Issue 726999 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	kojii@chromium.org
Closed:	Jun 2017
Components:	Blink>Layout
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz

Null-dereference READ in blink::RootInlineBox::AscentAndDescentForBox

Project Member Reported by ClusterFuzz, May 27 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5334300814999552

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000030
Crash State:
  blink::RootInlineBox::AscentAndDescentForBox
  blink::InlineFlowBox::ComputeLogicalBoxHeights
  blink::RootInlineBox::AlignBoxesInBlockDirection
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=475215:475230

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5334300814999552


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by dtapu...@chromium.org, Jun 9 2017

Components: Blink>Layout

Comment 2 by e...@chromium.org, Jun 16 2017

Owner: kojii@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by e...@chromium.org, Jun 27 2017

Status: WontFix (was: Assigned)

No longer reproducible either manually, using clusterfuzz reproduce or by clusterfuzz itself. We now have an early abort if root_box is null.

Closing.

►

Issue 726999 link

Issue metadata

Null-dereference READ in blink::RootInlineBox::AscentAndDescentForBox

Issue description

Comment 1 by dtapu...@chromium.org, Jun 9 2017

Comment 1 Deleted

Comment 2 by e...@chromium.org, Jun 16 2017

Comment 2 Deleted

Comment 3 by e...@chromium.org, Jun 27 2017

Comment 3 Deleted

Sign in to add a comment