
Issue 814734

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Null-dereference READ in FloatAscent

Project Member Reported by ClusterFuzz, Feb 22 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5660710340919296

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  FloatAscent
  FloatHeight
  InternalLeading
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5660710340919296

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: brajkumar@chromium.org
Components: Blink>Fonts
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage
Unable to find the actual suspect through code search, and observing no CL in the regression range, hence adding the appropriate label and leaving it untriaged for further updates.

Thanks!

Comment 2 by e...@chromium.org, Feb 26 2018

Labels: -Pri-1 Pri-2

Comment 3 by e...@chromium.org, Feb 26 2018

Owner: e...@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by bugdroid1@chromium.org (Project Member), Feb 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f35c78466bb21586a66893b090583f71463e597

commit 7f35c78466bb21586a66893b090583f71463e597
Author: Emil A Eklund <eae@chromium.org>
Date: Tue Feb 27 18:55:07 2018

Check for font in LayoutTextCombine::TransformToInlineCoordinates

Check for PrimaryFont in LayoutTextCombine::TransformToInlineCoordinates
as it may be NULL in which case no coordinate transform is required.

Bug: 814734
Change-Id: I9d637bc9956a3129cd294398e407023cc45e32ea
Reviewed-on: https://chromium-review.googlesource.com/938661
Commit-Queue: Emil A Eklund <eae@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539511}
[modify] https://crrev.com/7f35c78466bb21586a66893b090583f71463e597/third_party/WebKit/Source/core/layout/LayoutTextCombine.cpp

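The guard described in the commit message above, as an added C++ illustration rather than Blink's own code: the class and method names follow the crash stack and the commit, but every body, the sample metric values and the centering arithmetic are assumptions made for the example. It models why a null PrimaryFont() turns the metrics read (FloatAscent reached via FloatHeight) into a null-dereference READ, and what the early return changes.

```cpp
// Added illustration, not Blink source: models the null PrimaryFont() path that
// commit 7f35c78 guards in LayoutTextCombine::TransformToInlineCoordinates.
// Class and method names mirror the bug; every body, and the centering
// arithmetic in particular, is a hypothetical stand-in.
#include <cstdio>

struct FloatRect {
  float x, y, width, height;
};

// Stand-in for Blink's FontMetrics. The reported stack (FloatAscent <-
// FloatHeight <- InternalLeading) is a read of metrics like these.
struct FontMetrics {
  float ascent;
  float descent;
  float FloatAscent() const { return ascent; }
  float FloatHeight() const { return ascent + descent; }
};

// Stand-in for SimpleFontData: the object PrimaryFont() points at.
struct SimpleFontData {
  FontMetrics metrics;
  const FontMetrics& GetFontMetrics() const { return metrics; }
};

// Stand-in for Font. PrimaryFont() may legitimately return nullptr (no
// usable primary face); that is the case the fix handles.
struct Font {
  const SimpleFontData* primary = nullptr;
  const SimpleFontData* PrimaryFont() const { return primary; }
};

struct LayoutTextCombine {
  Font font;
  float combined_width = 0;  // hypothetical: width of the combined-text box

  // BEFORE the fix: dereferences PrimaryFont() unconditionally. With a null
  // primary font this is the "Null-dereference READ" in the report. Kept only
  // for comparison; it must never be called with an unloaded font.
  FloatRect TransformToInlineCoordinatesUnchecked(FloatRect box) const {
    const FontMetrics& m = font.PrimaryFont()->GetFontMetrics();
    box.x += (m.FloatHeight() - combined_width) / 2;  // hypothetical centering
    box.y += m.FloatAscent();                         // hypothetical baseline shift
    return box;
  }

  // AFTER the fix: with no primary font there are no metrics to transform
  // against, so the box is returned untouched.
  FloatRect TransformToInlineCoordinates(FloatRect box) const {
    const SimpleFontData* primary = font.PrimaryFont();
    if (!primary)
      return box;
    const FontMetrics& m = primary->GetFontMetrics();
    box.x += (m.FloatHeight() - combined_width) / 2;
    box.y += m.FloatAscent();
    return box;
  }
};

// Demo driver: run the fixed transform either with a constructed font
// (ascent 10, descent 2; made-up values) or with no primary font at all.
FloatRect RunFixedTransform(bool font_loaded, FloatRect box) {
  static const SimpleFontData kLoaded{{10.0f, 2.0f}};
  Font font;
  font.primary = font_loaded ? &kLoaded : nullptr;
  LayoutTextCombine combine{font, /*combined_width=*/4.0f};
  return combine.TransformToInlineCoordinates(box);
}

int main() {
  FloatRect with_font = RunFixedTransform(true, {0.0f, 0.0f, 4.0f, 12.0f});
  FloatRect no_font = RunFixedTransform(false, {0.0f, 0.0f, 4.0f, 12.0f});
  std::printf("loaded font: box moved to (%.1f, %.1f)\n", with_font.x, with_font.y);
  std::printf("null font:   box left at  (%.1f, %.1f)\n", no_font.x, no_font.y);
  return 0;
}
```

Build with any C++14 or later compiler. The unchecked variant is never invoked with a null font here, because under ASAN that is exactly the SEGV ClusterFuzz reported; a crash address of 0x10 is what a read of a field a few words into a null-based object looks like, which is why the fault surfaces in the metrics accessor rather than at the PrimaryFont() call itself.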
Comment 5 by e...@chromium.org, Feb 27 2018

Status: Fixed (was: Assigned)

Comment 6 by ClusterFuzz (Project Member), Mar 6 2018

Labels: Needs-Feedback
ClusterFuzz testcase 5660710340919296 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and, if the fix was incorrect or incomplete, re-open the bug. Otherwise, ignore this notification and add the ClusterFuzz-Wrong label.

Comment 7 by e...@chromium.org, Mar 6 2018

Labels: -Clusterfuzz ClusterFuzz-Wrong
No longer reproduces locally. No longer reproduces with the clusterfuzz reproduce tool.
