Heap-use-after-free in blink::LayoutText::SetText |
|||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5075256523096064 Fuzzer: inferno_twister Job Type: linux_msan_content_shell_drt Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: blink::LayoutText::SetText blink::LayoutTextFragment::SetTextFragment blink::FirstLetterPseudoElement::DetachLayoutTree Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=474583:474657 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5075256523096064 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 4 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 4 2017
,
Jun 5 2017
,
Jun 5 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5435657110683648
,
Jun 6 2017
,
Jun 6 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6645803740561408
,
Jun 6 2017
,
Jun 6 2017
Detailed report: https://clusterfuzz.com/testcase?key=6645803740561408 Job Type: linux_asan_content_shell_drt Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61100035f660 Crash State: blink::LayoutText::SetText blink::LayoutTextFragment::SetTextFragment blink::FirstLetterPseudoElement::DetachLayoutTree Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=474149:474177 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6645803740561408 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.
,
Jun 6 2017
,
Jun 6 2017
Actually a use-after-free. Updating severity.
,
Jun 6 2017
,
Jun 9 2017
ClusterFuzz has detected this issue as fixed in range 477959:477971. Detailed report: https://clusterfuzz.com/testcase?key=5075256523096064 Fuzzer: inferno_twister Job Type: linux_msan_content_shell_drt Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: blink::LayoutText::SetText blink::LayoutTextFragment::SetTextFragment blink::FirstLetterPseudoElement::DetachLayoutTree Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=474583:474657 Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=477959:477971 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5075256523096064 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 10 2017
Closing per comment #13.
,
Jul 14 2017
ClusterFuzz testcase 6645803740561408 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
,
Sep 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 4 2017