
Issue 726992

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Last visit 16 days ago
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows
Pri: 3
Type: Bug




FontSizeDelta crashes with unusual HTML

Project Member Reported by ClusterFuzz, May 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5024537304629248

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::ApplyStyleCommand::ApplyRelativeFontStyleChange
  blink::ApplyStyleCommand::DoApply
  blink::CompositeEditCommand::Apply
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=338684:338816

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5024537304629248


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 27 2017

Labels: OS-Windows
Project Member

Comment 2 by ClusterFuzz, Aug 13 2017

Labels: OS-Android
Components: Blink>Editing

Comment 4 by yosin@chromium.org, Aug 23 2017

Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
Summary: FontSizeDelta crashes with unusual HTML (was: Null-dereference READ in blink::ApplyStyleCommand::ApplyRelativeFontStyleChange)
Lower to Pri-3 since real world usage of FontSizeDelta command is low.
Components: Blink>Editing>Command
Owner: tanvir.r...@samsung.com
Project Member

Comment 7 by bugdroid1@chromium.org, Mar 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8650eda37c9394b975b0ed0c7490ee682ea4e457

commit 8650eda37c9394b975b0ed0c7490ee682ea4e457
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Thu Mar 29 02:42:30 2018

Process next node beforehand while removing unstyled span.

FontSizeDelta command crashes if the
element after text is a span element.

This happens because ApplyStyleCommand tries
to surround the text node with a style span,
since the next node is a span element,
code tries to wrap it in a single node as both
being identical (span elements), making
the other child of the first node and deleting.
Hence the NodeTraversal::Next(*node) gives a
NULL node.
We should not DCHECK as this is possible and
instead break out of the loop.

Bug: 726992
Change-Id: I83537518e2080c051be10ed7a6be628d3260b1a7
Reviewed-on: https://chromium-review.googlesource.com/973103
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546708}
[modify] https://crrev.com/8650eda37c9394b975b0ed0c7490ee682ea4e457/third_party/WebKit/Source/core/editing/commands/ApplyStyleCommand.cpp
[modify] https://crrev.com/8650eda37c9394b975b0ed0c7490ee682ea4e457/third_party/WebKit/Source/core/editing/commands/ApplyStyleCommandTest.cpp
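The failure mode the commit above describes, as an added example that is not Blink's code: a constructed sibling-list model (the names `Node`, `WrapTextAndMergeSpans` and `StyleRun` are hypothetical) in which wrapping a text node in a style span and folding it into the identical span that follows removes the node the loop expected to visit next, so the traversal has to take "no successor" as the normal end of the run rather than asserting that one exists.

```cpp
#include <cassert>
#include <string>
#include <utility>
#include <vector>

// A flat sibling list stands in for the DOM run that ApplyStyleCommand walks.
struct Node {
    std::string tag;  // "#text" or an element name such as "span"
    Node* next;       // next sibling; nullptr at the end of the run
    explicit Node(std::string t, Node* n = nullptr) : tag(std::move(t)), next(n) {}
};

// Wrap a text node in a style span, then fold it together with an identical
// span that immediately follows it. The following span is unlinked from the
// sibling list (in the real DOM it becomes a child of the wrapper), so the
// node that looked like "next" a moment ago is gone at this level.
// Returns true when a following sibling was absorbed.
static bool WrapTextAndMergeSpans(Node* node) {
    if (node->tag != "#text") return false;
    node->tag = "span";  // the text node is now represented by its wrapper
    Node* following = node->next;
    if (!following || following->tag != "span") return false;
    node->next = following->next;
    following->next = nullptr;
    return true;
}

// Safe traversal: pick the successor before mutating, re-read it when the
// mutation absorbed that successor, and stop when nothing is left.
// Returns the tags of the nodes visited, in order.
static std::vector<std::string> StyleRun(Node* start) {
    std::vector<std::string> visited;
    for (Node* node = start; node;) {
        visited.push_back(node->tag);
        Node* next = node->next;          // taken before the mutation
        if (WrapTextAndMergeSpans(node))  // `next` was just absorbed...
            next = node->next;            // ...so move on to its old successor
        if (!next) break;                 // possible, so no DCHECK here
        node = next;
    }
    return visited;
}

// Constructed input mirroring the crashing layout: a text node followed by
// a span element, with nothing after the span.
static std::vector<std::string> TextThenSpan() {
    Node span("span");
    Node text("#text", &span);
    return StyleRun(&text);  // returns {"#text"}
}
```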

Project Member

Comment 8 by ClusterFuzz, Apr 11 2018

Status: WontFix (was: Available)
ClusterFuzz testcase 5024537304629248 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
