Null-dereference READ in blink::ReplaceSelectionCommand::DoApply
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5690090776166400

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
  blink::ExecuteInsertHTML

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5690090776166400

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 6 2017
Predator and CL could not provide any possible suspects. Using code search for the file "CompositeEditCommand.cpp", assigning to the concerned owner from the git revision log. Suspecting commit https://chromium.googlesource.com/chromium/src/+/3fbe9a95423930b2c3c592551d57446c76c924ad. @tanvir.rizvi -- could you please look into this issue, and kindly reassign if it has nothing to do with your changes. Thank you.
Nov 7 2017

Nov 7 2017

Nov 7 2017
Nov 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4306d8180795bb89b22ccec20c6ff9a1b2acfaa1

commit 4306d8180795bb89b22ccec20c6ff9a1b2acfaa1
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Fri Nov 17 17:13:08 2017

[ClusterFuzz] crash in replaceSelectionCommand

ReplaceSelectionCommand crashes if InsertHTML content has trailing non-visible content. This happens as the nextAncesstorSibling comes as null. This CL does the safety check to prevent the crash observed in this scenario.

Bug: 781282
Change-Id: Ibb886956dafcdfaadac4dd2ee6b6c1ef70ad8340
Reviewed-on: https://chromium-review.googlesource.com/768550
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517437}

[modify] https://crrev.com/4306d8180795bb89b22ccec20c6ff9a1b2acfaa1/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp
[modify] https://crrev.com/4306d8180795bb89b22ccec20c6ff9a1b2acfaa1/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommandTest.cpp
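A minimal model of the failure mode the commit message above describes, added here as an illustration. It is not Chromium code and not the CL's diff: the `Node` struct, `NextAncestorSibling`, `BuildScenario` and the tree shape are assumptions of this example, not identifiers taken from Blink. The point it shows is structural: when the inserted fragment ends in trailing non-visible content and nothing follows it anywhere up the ancestor chain, the "next ancestor sibling" lookup legitimately returns null, so any caller that dereferences the result without a check is the null-dereference READ, and the fix is to treat null as "end of container" rather than assume a following node exists.

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-in for a DOM node (constructed for this example; not Blink's Node).
// Each node owns its children and keeps a raw pointer to its parent.
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node* AppendChild(const std::string& child_name) {
        children.push_back(std::make_unique<Node>());
        Node* child = children.back().get();
        child->name = child_name;
        child->parent = this;
        return child;
    }
};

// Next sibling of `node`, or nullptr if it is the last child or the root.
Node* NextSibling(const Node* node) {
    if (!node->parent) return nullptr;
    const auto& siblings = node->parent->children;
    for (size_t i = 0; i + 1 < siblings.size(); ++i) {
        if (siblings[i].get() == node) return siblings[i + 1].get();
    }
    return nullptr;
}

// Walk up from `node` until it, or some ancestor, has a next sibling.
// If the inserted content is the trailing content of the whole tree, every
// level is a last child and this returns nullptr; that is the case the
// commit message says was not handled.
Node* NextAncestorSibling(Node* node) {
    for (Node* n = node; n; n = n->parent) {
        if (Node* s = NextSibling(n)) return s;
    }
    return nullptr;
}

// "Before": assumes something always follows the inserted content.
// With trailing content this dereferences nullptr (undefined behaviour).
std::string NameAfterInsertedUnchecked(Node* last_inserted) {
    return NextAncestorSibling(last_inserted)->name;
}

// "After": the safety check. An empty result means nothing follows the
// inserted content, and the caller must treat that as end of container.
std::string NameAfterInsertedChecked(Node* last_inserted) {
    Node* next = NextAncestorSibling(last_inserted);
    return next ? next->name : std::string();
}

struct Scenario {
    std::unique_ptr<Node> root;
    Node* last_inserted;  // trailing node of the inserted fragment
};

// Constructed tree: body > div[contenteditable] > p > [span > visible text,
// trailing whitespace text]. The whitespace node is the "trailing
// non-visible content". When `content_follows_insertion` is true a further
// <p> follows the inserted paragraph; when false, nothing does.
Scenario BuildScenario(bool content_follows_insertion) {
    auto root = std::make_unique<Node>();
    root->name = "body";
    Node* editable = root->AppendChild("div[contenteditable]");
    Node* para = editable->AppendChild("p");
    Node* span = para->AppendChild("span");
    span->AppendChild("#text:visible");
    Node* trailing = para->AppendChild("#text:whitespace");
    if (content_follows_insertion) editable->AppendChild("p#after");
    return Scenario{std::move(root), trailing};
}

// True if something follows the trailing node anywhere up the tree.
bool HasFollowingContent(bool content_follows_insertion) {
    Scenario s = BuildScenario(content_follows_insertion);
    return NextAncestorSibling(s.last_inserted) != nullptr;
}

// Name of the node after the inserted content via the checked path ("" if none).
std::string AfterChecked(bool content_follows_insertion) {
    Scenario s = BuildScenario(content_follows_insertion);
    return NameAfterInsertedChecked(s.last_inserted);
}

int main() {
    Scenario s = BuildScenario(false);
    // NameAfterInsertedUnchecked(s.last_inserted) would dereference nullptr here.
    return NameAfterInsertedChecked(s.last_inserted).empty() ? 0 : 1;
}
```

Building this with `-fsanitize=undefined` and calling the unchecked variant on the `false` scenario reproduces the shape of the ClusterFuzz finding (a null read inside the command), while the checked variant returns an empty result and lets the caller stop at the end of the editable container.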
Nov 18 2017
ClusterFuzz has detected this issue as fixed in range 514498:517702.

Detailed report: https://clusterfuzz.com/testcase?key=5690090776166400

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
  blink::ExecuteInsertHTML

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=514498:517702

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5690090776166400

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 18 2017
ClusterFuzz testcase 5690090776166400 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 3 2017
Labels: Test-Predator-AutoComponents