Null-dereference READ in blink::LocalFrame::GetInterfaceProvider
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4848851357007872
Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x0000002c
Crash State:
  blink::LocalFrame::GetInterfaceProvider
  blink::ImageCapture::ImageCapture
  blink::ImageCapture::Create
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=486641:486689
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4848851357007872

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 28 2017
It's likely the ImageCapture code that's most relevant here, assigning to one of the ImageCapture OWNERS.
Jul 28 2017
Thanks. It is most likely that GetFrame() is returning nullptr here, which means that the frame has been detached. I will look into whether this code is reachable in this state and what checks we need to add to ensure that we don't try to call GetInterfaceProvider() in this case.
Jul 28 2017
It appears that CanvasCaptureMediaStreamTrack::CanvasCaptureMediaStreamTrack constructs a MediaStreamTrack (and in turn an ImageCapture) based on the ExecutionContext of the HTMLCanvasElement, which may be from a detached frame, so I will resolve this issue by adding the necessary checks before attempting to use the frame.
Jul 29 2017
Basic fix out for review: https://chromium-review.googlesource.com/c/592649/
Aug 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/88d43ade0a4fc555a46be1794abfafd8f4aec919

commit 88d43ade0a4fc555a46be1794abfafd8f4aec919
Author: Reilly Grant <reillyg@chromium.org>
Date: Wed Aug 02 02:32:12 2017

Check for detached frame when creating ImageCapture

An ImageCapture object may be created from an HTMLElement that is part of a context that has already been destroyed. Check to see if the frame has been detached before trying to access the interface provider.

Bug: 749499
Change-Id: I25838392413b218212fe2cb16a119d4379bea659
Reviewed-on: https://chromium-review.googlesource.com/592649
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491233}

[add] https://crrev.com/88d43ade0a4fc555a46be1794abfafd8f4aec919/third_party/WebKit/LayoutTests/imagecapture/detached-HTMLCanvasElement.html
[modify] https://crrev.com/88d43ade0a4fc555a46be1794abfafd8f4aec919/third_party/WebKit/Source/modules/imagecapture/ImageCapture.cpp
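The guard that the comments above and the commit message describe (GetFrame() returns nullptr for a detached frame, so the frame must be checked before its interface provider is touched), shown as an added illustration on a constructed model. This is not the Blink code or the committed patch: LocalFrame, ExecutionContext, InterfaceProvider and ImageCapture below are stand-in types written for this example.

```cpp
#include <memory>

// Constructed model, not Blink code. A LocalFrame owns the interface
// provider; an ExecutionContext (a Document in Blink) hands out its frame
// via GetFrame(), which returns nullptr once the frame has been detached.
struct InterfaceProvider {};

struct LocalFrame {
  InterfaceProvider provider;
  InterfaceProvider* GetInterfaceProvider() { return &provider; }
};

class ExecutionContext {
 public:
  explicit ExecutionContext(LocalFrame* frame) : frame_(frame) {}
  LocalFrame* GetFrame() const { return frame_; }
  void Detach() { frame_ = nullptr; }  // frame detachment as seen by the context
 private:
  LocalFrame* frame_;
};

// Same shape as the fix: never touch the frame's interface provider when
// the context has no frame any more. The service pointer stays unbound and
// later calls must check IsServiceBound() before using it.
class ImageCapture {
 public:
  static std::unique_ptr<ImageCapture> Create(ExecutionContext* context) {
    return std::unique_ptr<ImageCapture>(new ImageCapture(context));
  }
  bool IsServiceBound() const { return service_ != nullptr; }
 private:
  explicit ImageCapture(ExecutionContext* context) {
    LocalFrame* frame = context->GetFrame();
    if (!frame)  // detached: unguarded code called GetInterfaceProvider() on nullptr here
      return;
    service_ = frame->GetInterfaceProvider();
  }
  InterfaceProvider* service_ = nullptr;
};

// Builds an ImageCapture from an attached or an already detached context and
// reports whether the service was bound (true only for the attached case).
bool CreateAndCheckBound(bool detach_first) {
  LocalFrame frame;
  ExecutionContext context(&frame);
  if (detach_first)
    context.Detach();
  return ImageCapture::Create(&context)->IsServiceBound();
}
```

The same lifetime rule applies to every object that caches a frame-derived pointer at construction: the layout test the commit adds (detached-HTMLCanvasElement.html) exercises exactly the detached case.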
Aug 2 2017
ClusterFuzz has detected this issue as fixed in range 491211:491244.

Detailed report: https://clusterfuzz.com/testcase?key=4848851357007872
Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x0000002c
Crash State:
  blink::LocalFrame::GetInterfaceProvider
  blink::ImageCapture::ImageCapture
  blink::ImageCapture::Create
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=486641:486689
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=491211:491244
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4848851357007872

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 2 2017
ClusterFuzz testcase 4848851357007872 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Jul 28 2017
Labels: M-62 Test-Predator-Wrong
Owner: rbyers@chromium.org
Status: Assigned (was: Untriaged)