New issue
Advanced search Search tips

Issue 801885 link

Starred by 1 user
Status: WontFix
Owner:
aleventhal@chromium.org
Closed: Jan 2018
Cc:
aboxhall@chromium.org
dmazz...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security
Team-Accessibility



Sign in to add a comment

Bad-cast to blink::LayoutTableCell from blink::LayoutFlexibleBox in blink::AXTableCell::ScanToDecideHeaderRole

Project Member Reported by ClusterFuzz, Jan 14 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6634744245911552

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x00babbe04150
Crash State:
  Bad-cast to blink::LayoutTableCell from blink::LayoutFlexibleBox
  blink::AXTableCell::ScanToDecideHeaderRole
  blink::AXObject::Init
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=500415:500470

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6634744245911552

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 14 2018

Components: Blink>Accessibility
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 14 2018

Labels: Test-Predator-Auto-Owner
Owner: aleventhal@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e390302d58681b827ab20c148b0dadccf06dbf19 (Tables with extra wrapping elements can have incorrect row/col info).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 14 2018

Labels: M-63
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 14 2018

Labels: Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 28 2018 

aleventhal: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by ClusterFuzz, Jan 28 2018

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6634744245911552 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by sheriffbot@chromium.org, May 7 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment