Null-dereference READ in blink::LayoutSVGTransformableContainer::IsChildAllowed
Issue description (Jan 6 2018)

Detailed report: https://clusterfuzz.com/testcase?key=5351949854834688
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSVGTransformableContainer::IsChildAllowed
  blink::LayoutTreeBuilderForText::CreateInlineWrapperForDisplayContentsIfNeeded
  blink::LayoutTreeBuilderForText::CreateLayoutObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=526961:526971
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351949854834688

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 8 2018
Guessing this is display:contents (tangentially) related, based on the stack fragment above.
Jan 9 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8657d50e4244d0c3824aa2346a5230319bb24751

commit 8657d50e4244d0c3824aa2346a5230319bb24751
Author: Rune Lillesveen <futhark@chromium.org>
Date: Tue Jan 09 22:54:27 2018

Null check GetNode() for SVG layout object children.

With display:contents, we may now insert anonymous inline wrappers around text layout objects in SVG. That means GetNode() may return nullptr. That caused crashes in IsChildAllowed() methods which did not check GetNode() before using it.

Bug: 799663
Change-Id: Ic3f5ef391585c849b4acd920f1e1a925031e78e7
Reviewed-on: https://chromium-review.googlesource.com/857056
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#528151}

[add] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/LayoutTests/external/wpt/css/css-display/display-contents-svg-anchor-child.html
[add] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/LayoutTests/external/wpt/css/css-display/display-contents-svg-switch-child.html
[modify] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/Source/core/layout/svg/LayoutSVGInline.cpp
[modify] https://crrev.com/8657d50e4244d0c3824aa2346a5230319bb24751/third_party/WebKit/Source/core/layout/svg/LayoutSVGTransformableContainer.cpp
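The defect the commit message describes, as an added model that is not Blink's code: a container's IsChildAllowed() that dereferences child->GetNode() without a null check, beside the null-checked form. Node, LayoutObject, ContainerKind and the switch/anchor acceptance policy are assumptions standing in for the real Blink types and rules.

```cpp
// Constructed model of the crash pattern from the commit message above.
// Not Blink code: Node, LayoutObject and ContainerKind are stand-ins
// (assumptions) for blink::Node, blink::LayoutObject and the SVG containers.
#include <string>

struct Node {
  std::string tag;      // e.g. "a", "switch", "rect"
  bool is_svg_element;  // models Node::IsSVGElement()
};

// A layout object wraps a DOM node, or is anonymous (no node). display:contents
// can insert anonymous inline wrappers around SVG text, so GetNode() may be
// nullptr for a legitimate child.
struct LayoutObject {
  const Node* node = nullptr;
  const Node* GetNode() const { return node; }
};

enum class ContainerKind { kAnchor, kSwitch };

// Pre-fix shape (modelled): GetNode() is dereferenced without a null check.
// An anonymous child turns this into the null-dereference READ ASAN reported;
// it is here only to show the defective pattern.
bool IsChildAllowedUnchecked(ContainerKind kind, const LayoutObject& child) {
  const Node& n = *child.GetNode();  // nullptr for an anonymous wrapper
  if (kind == ContainerKind::kSwitch) return n.is_svg_element;
  return n.tag != "a";  // no <a> nested inside <a>
}

// Post-fix shape (modelled): test GetNode() before using it. The policy is an
// assumption: a <switch> accepts only SVG element children, so an anonymous
// wrapper is rejected; an <a> accepts anything except a nested <a>.
bool IsChildAllowedChecked(ContainerKind kind, const LayoutObject& child) {
  const Node* n = child.GetNode();
  if (kind == ContainerKind::kSwitch) return n != nullptr && n->is_svg_element;
  return n == nullptr || n->tag != "a";
}
```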
Jan 10 2018
ClusterFuzz has detected this issue as fixed in range 528117:528172.

Detailed report: https://clusterfuzz.com/testcase?key=5351949854834688
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSVGTransformableContainer::IsChildAllowed
  blink::LayoutTreeBuilderForText::CreateInlineWrapperForDisplayContentsIfNeeded
  blink::LayoutTreeBuilderForText::CreateLayoutObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=526961:526971
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=528117:528172
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5351949854834688

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 10 2018
ClusterFuzz testcase 5351949854834688 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.