This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This looks like 753179 which was resolved as duplicate of 752715 which was marked 'Fixed' but ClusterFuzz claims that that issue also still reproduces.

My patch will fix this:
https://chromium-review.googlesource.com/c/chromium/src/+/637298

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a689544e6e070aa2d65841ae1bdb25b41cf7489

commit 2a689544e6e070aa2d65841ae1bdb25b41cf7489
Author: yoichio <yoichio@chromium.org>
Date: Fri Sep 08 06:17:37 2017

Avoid crash in LayoutText::LocalSelectionRect()

FrameSelection::LayoutSelectionStart/End() is typed Optional<int>
 and we should not call it when selection is empty.
However, LayoutObject::SelectionState and FrameSelection
 often fall into inconsistency: SelectionState is kStart but no
 selection.
I'm working to clean SelectionState marking but this hits
 Use-of-uninitialized-value issue on Chrome beta.
As small cherry-pick, this CL sets optional value |0| for selection
 offset.

Bug:  759355 
Change-Id: I53f772c91e59dcac84fc0a36afc954545f842e6a
Reviewed-on: https://chromium-review.googlesource.com/651987
Reviewed-by: Koji Ishii <kojii@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500523}
[modify] https://crrev.com/2a689544e6e070aa2d65841ae1bdb25b41cf7489/third_party/WebKit/Source/core/layout/LayoutText.cpp

ClusterFuzz has detected this issue as fixed in range 500520:500531.

Detailed report: https://clusterfuzz.com/testcase?key=4937243612676096

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::LayoutText::LocalSelectionRect
  blink::LayoutText::LocalVisualRect
  blink::PaintInvalidator::InvalidatePaint
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=496838:496881
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=500520:500531

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4937243612676096

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4937243612676096 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Approving merge to M62 (branch:3202)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f8392beb452bfaa389a28bf071326b38a0f0fc38

commit f8392beb452bfaa389a28bf071326b38a0f0fc38
Author: yoichio <yoichio@chromium.org>
Date: Tue Sep 12 02:11:46 2017

Avoid crash in LayoutText::LocalSelectionRect()

FrameSelection::LayoutSelectionStart/End() is typed Optional<int>
 and we should not call it when selection is empty.
However, LayoutObject::SelectionState and FrameSelection
 often fall into inconsistency: SelectionState is kStart but no
 selection.
I'm working to clean SelectionState marking but this hits
 Use-of-uninitialized-value issue on Chrome beta.
As small cherry-pick, this CL sets optional value |0| for selection
 offset.

Bug:  759355 
Change-Id: I53f772c91e59dcac84fc0a36afc954545f842e6a
Reviewed-on: https://chromium-review.googlesource.com/651987
Reviewed-by: Koji Ishii <kojii@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#500523}(cherry picked from commit 2a689544e6e070aa2d65841ae1bdb25b41cf7489)
Reviewed-on: https://chromium-review.googlesource.com/662537
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#153}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}
[modify] https://crrev.com/f8392beb452bfaa389a28bf071326b38a0f0fc38/third_party/WebKit/Source/core/layout/LayoutText.cpp

ClusterFuzz testcase 5701346547466240 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot