
Issue 732037 link


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




TextInputController::SetMarkedText() should throw an exception for invalid parameters

Reported by ClusterFuzz (Project Member), Jun 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4561177744244736

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  start <= end (#text "NUMBER"@offsetInAnchor[1] vs. #text "NUMBER"@offsetInAnchor
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
  blink::DocumentMarkerController::AddMarkerInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=475812:475824

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561177744244736


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: M-61 Test-Predator-Correct-CLs
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/984f4b2c4df57ae840917a1d79f95a54e68e2c7b
Time: Wed May 31 06:00:29 2017
File TextIterator.cpp is changed in this cl (and is part of stack frame #2, "blink::TextIteratorAlgorithm >::TextIteratorAlgorithm")
Minimum distance from crash line to modified line: 26. (file: TextIterator.cpp, crashed on: 201, modified: 175).

@yosin -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Components: Blink>Editing

Comment 3 by yosin@chromium.org, Jun 13 2017

Owner: ----
Status: Available (was: Assigned)
Summary: TextInputController::SetMarkedText() should throw an exception for invalid parameters (was: CHECK failure: start <= end (#text "NUMBER"@offsetInAnchor[1] vs. #text "NUMBER"@offsetInAnchor)
TextInputController#setMarkedText() takes uint32_t for start and end offsets;
we should make TextInputController#setMarkedText() throw an exception for
invalid start/end offsets.

TextInputController::SetMarkedText(const std::string& text,
                                        int start,
                                        int length);

The issue is caused by following statement:
textInputController.setMarkedText('4294967295', -1, -1073741824);

where static_cast<uint32_t>(-1) > static_cast<uint32_t>(-1 + -1073741824);
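As an added illustration (not code from this issue or from Chromium), the unsigned conversion behind the reported CHECK failure, side by side with the kind of parameter check the comment asks for; UncheckedStartLeqEnd and MarkedTextEnd are hypothetical helper names, and the text argument is the constructed string from the reproducer.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Mirrors what happens when negative start/length reach code that works in
// uint32_t: -1 becomes 4294967295 and the CHECK(start <= end) in the
// TextIterator constructor fails. Unsigned addition wraps, so this is
// well-defined and reproduces the comparison from the crashing call.
bool UncheckedStartLeqEnd(int start, int length) {
  const std::uint32_t ustart = static_cast<std::uint32_t>(start);
  const std::uint32_t uend = ustart + static_cast<std::uint32_t>(length);
  return ustart <= uend;
}

// Hypothetical validation to run *before* any conversion to unsigned offsets.
// Returns the end offset of [start, start + length) inside `text`, or -1 when
// the parameters are invalid and the caller should throw instead.
std::int64_t MarkedTextEnd(const std::string& text, int start, int length) {
  // Reject negative values while they are still signed; casting first would
  // hide them behind huge unsigned numbers.
  if (start < 0 || length < 0)
    return -1;
  // Guard the addition itself: start + length must not overflow int.
  if (length > std::numeric_limits<int>::max() - start)
    return -1;
  const std::int64_t end = static_cast<std::int64_t>(start) + length;
  // The range must lie within the marked text.
  if (end > static_cast<std::int64_t>(text.size()))
    return -1;
  return end;
}
```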

Comment 4 by yosin@chromium.org, Jun 14 2017

Labels: -Pri-1 Pri-3
Lowering to Pri-3, since this is caused by an internal test method instead of a real-world
application.

Comment 5 by ClusterFuzz, Oct 1 2017

Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 6 by ClusterFuzz, Oct 4 2017

Labels: Test-Predator-AutoOwner
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/984f4b2c4df57ae840917a1d79f95a54e68e2c7b (Make TextIterator constructor to take only proper range).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Owner: ----
Status: Available (was: Assigned)
Sorry for the reassignment. We just enabled this, but we should be ensuring that we don't assign to someone that's already removed themself as owner. Will fix on the ClusterFuzz side.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner

Comment 10 by sheriffbot@chromium.org, Nov 8

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CF-NeedsTriage
Unable to access the detailed report, hence adding CF-NeedsTriage label
Status: Available (was: Untriaged)
