Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::LayoutBlockFlow::XPositionForFloatIncludingMargin |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5237319343538176 Fuzzer: marty_html_twiddler Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x612000049a00 Crash State: blink::LayoutBlockFlow::XPositionForFloatIncludingMargin blink::LayoutBlockFlow::AddOverflowFromFloats blink::LayoutBlock::SimplifiedLayout Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=531706:531716 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5237319343538176 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Mar 18 2018
Very strange. Nothing in the blame list looks relevant. It looks like |child.GetLayoutObject()| has been freed and then this method is being called. +layout folks, can you please investigate this further?
,
Mar 19 2018
,
Mar 19 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 19 2018
,
Mar 19 2018
,
Mar 19 2018
Christian, could you look into this please? The regression range is suspicious (requested a re-run) but the failure is real.
,
Mar 30 2018
cbiesinger@, please take a look as per c#7. This is a High severity security issue affecting Beta branch.
,
Apr 2 2018
cbiesinger: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 2 2018
Just a heads up, M66 Stable cut is on April 12th, 10 days away. This issue is marked as RB-Stable for 66. Please make sure to address this issue prior to stable cut. Thanks!
,
Apr 9 2018
Reminder: Please note that M66 Stable is only 7 days away. This bug has been marked as ReleaseBlock Stable for M66. So please take a look and appropriately address this bug.
,
Apr 13 2018
Flaky test case, per email thread.
,
Jul 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Mar 18 2018Labels: Test-Predator-Auto-Components