Null-dereference READ in SVGContainerPainter::Paint
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4877281932345344

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000068
Crash State:
  chrome
  blink::SVGContainerPainter::Paint
  blink::LayoutSVGContainer::Paint

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=537426:537470

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877281932345344

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Feb 18 2018
Automatically adding ccs based on suspected regression changelists:

canvas: Avoid unnecessary book-keeping of images in CanvasImageProvider. by khushalsagar@chromium.org - https://chromium.googlesource.com/chromium/src/+/cde9d1d1e464957716e4e15f44810fe28753e4df

[PE] Add a test case for crbug.com/809102 by wangxianzhu@chromium.org - https://chromium.googlesource.com/chromium/src/+/4926f8217a1795cedffc9c64113eb7944b0cf504

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Feb 20 2018
SPv1.75 code path. Null reads not P1.
Feb 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1d3c50f6f1b3289411d1050487efd874ad84f0ca

commit 1d3c50f6f1b3289411d1050487efd874ad84f0ca
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Feb 21 20:50:20 2018

[SPv175+] SetNeedsPaintPropertyUpdate on overflow property change for SVGForeignObject and SVGViewportContainer

The overflow rule is special for SVGForeignObject and SVGViewportContainer, and their changes to update paint properties were not covered by existing overflow clip change logic. They need special handling.

Bug: 813411, 813466
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I18b54c5cf249fd63765b191d80e9a5c96b446a04
Reviewed-on: https://chromium-review.googlesource.com/929347
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538201}

[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/LayoutSVGBlock.h
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/LayoutSVGForeignObject.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/LayoutSVGForeignObject.h
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/LayoutSVGViewportContainer.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/LayoutSVGViewportContainer.h
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/SVGLayoutSupport.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/layout/svg/SVGLayoutSupport.h
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/paint/PaintPropertyTreeUpdateTests.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/paint/SVGContainerPainter.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/paint/SVGForeignObjectPainter.cpp
[modify] https://crrev.com/1d3c50f6f1b3289411d1050487efd874ad84f0ca/third_party/WebKit/Source/core/paint/SVGShapePainter.cpp
Feb 22 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f6a82fc1c8b43938da813697c723c1db6834482b

commit f6a82fc1c8b43938da813697c723c1db6834482b
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Thu Feb 22 19:36:38 2018

[SPv175] Don't crash on circular filter reference containing foreignObject or svg-in-svg

This is a workaround for the crash bugs. The root cause is tracked in crbug.com/814815.

Bug: 813446, 813411, 814815
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ied370eb2b1f0ffd4424c9c397ea1c899914bdbb0
Reviewed-on: https://chromium-review.googlesource.com/931922
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538527}

[add] https://crrev.com/f6a82fc1c8b43938da813697c723c1db6834482b/third_party/WebKit/LayoutTests/external/wpt/svg/foreignobject/foreign-object-circular-filter-reference-crash.html
[add] https://crrev.com/f6a82fc1c8b43938da813697c723c1db6834482b/third_party/WebKit/LayoutTests/external/wpt/svg/svg-in-svg/svg-in-svg-circular-filter-reference-crash.html
[modify] https://crrev.com/f6a82fc1c8b43938da813697c723c1db6834482b/third_party/WebKit/Source/core/paint/SVGContainerPainter.cpp
[modify] https://crrev.com/f6a82fc1c8b43938da813697c723c1db6834482b/third_party/WebKit/Source/core/paint/SVGForeignObjectPainter.cpp
Feb 23 2018
ClusterFuzz has detected this issue as fixed in range 538495:538530.

Detailed report: https://clusterfuzz.com/testcase?key=4877281932345344

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000068
Crash State:
  chrome
  blink::SVGContainerPainter::Paint
  blink::LayoutSVGContainer::Paint

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=537426:537470
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=538495:538530

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877281932345344

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 23 2018
ClusterFuzz testcase 4877281932345344 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 18 2018
Labels: Test-Predator-Auto-Components