This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

yoichio@, as an expert in this area, can you PTAL?

ClusterFuzz testcase 4568737616494592 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 492570:492578.

Detailed report: https://clusterfuzz.com/testcase?key=6398326961602560

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6130000b8e00
Crash State:
  blink::LayoutSelection::ClearSelection
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=489272:489278
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=492570:492578

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6398326961602560


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de2e1f7c022b7fe489d08a9e4871049969551de4

commit de2e1f7c022b7fe489d08a9e4871049969551de4
Author: Yoichi Osato <yoichio@chromium.org>
Date: Wed Aug 09 09:27:39 2017

Ensure LayoutSelection has LayoutObjects which have valid SelectionState

LayoutText::setSelectionState(state) propergates |state| to ancestor
LayoutObjects, which can accidentally change start/end LayoutObject state
 in SetShouldInvalidateSelection().
Then LayoutObject::IsSelectionBorder() returns false although we should
 clear selection at LayoutObject::WillBeRemoved().

This patch assigns SelectionState again.
This is work-around patch and I will clean up
 LayoutText::setSelectionState().

Bug:  752715 
Change-Id: I0aed50c08e70e4218e0de2ff31b654e05b43beaa
Reviewed-on: https://chromium-review.googlesource.com/607735
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492919}
[modify] https://crrev.com/de2e1f7c022b7fe489d08a9e4871049969551de4/third_party/WebKit/Source/core/editing/LayoutSelection.cpp
[modify] https://crrev.com/de2e1f7c022b7fe489d08a9e4871049969551de4/third_party/WebKit/Source/core/editing/LayoutSelectionTest.cpp

ClusterFuzz testcase 6293318500876288 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot