New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 728198 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Aug 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug



Sign in to add a comment

InsertHorizontalRule crashes with OBJECT tag

Project Member Reported by ClusterFuzz, May 31 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6329901950173184

Fuzzer: bj_broddelwerk
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000010
Crash State:
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks
  blink::DeleteSelectionCommand::DoApply
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6329901950173184


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Labels: M-61 Test-Predator-Correct-CLs
Owner: rlanday@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: rlanday
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d6ef615a1a2154d3435b9a09afcd8f6cd929f275
Time: Thu Apr 13 01:48:25 2017
Files CompositeEditCommand.cpp, DeleteSelectionCommand.cpp are changed in this cl (and is part of stack frame #3, "blink::CompositeEditCommand::ApplyCommandToComposite"; frame #4, "blink::CompositeEditCommand::DeleteSelection"; frame #6, "blink::CompositeEditCommand::Apply")
Minimum distance from crash line to modified line: 62. (file: CompositeEditCommand.cpp, crashed on: 608, modified: 546).

@rlanday: Assigning to you, kindly take a look into it. Please help us to find an owner if not with respect to your change.

Thanks.!
Cc: rlanday@chromium.org
Owner: yosin@chromium.org
I don't think this is related to my change and I'm not familiar with the code in question...passing to yosin@.

It looks like DeleteSelectionCommand::RemoveRedundantBlocks() is getting a nullptr from ending_position_.ComputeContainerNode() and crashing when it tries to dereference the result:
https://chromium.googlesource.com/chromium/src/+/e058730765c6e22261750811bd6587ea4ec1ac37/third_party/WebKit/Source/core/editing/commands/DeleteSelectionCommand.cpp#1038

Comment 3 by yosin@chromium.org, Jun 5 2017

Labels: -Pri-1 Pri-3
Owner: ----
Status: Available (was: Assigned)
Summary: InsertHorizontalRule crashes with OBJECT tag (was: Null-dereference READ in blink::RootEditableElement)
Lowe to Pri-3, since real world usage of InsertHorizontalRule with OBJECT are
very low.
Project Member

Comment 4 by ClusterFuzz, Jul 25 2017

Labels: OS-Linux
Project Member

Comment 5 by ClusterFuzz, Jul 27 2017

Labels: OS-Mac
Project Member

Comment 6 by ClusterFuzz, Aug 21 2017

ClusterFuzz has detected this issue as fixed in range 495551:495853.

Detailed report: https://clusterfuzz.com/testcase?key=6329901950173184

Fuzzer: bj_broddelwerk
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000010
Crash State:
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks
  blink::DeleteSelectionCommand::DoApply
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=495551:495853

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6329901950173184

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Aug 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6329901950173184 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment