Null-dereference READ in blink::LayoutObject::GetUncachedSelectionStyle |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6697185608728576
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000041
Crash State:
  blink::LayoutObject::GetUncachedSelectionStyle
  blink::LayoutObject::SelectionColor
  blink::TextPainter::SelectionPaintingStyle
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6697185608728576

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2017
wkorman@, could you look at this clusterfuzz failure in selection painting?
Jun 12 2017
I am focusing on debugging an animation issue and am OOO soon. Passing to chrishtr@ to route.
Jul 5 2017
Jul 19 2017
I can reproduce.
Jul 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/42ffe285614d4075001600885c577037ac9e64eb

commit 42ffe285614d4075001600885c577037ac9e64eb
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Fri Jul 21 16:23:39 2017

Fix selection painting crash.

Bug: 726980
Change-Id: I9b537749a96a617617fdddf98f71cafba4bf2833
Reviewed-on: https://chromium-review.googlesource.com/578462
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Walter Korman <wkorman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#488674}

[add] https://crrev.com/42ffe285614d4075001600885c577037ac9e64eb/third_party/WebKit/LayoutTests/paint/input/textarea-crash-expected.txt
[add] https://crrev.com/42ffe285614d4075001600885c577037ac9e64eb/third_party/WebKit/LayoutTests/paint/input/textarea-crash.html
[modify] https://crrev.com/42ffe285614d4075001600885c577037ac9e64eb/third_party/WebKit/Source/core/layout/LayoutObject.cpp
Jul 21 2017
Comment 1 by dtapu...@chromium.org, Jun 9 2017