Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::LayoutText::SetText |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4583026007998464 Fuzzer: bj_broddelwerk Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e00008bf80 Crash State: blink::LayoutText::SetText blink::LayoutText::SetTextWithOffset blink::Text::UpdateTextLayoutObject Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=474583:474657 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4583026007998464 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 12 2017
,
Jun 12 2017
,
Jun 13 2017
aboxhall, could you please take a look? Might be related to https://codereview.chromium.org/2088453002
,
Jun 21 2017
ClusterFuzz has detected this issue as fixed in range 480776:480824. Detailed report: https://clusterfuzz.com/testcase?key=4583026007998464 Fuzzer: bj_broddelwerk Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e00008bf80 Crash State: blink::LayoutText::SetText blink::LayoutText::SetTextWithOffset blink::Text::UpdateTextLayoutObject Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=474583:474657 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=480776:480824 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4583026007998464 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 21 2017
ClusterFuzz testcase 4583026007998464 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 21 2017
,
Jun 23 2017
,
Jun 23 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 23 2017
Approving merge to M60.
,
Jun 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/303e0e83015674dec5bf2fc1a5eafe2871e867ee commit 303e0e83015674dec5bf2fc1a5eafe2871e867ee Author: Takayoshi Kochi <kochi@chromium.org> Date: Mon Jun 26 04:55:46 2017 Only call TextChanged on existing AXObjects. This avoids triggering the code which calls UpdateDistribution as part of creating a new AXObject, which was causing issues. This change should cause no behaviour changes, as in cases where an AXObject needs to be created for a text node, its parent will also have a ChildrenChanged notification fired on it, which will cause the appropriate updates to fire. Reverts https://codereview.chromium.org/2926713002/ as the code which causes UpdateDistribution to be called should never run with this change, so we don't need to check whether distribution is dirty any more. BUG= 729229 , 732200 , 734348 Review-Url: https://codereview.chromium.org/2939933002 Cr-Original-Commit-Position: refs/heads/master@{#480792} Review-Url: https://codereview.chromium.org/2957733002 . Cr-Commit-Position: refs/branch-heads/3112@{#464} Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897} [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/content/test/data/accessibility/event/menulist-collapse-expected-win.txt [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/accessibility/contenteditable-notifications.html [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/accessibility/presentation-owned-elements.html [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/resources/accessibility-helper.js [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/core/layout/LayoutMenuList.cpp [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuList.cpp [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuListPopup.cpp [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuListPopup.h [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXObjectCacheImpl.cpp [modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXObjectCacheImpl.h
,
Jul 6 2017
,
Sep 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 12 2017