri-2

Stack overflows are not P1.

Comment 5 by pdr@chromium.org, May 9 2017

Mergedinto: 718386
Status: Duplicate (was: Assigned)

This is a bunch of nested <svg> elements. Chris is pumped about 718386 so I'll mark as a dupe.

Project Member

Comment 6 by ClusterFuzz, May 12 2017

ClusterFuzz has detected this issue as fixed in range 471041:471079.

Detailed report: https://clusterfuzz.com/testcase?key=5108639995265024

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Stack-overflow
Crash Address: 0x7fff55912e40
Crash State:
  blink::LayoutSVGViewportContainer::UpdateLayout
  blink::SVGLayoutSupport::LayoutChildren
  blink::LayoutSVGContainer::UpdateLayout
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=450668:450686
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=471041:471079

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5108639995265024


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 717624 link

Issue metadata

Stack-overflow in blink::LayoutSVGViewportContainer::UpdateLayout

Issue description

Comment 1 by patricia...@chromium.org, May 3 2017

Comment 1 Deleted

Comment 2 by msrchandra@chromium.org, May 3 2017

Comment 2 Deleted

Comment 3 by schenney@chromium.org, May 3 2017

Comment 3 Deleted

Comment 4 by schenney@chromium.org, May 3 2017

Comment 4 Deleted

Comment 5 by pdr@chromium.org, May 9 2017

Comment 5 Deleted

Comment 6 by ClusterFuzz, May 12 2017

Comment 6 Deleted

Sign in to add a comment