New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 780931 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug
Team-Accessibility



Sign in to add a comment

Null-dereference READ in blink::AXMenuList::AddChildren

Project Member Reported by ClusterFuzz, Nov 2 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6181520154034176

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::AXMenuList::AddChildren
  blink::AXObject::Children
  blink::AXMenuList::DidUpdateActiveOption
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6181520154034176

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 2 2017

Components: Blink>Accessibility
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Nov 2 2017

Labels: Test-Predator-AutoOwner
Owner: djmix....@samsung.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/cf117f4619c991b812bc17da94305ad86a1217ae (Expose ARIA application for aria-activedescendant ).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
I've update patch-set for current issue as below.

https://chromium-review.googlesource.com/c/chromium/src/+/753167
Labels: Test-Predator-Auto-CC
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
Labels: -Test-Predator-Auto-CC
Project Member

Comment 8 by bugdroid1@chromium.org, Nov 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2357fd60fcda8b432ad044e7d218b18abd4cb50

commit f2357fd60fcda8b432ad044e7d218b18abd4cb50
Author: deejay <djmix.kim@samsung.com>
Date: Mon Nov 13 10:02:02 2017

Null dereference in AXMenuList::DidUpdateActiveOption

This fixes a Null-dereference READ error in AXMenuList.

It can get a issue while adding children
in AXObject::UpdateChildrenIfNecessary.
We check HasChildren() before accessing children to fix it.

Bug:  780931 
Change-Id: Ia8442643a7ba06114453084d8208d25393dab865
Reviewed-on: https://chromium-review.googlesource.com/753167
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515910}
[modify] https://crrev.com/f2357fd60fcda8b432ad044e7d218b18abd4cb50/third_party/WebKit/Source/modules/accessibility/AXMenuList.cpp

Project Member

Comment 9 by ClusterFuzz, Nov 18 2017

ClusterFuzz has detected this issue as fixed in range 514498:517702.

Detailed report: https://clusterfuzz.com/testcase?key=6181520154034176

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::AXMenuList::AddChildren
  blink::AXObject::Children
  blink::AXMenuList::DidUpdateActiveOption
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=514498:517702

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6181520154034176

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Nov 18 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6181520154034176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment