Crash in blink::CSSTokenizer::CSSTokenizer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4998937252724736
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x362d82c0
Crash State:
  blink::CSSTokenizer::CSSTokenizer
  blink::CSSParserImpl::ParseStyleSheet
  blink::CSSParser::ParseSheet
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4998937252724736

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Jun 15 2017
Jun 15 2017
Jun 17 2017
Another CSS bug with nothing suspicious in the regression range... alancutter, could you help triage please?
Jun 18 2017
Jun 19 2017
"[4016:3852:0614/212611.322:FATAL:PartitionAllocator.h(37)] Check failed: count <= MaxElementCountInBackingStore<T>() (90352298 vs. 89478314)" Judging by the test case and the error, this looks like a simple OOM. Memory team, can you confirm this?
Jun 19 2017
Yes this looks like the CSS is just too long.
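The CHECK quoted above is a capacity guard: before a backing store grows, the requested element count is compared against the largest count whose byte size fits under a fixed cap, so an oversized input ends in a deliberate abort rather than an allocation whose size has wrapped around. The following is an added example, not Blink's or PartitionAlloc's code; the byte cap, the CheckedBuffer class and the helper names are constructed for illustration, with the comparison written to mirror the one in the log line.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical per-backing-store byte cap (constructed value; Blink's real
// limit in PartitionAllocator.h is not reproduced here).
constexpr size_t kMaxBackingStoreBytes = size_t{1} << 30;  // 1 GiB

// Largest element count whose byte size stays under the cap. Because the
// cap is divided by sizeof(T), count * sizeof(T) cannot wrap around
// size_t for any count this function admits.
template <typename T>
constexpr size_t MaxElementCountInBackingStore() {
  return kMaxBackingStoreBytes / sizeof(T);
}

// The comparison the CHECK in the report performs.
template <typename T>
constexpr bool CountIsAllowed(size_t count) {
  return count <= MaxElementCountInBackingStore<T>();
}

// What an unguarded allocator would compute: the product silently wraps
// for large counts, so the allocation would be far smaller than requested.
template <typename T>
constexpr size_t NaiveByteSize(size_t count) {
  return count * sizeof(T);
}

// Minimal growable buffer that applies the guard on every capacity change
// and reports refusal to the caller instead of trusting the multiplication.
template <typename T>
class CheckedBuffer {
 public:
  // Returns false, leaving the buffer untouched, for a count over the cap.
  bool Reserve(size_t count) {
    if (!CountIsAllowed<T>(count)) return false;
    if (count > storage_.capacity()) storage_.reserve(count);
    return true;
  }

  // Growth by one element goes through the same check.
  bool PushBack(const T& value) {
    if (!CountIsAllowed<T>(storage_.size() + 1)) return false;
    storage_.push_back(value);
    return true;
  }

  size_t size() const { return storage_.size(); }

 private:
  std::vector<T> storage_;
};

// True when a reserve request for `count` elements is refused by the guard.
template <typename T>
bool ReserveIsRefused(size_t count) {
  CheckedBuffer<T> buf;
  return !buf.Reserve(count);
}

// Pushes n constructed values and returns how many the buffer holds.
size_t FillCount(size_t n) {
  CheckedBuffer<uint32_t> buf;
  for (size_t i = 0; i < n; ++i) {
    if (!buf.PushBack(static_cast<uint32_t>(i))) break;
  }
  return buf.size();
}

int main() {
  const size_t huge = std::numeric_limits<size_t>::max();
  std::printf("max uint32_t elements under cap: %zu\n",
              MaxElementCountInBackingStore<uint32_t>());
  std::printf("naive byte size for SIZE_MAX elements: %zu (wrapped)\n",
              NaiveByteSize<uint32_t>(huge));
  std::printf("guarded reserve refused: %s\n",
              ReserveIsRefused<uint32_t>(huge) ? "yes" : "no");
  return 0;
}
```

The guard turns an input that is merely too large into a refused request (or, in Blink's case, an explicit CHECK abort) rather than an undersized allocation that a later write would overrun; that distinction is why the comments above can classify the report as an out-of-memory condition rather than a memory-safety bug.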
Jun 20 2017
Jun 20 2017
Jul 14 2017
ClusterFuzz testcase 4998937252724736 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Sep 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot