Null-dereference READ in blink::DOMPatchSupport::CreateDigest
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6195894826565632

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::DOMPatchSupport::CreateDigest
  blink::DOMPatchSupport::PatchDocument
  blink::InspectorDOMAgent::setOuterHTML

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=383194:384380

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195894826565632

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 5 2017
This is a straightforward null deref: The repro is removing the document element from the document and then setting outerHTML. The inspector should check that documentElement is non-null when trying to patch it.
Jun 9 2017

Jun 27 2017

Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2d2989c3627609fe10338d462b9b7950a277de1b (Rename AtomicString::string() to AtomicString::getString().). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 6 2017

Oct 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/778c0bda37c2720351cf06ad8d74eb05d6051c24

commit 778c0bda37c2720351cf06ad8d74eb05d6051c24
Author: Andrey Lushnikov <lushnikov@chromium.org>
Date: Tue Oct 31 05:04:49 2017

DevTools: DOM.setOuterHTML should work for detached documents

This patch fixes two bugs with DOM.setOuterHTML protocol method:
1. The method didn't work when a document node was passed as an argument
2. The method didn't work when document's element was removed

BUG=724974
R=pfeldman

Change-Id: I4f5dd0d9151fd80328af422e9016f63a749b0cf3
Reviewed-on: https://chromium-review.googlesource.com/745325
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Andrey Lushnikov <lushnikov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512750}

[add] https://crrev.com/778c0bda37c2720351cf06ad8d74eb05d6051c24/third_party/WebKit/LayoutTests/inspector-protocol/dom/dom-setOuterHTML-detached-document-expected.txt
[add] https://crrev.com/778c0bda37c2720351cf06ad8d74eb05d6051c24/third_party/WebKit/LayoutTests/inspector-protocol/dom/dom-setOuterHTML-detached-document.js
[modify] https://crrev.com/778c0bda37c2720351cf06ad8d74eb05d6051c24/third_party/WebKit/Source/core/inspector/DOMEditor.cpp
Oct 31 2017

Nov 7 2017
ClusterFuzz testcase 6195894826565632 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Nov 7 2017

Nov 7 2017
Comment 1 by shrike@chromium.org, Jun 2 2017