Null-dereference READ in content::WidgetInputHandlerManager::GetWidgetInputHandlerHost |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5093946152976384 Fuzzer: inferno_twister Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000008 Crash State: content::WidgetInputHandlerManager::GetWidgetInputHandlerHost content::RenderWidget::OnDidOverscroll content::RenderWidgetInputHandler::DidOverscrollFromBlink Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=519312:519325 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5093946152976384 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Nov 27 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/dc8d14d9a16b28d12b8380d0a5490fe4a747a65a (Enable mojo input messages on all platforms other than Android webview.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Nov 28 2017
ClusterFuzz has detected this issue as fixed in range 519404:519436. Detailed report: https://clusterfuzz.com/testcase?key=5093946152976384 Fuzzer: inferno_twister Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000008 Crash State: content::WidgetInputHandlerManager::GetWidgetInputHandlerHost content::RenderWidget::OnDidOverscroll content::RenderWidgetInputHandler::DidOverscrollFromBlink Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=519312:519325 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=519404:519436 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5093946152976384 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 28 2017
ClusterFuzz testcase 5093946152976384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/84c0905079cba6b4977956949c6d22ac57c85761 commit 84c0905079cba6b4977956949c6d22ac57c85761 Author: Dave Tapuska <dtapuska@chromium.org> Date: Tue Nov 28 18:10:05 2017 Fix nullptr access with MojoInputMessages on. With event sender input is possibly injected solely on the main thread and a host may not be bound yet. So protect against null host objects on the main thread. BUG= 788886 Change-Id: I6b8d1449ce01e3a1f0872133440839fa445d1567 Reviewed-on: https://chromium-review.googlesource.com/793971 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Cr-Commit-Position: refs/heads/master@{#519746} [modify] https://crrev.com/84c0905079cba6b4977956949c6d22ac57c85761/content/renderer/input/widget_input_handler_manager.cc [modify] https://crrev.com/84c0905079cba6b4977956949c6d22ac57c85761/content/renderer/render_widget.cc |
|||
►
Sign in to add a comment |
|||
Comment 1 by ClusterFuzz
, Nov 27 2017Labels: Test-Predator-Auto-Components