Heap-use-after-free in blink::InlineFlowBox::RemoveChild |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5728842106011648 Fuzzer: marty_html_twiddler Job Type: mac_asan_chrome Platform Id: mac Crash Type: Heap-use-after-free READ 4 Crash Address: 0x6110003ac47c Crash State: blink::InlineFlowBox::RemoveChild blink::LayoutBox::DeleteLineBoxWrapper blink::LayoutObjectChildList::RemoveChildNode Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=490630:490719 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5728842106011648 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 2 2017
,
Aug 2 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 2 2017
,
Aug 3 2017
,
Aug 8 2017
Guessing https://chromium.googlesource.com/chromium/src/+/1cb584a78df79b205fa7de04beb28c6f848bde33 based on regression range.
,
Aug 8 2017
,
Aug 8 2017
,
Aug 8 2017
,
Aug 8 2017
Hi Koji, both this and 752447 have first-letter in the test and I see https://chromium.googlesource.com/chromium/src/+/48bdfcea704e04a68f326992545530e7e149da09 in the regression range. Although my CL plays fire with pointers there's no ellipsis in the test so I do suspect yours right now. I won't have a build until tomorrow evening, would you mind ruling your change out first?
,
Aug 8 2017
Will do, agree mine is more likely. Thank you.
,
Aug 8 2017
This one looks mine, reproduces with non-ASAN too. If you have other ones with :first-line, happy to look at. 752447 looks typo?
,
Aug 8 2017
,
Aug 9 2017
> 752447 looks typo? Issue 752477
,
Aug 9 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/67626ab20075007a6dced82ad2886390bd4c4aff commit 67626ab20075007a6dced82ad2886390bd4c4aff Author: Koji Ishii <kojii@chromium.org> Date: Tue Aug 15 16:32:00 2017 Fix InlineBoxWrapper to stay in sync when :first-letter is changed to floats There is a case where applying float to a :first-letter pseudo element does not cause reattaching the layout tree. The original purpose of r490692 (CL:593067) is to ensure LayoutText has the same style as its parent inline box. This patch changes the fix applied only when the pseudo style is inline. Bug: 751147 , 450002 , 507757 , 739800 Change-Id: I38c44dfbfffae114af89d545d7b2e9cf5b4f7b30 Reviewed-on: https://chromium-review.googlesource.com/612222 Reviewed-by: Emil A Eklund <eae@chromium.org> Commit-Queue: Koji Ishii <kojii@chromium.org> Cr-Commit-Position: refs/heads/master@{#494405} [add] https://crrev.com/67626ab20075007a6dced82ad2886390bd4c4aff/third_party/WebKit/LayoutTests/fast/css/first-letter-float-crash-expected.txt [add] https://crrev.com/67626ab20075007a6dced82ad2886390bd4c4aff/third_party/WebKit/LayoutTests/fast/css/first-letter-float-crash.html [modify] https://crrev.com/67626ab20075007a6dced82ad2886390bd4c4aff/third_party/WebKit/Source/core/dom/FirstLetterPseudoElement.cpp
,
Aug 16 2017
,
Aug 16 2017
ClusterFuzz has detected this issue as fixed in range 494077:494482. Detailed report: https://clusterfuzz.com/testcase?key=5728842106011648 Fuzzer: marty_html_twiddler Job Type: mac_asan_chrome Platform Id: mac Crash Type: Heap-use-after-free READ 4 Crash Address: 0x6110003ac47c Crash State: blink::InlineFlowBox::RemoveChild blink::LayoutBox::DeleteLineBoxWrapper blink::LayoutObjectChildList::RemoveChildNode Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=490630:490719 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494077:494482 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5728842106011648 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 16 2017
ClusterFuzz testcase 5063969139326976 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 16 2017
,
Sep 15 2017
,
Sep 15 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 16 2017
Already in M62
,
Oct 5 2017
,
Nov 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||||
Comment 1 by ClusterFuzz
, Aug 2 2017