Issue 799663

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Mac
Pri: 1
Type: Bug

Null-dereference READ in blink::LayoutSVGTransformableContainer::IsChildAllowed

Project Member Reported by ClusterFuzz, Jan 6 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5351949854834688

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSVGTransformableContainer::IsChildAllowed
  blink::LayoutTreeBuilderForText::CreateInlineWrapperForDisplayContentsIfNeeded
  blink::LayoutTreeBuilderForText::CreateLayoutObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=526961:526971

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351949854834688

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Jan 6 2018

Components: Blink>DOM Blink>SVG
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jan 6 2018

Labels: OS-Linux

Comment 3 by f...@opera.com, Jan 8 2018

Cc: futhark@chromium.org
Guessing this is display:contents (tangentially) related based on stack fragment above.
Cc: -futhark@chromium.org
Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)

Comment 6 by bugdroid1@chromium.org (Project Member), Jan 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8657d50e4244d0c3824aa2346a5230319bb24751

commit 8657d50e4244d0c3824aa2346a5230319bb24751
Author: Rune Lillesveen <futhark@chromium.org>
Date: Tue Jan 09 22:54:27 2018

Null check GetNode() for SVG layout object children.

With display:contents, we may now insert anonymous inline wrappers
around text layout objects in SVG. That means GetNode() may return
nullptr. That caused crashes in IsChildAllowed() methods which did not
check GetNode() before using it.

Bug: 799663
Change-Id: Ic3f5ef391585c849b4acd920f1e1a925031e78e7
Reviewed-on: https://chromium-review.googlesource.com/857056
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#528151}
[add] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/LayoutTests/external/wpt/css/css-display/display-contents-svg-anchor-child.html
[add] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/LayoutTests/external/wpt/css/css-display/display-contents-svg-switch-child.html
[modify] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/Source/core/layout/svg/LayoutSVGInline.cpp
[modify] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/Source/core/layout/svg/LayoutSVGTransformableContainer.cpp
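
Constructed C++ model of the bug class the commit message describes (an added illustration, not Blink's code; Node, LayoutObject and the IsChildAllowed* functions are simplified stand-ins): the unchecked child filter dereferences GetNode() on an anonymous wrapper child, while the checked form treats a null node as "no element to validate".

```cpp
#include <cstdio>
#include <string>

// Minimal stand-in for a DOM element (hypothetical; real Blink nodes differ).
struct Node {
  std::string tag;  // "a", "text", "rect", ...
  bool IsSVGAElement() const { return tag == "a"; }
};

// Minimal stand-in for a layout object. Anonymous layout objects, such as the
// inline wrapper inserted around display:contents text, have no backing DOM
// node, so GetNode() legitimately returns nullptr for them.
struct LayoutObject {
  explicit LayoutObject(const Node* node) : node_(node) {}
  const Node* GetNode() const { return node_; }
 private:
  const Node* node_;
};

// Before the fix: reject <a> nested inside <a>, assuming every child has a
// node. An anonymous wrapper child dereferences nullptr (the crash reported).
bool IsChildAllowedUnchecked(const LayoutObject& child) {
  return !child.GetNode()->IsSVGAElement();
}

// After the fix: a child without a node is anonymous, so there is no element
// to reject; fall through to the generic container rule (modelled as allow).
bool IsChildAllowedChecked(const LayoutObject& child) {
  const Node* child_node = child.GetNode();
  if (!child_node)
    return true;
  return !child_node->IsSVGAElement();
}

// Helper for the demo: evaluate the checked rule for a child with the given
// tag, or for an anonymous (node-less) child when tag is nullptr.
bool CheckedAllowsChild(const char* tag) {
  if (!tag)
    return IsChildAllowedChecked(LayoutObject(nullptr));
  Node node{tag};
  return IsChildAllowedChecked(LayoutObject(&node));
}

int main() {
  std::printf("anchor: %d text: %d anonymous wrapper: %d\n",
              CheckedAllowsChild("a"), CheckedAllowsChild("text"),
              CheckedAllowsChild(nullptr));
  // IsChildAllowedUnchecked(LayoutObject(nullptr)) would dereference a null
  // pointer here and abort under ASAN, which is what the fuzzer caught.
  return 0;
}
```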

Status: Fixed (was: Started)

Comment 8 by ClusterFuzz (Project Member), Jan 10 2018

ClusterFuzz has detected this issue as fixed in range 528117:528172.

Detailed report: https://clusterfuzz.com/testcase?key=5351949854834688

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSVGTransformableContainer::IsChildAllowed
  blink::LayoutTreeBuilderForText::CreateInlineWrapperForDisplayContentsIfNeeded
  blink::LayoutTreeBuilderForText::CreateLayoutObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=526961:526971
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=528117:528172

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351949854834688

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), Jan 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5351949854834688 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
