Null-dereference WRITE in blink::LocalFrame::SetIsInert
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5314018360426496
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x00000028
Crash State:
  blink::LocalFrame::SetIsInert
  blink::HTMLElement::ParseAttribute
  blink::Element::AttributeChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=481759:481792
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5314018360426496

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c4570da4971280f5e012ced0a9d13167751035d1

commit c4570da4971280f5e012ced0a9d13167751035d1
Author: kenrb <kenrb@chromium.org>
Date: Wed Jun 28 15:39:32 2017

Account for null Document Frame when parsing inert attribute

The SetIsInert method was added to Frame objects in r481761, which is called when an inert attribute is parsed on an element within that frame. This CL removes the assumption that the current Document has a valid Frame pointer, because that is sometimes false, such as in a <template>.

BUG= 736608
Review-Url: https://codereview.chromium.org/2961643002
Cr-Commit-Position: refs/heads/master@{#482999}

[add] https://crrev.com/c4570da4971280f5e012ced0a9d13167751035d1/third_party/WebKit/LayoutTests/fast/html/crash-template-with-inert-attribute-expected.txt
[add] https://crrev.com/c4570da4971280f5e012ced0a9d13167751035d1/third_party/WebKit/LayoutTests/fast/html/crash-template-with-inert-attribute.html
[modify] https://crrev.com/c4570da4971280f5e012ced0a9d13167751035d1/third_party/WebKit/Source/core/html/HTMLElement.cpp
Jun 29 2017
ClusterFuzz has detected this issue as fixed in range 482992:483013.

Detailed report: https://clusterfuzz.com/testcase?key=5314018360426496
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x00000028
Crash State:
  blink::LocalFrame::SetIsInert
  blink::HTMLElement::ParseAttribute
  blink::Element::AttributeChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=481759:481792
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=482992:483013
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5314018360426496

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2017
ClusterFuzz testcase 5314018360426496 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by tkent@chromium.org, Jun 25 2017
Owner: kenrb@chromium.org
Status: Assigned (was: Untriaged)