Null-dereference READ in blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6094501159632896 Fuzzer: inferno_layout_test_unmodified Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x00000025 Crash State: blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition blink::RootInlineBox::ClosestLeafChildForPoint blink::NextLinePosition Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=387407:387538 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6094501159632896 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 22 2017
Predator and CL could not provide any possible suspects. Using Code Search for the file, "RootInlineBox.cpp" assigning to the concern owner. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/12d918f97bd71b6e0d6e70ee480d000f769da669 @yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
,
Jun 23 2017
Reproduced on Version 61.0.3138.0 (Official Build) canary (64-bit) but the case html is dirty and issue is not security, P3.
,
Aug 16 2017
,
Sep 28 2017
ClusterFuzz testcase 6094501159632896 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ClusterFuzz
, Jun 22 2017