Issue 733576

Issue metadata

Status: WontFix
Closed: Jun 2017
OS: Linux, Windows, Mac
Pri: 1
Type: Bug-Security


Crash in blink::CSSTokenizer::CSSTokenizer

Reported by ClusterFuzz (Project Member), Jun 15 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4998937252724736

Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x362d82c0
Crash State:
  blink::CSSTokenizer::CSSTokenizer
  blink::CSSParserImpl::ParseStyleSheet
  blink::CSSParser::ParseSheet
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4998937252724736


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org (Project Member), Jun 15 2017

Labels: M-60
Comment 2 by sheriffbot@chromium.org (Project Member), Jun 15 2017

Labels: Pri-1
Components: Blink>CSS

Comment 4 by est...@chromium.org, Jun 17 2017

Cc: tkent@chromium.org wangxianzhu@chromium.org
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)
Another CSS bug with nothing suspicious in the regression range... alancutter, could you help triage please?

Comment 5 by tkent@chromium.org, Jun 18 2017

Cc: -tkent@chromium.org
Components: -Blink>CSS Blink>MemoryAllocator>Partition
Owner: keishi@chromium.org
"[4016:3852:0614/212611.322:FATAL:PartitionAllocator.h(37)] Check failed: count <= MaxElementCountInBackingStore<T>() (90352298 vs. 89478314)"

Judging by the test case and the error this looks like a simple OOM.
Memory team can you confirm this?

Comment 7 by keishi@chromium.org, Jun 19 2017

Status: WontFix (was: Assigned)
Yes, this looks like the CSS is just too long.

Comment 8 by ClusterFuzz (Project Member), Jun 20 2017

Labels: OS-Linux
Comment 9 by ClusterFuzz (Project Member), Jun 20 2017

Labels: OS-Mac
Comment 10 by ClusterFuzz (Project Member), Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 4998937252724736 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 11 by sheriffbot@chromium.org (Project Member), Sep 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot