New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 726209 link

Starred by 1 user
Status: Fixed
Owner:
aleventhal@chromium.org
Closed: May 2017
Cc:
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug
Team-Accessibility



Sign in to add a comment

Null-dereference READ in blink::AXNodeObject::NativeAccessibilityRoleIgnoringAria

Project Member Reported by ClusterFuzz, May 25 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6290127533113344

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000140
Crash State:
  blink::AXNodeObject::NativeAccessibilityRoleIgnoringAria
  blink::AXNodeObject::DetermineAccessibilityRole
  blink::AXNodeObject::Init
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=474287:474307

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6290127533113344


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by ClusterFuzz, May 25 2017

Labels: OS-Windows

Comment 2 by msrchandra@chromium.org, May 25 2017

Cc: msrchandra@chromium.org
Components: UI>Accessibility
Labels: M-60 Test-Predator-Correct-CLs
Owner: aleventhal@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: aleventhal
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5730ebb5038385964944377c1256244068b134d1
Time: Wed May 24 15:51:21 2017
Lines 546 of file AXNodeObject.cpp which potentially caused crash are changed in this cl (frame #1, "blink::AXNodeObject::NativeAccessibilityRoleIgnoringAria").
Minimum distance from crash line to modified line: 0. (file: AXNodeObject.cpp, crashed on: 543, modified: 543).

@aleventhal -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Project Member

Comment 3 by bugdroid1@chromium.org, May 25 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f03309fde80e0cf33cb99519d2716cb5160aac6

commit 7f03309fde80e0cf33cb99519d2716cb5160aac6
Author: aleventhal <aleventhal@chromium.org>
Date: Thu May 25 17:43:43 2017

Fix null ptr exception

BUG= 726209 

Review-Url: https://codereview.chromium.org/2905053002
Cr-Commit-Position: refs/heads/master@{#474692}

[modify] https://crrev.com/7f03309fde80e0cf33cb99519d2716cb5160aac6/third_party/WebKit/Source/modules/accessibility/AXNodeObject.cpp

Comment 4 by aleventhal@chromium.org, May 25 2017

Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, May 26 2017 

ClusterFuzz has detected this issue as fixed in range 474686:474713.

Detailed report: https://clusterfuzz.com/testcase?key=6290127533113344

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000140
Crash State:
  blink::AXNodeObject::NativeAccessibilityRoleIgnoringAria
  blink::AXNodeObject::DetermineAccessibilityRole
  blink::AXNodeObject::Init
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=474287:474307
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=474686:474713

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6290127533113344


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment