New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 727335 link

Starred by 1 user
Status: WontFix
Owner:
nainar@chromium.org
Not on Chrome anymore
Closed: Sep 2017
Cc:
nainar@chromium.org
msrchandra@chromium.org
ranjitkan@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::Node::GetLayoutBox

Project Member Reported by ClusterFuzz, May 29 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5166608866869248

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::GetLayoutBox
  blink::LayoutSlider::UpdateLayout
  blink::LocalFrameView::PerformLayout
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=373065:373191

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5166608866869248


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ranjitkan@chromium.org, May 31 2017

Cc: ranjitkan@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: nainar@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: nainar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2f631c11f8e8f80c2373a6da4e4c24f7337ea55e
Time: Fri Apr 14 00:23:19 2017
The CL last changed line 626 of file Node.h, which is stack frame 2. 

@nainar - Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by ranjitkan@chromium.org, May 31 2017

Labels: M-61

Comment 3 by dtapu...@chromium.org, Jun 9 2017

Components: Blink>Layout

Comment 4 by e...@chromium.org, Jun 19 2017

Labels: -Pri-1 Pri-2
Not a security issue and no reports in the wild, adjusting priority.

Comment 5 by nainar@chromium.org, Jul 14 2017

Cc: msrchandra@chromium.org nainar@chromium.org
 Issue 727042  has been merged into this issue.
Project Member

Comment 6 by ClusterFuzz, Jul 14 2017

Labels: OS-Mac
Project Member

Comment 7 by ClusterFuzz, Jul 16 2017

Labels: OS-Windows
Project Member

Comment 8 by ClusterFuzz, Sep 11 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5166608866869248 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by ClusterFuzz, Sep 18 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6435193677414400 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment