New issue
Advanced search Search tips

Issue 788053 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
yosin@chromium.org
shend@chromium.org
editing-dev@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 3
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::IsTabHTMLSpanElement

Project Member Reported by ClusterFuzz, Nov 23 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5974060818497536

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::IsTabHTMLSpanElement
  blink::EditingStyle::Init
  blink::EditingStyle::Create
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=506675:506834

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5974060818497536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Nov 23 2017

Components: Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Nov 23 2017

Labels: Test-Predator-Auto-Owner
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/52d55d36c78e4772e0e3499409dc6f6dcabde00e (Make InsertText command not to split SPAN element containing TAB character).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 3 by xiaoche...@chromium.org, Nov 23 2017 

So it's like we can get null Node::ComputedStyle even with clean style?

Comment 4 by xiaoche...@chromium.org, Nov 28 2017

Labels: -Pri-1 Pri-3
This looks like P3. The HTML pattern required is very unusual.

Minimal repro:

<p>foo</p>
<label><option><input></option></label>
<script>
document.designMode = 'on';
document.execCommand("selectAll");
document.execCommand("InsertText", false, "\t");
</script>

DOM tree when the null-deref happens:

BODY (editable) (focused)
	LABEL (editable)
		OPTION (editable)
			#shadow-root(UserAgent)
*			SPAN style="white-space:pre" (editable)
				#text "\t"
			BR (editable)
			INPUT (editable)
				#shadow-root(UserAgent)
					DIV

Comment 5 by yosin@chromium.org, Dec 6 2017

Components: -Blink>Editing Blink>Editing>Command
Status: Available (was: Assigned)

Comment 6 by yosin@chromium.org, Dec 6 2017

Owner: ----

Comment 7 by yosin@chromium.org, Dec 6 2017

Cc: shend@chromium.org yosin@chromium.org
 Issue 791609  has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Dec 8 2017

Labels: OS-Windows
Project Member

Comment 9 by ClusterFuzz, Jan 23 2018

Status: WontFix (was: Available)
ClusterFuzz testcase 6599738064633856 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by ClusterFuzz, Jan 25 2018 

ClusterFuzz has detected this issue as fixed in range 531491:531492.

Detailed report: https://clusterfuzz.com/testcase?key=5974060818497536

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::IsTabHTMLSpanElement
  blink::EditingStyle::Init
  blink::EditingStyle::Create
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=506675:506834
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=531491:531492

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5974060818497536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment