Issue metadata
Sign in to add a comment
|
An Access Violation exception happened at 0x0 while attempting to write memory at 0x0 using a NULL pointer.
Reported by
brian.ca...@gmail.com,
Jan 2
|
||||||||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce the problem:
While fuzzing Chrome 71.0.3578.98 (x64) with Domato, this null pointer dereference and crash was caught. I've attached the report generated during the crash which contains stack and register information, plus the testcases that were created by Domato.
What is the expected behavior?
No crash.
What went wrong?
chrome.dll!base::win::`anonymous namespace'::ForceCrashOnSigAbort (id: 4a0) [[C:\b\c\b\win64_clang\src\base\win\win_util.cc @ 87]]
chrome.dll!raise + 0x22B (id: 090) [[C:\b\c\b\win64_clang\src\out\Release_x64\minkernel\crts\ucrt\src\appcrt\misc\signal.cpp @ 547]]
chrome.dll!abort + 0x18 [[C:\b\c\b\win64_clang\src\out\Release_x64\minkernel\crts\ucrt\src\appcrt\startup\abort.cpp @ 71]]
chrome.dll!sk_abort_no_print + 0x15 [[C:\b\c\b\win64_clang\src\skia\ext\SkMemory_new_handler.cpp @ 41]]
chrome.dll!viz::SoftwareRenderer::AllocateRenderPassResourceIfNeeded + 0x170 [[C:\b\c\b\win64_clang\src\components\viz\service\display\software_renderer.cc @ 828]]
chrome.dll!viz::DirectRenderer::UseRenderPass + 0x141 [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 705]]
chrome.dll!viz::DirectRenderer::DrawRenderPass + 0x8D [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 550]]
chrome.dll!viz::DirectRenderer::DrawRenderPassAndExecuteCopyRequests + 0xCB [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 526]]
chrome.dll!viz::DirectRenderer::DrawFrame + 0x6B0 [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 356]]
chrome.dll!viz::Display::DrawAndSwap + 0x5FA [[C:\b\c\b\win64_clang\src\components\viz\service\display\display.cc @ 402]]
chrome.dll!viz::DisplayScheduler::AttemptDrawAndSwap + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\components\viz\service\display\display_scheduler.cc @ 213]]
chrome.dll!viz::DisplayScheduler::OnBeginFrameDeadline + 0x46 [[C:\b\c\b\win64_clang\src\components\viz\service\display\display_scheduler.cc @ 502]]
chrome.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
chrome.dll!base::MessageLoop::RunTask + 0xDF [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 436]]
chrome.dll!base::MessageLoop::DoWork + 0x185 [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 517]]
chrome.dll!base::MessagePumpForUI::DoRunLoop + 0xA9 [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 180]]
chrome.dll!base::MessagePumpWin::Run + 0x4E [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 54]]
chrome.dll!base::RunLoop::Run + 0x31 [[C:\b\c\b\win64_clang\src\base\run_loop.cc @ 108]]
chrome.dll!ChromeBrowserMainParts::MainMessageLoopRun + 0x84 [[C:\b\c\b\win64_clang\src\chrome\browser\chrome_browser_main.cc @ 1907]]
chrome.dll!content::BrowserMainLoop::RunMainMessageLoopParts + 0x48 [[C:\b\c\b\win64_clang\src\content\browser\browser_main_loop.cc @ 1000]]
chrome.dll!content::BrowserMainRunnerImpl::Run + 0x11 [[C:\b\c\b\win64_clang\src\content\browser\browser_main_runner_impl.cc @ 166]]
chrome.dll!content::BrowserMain + 0xC6 [[C:\b\c\b\win64_clang\src\content\browser\browser_main.cc @ 47]]
chrome.dll!content::RunBrowserProcessMain + 0x6F [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 535]]
chrome.dll!content::ContentMainRunnerImpl::Run + 0x2F0 [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 0]]
chrome.dll!service_manager::Main + 0x333 [[C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 472]]
chrome.dll!content::ContentMain + 0x3E [[C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]]
chrome.dll!ChromeMain + 0x118 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 0]]
chrome.exe!MainDllLoader::Launch + 0x26C [[C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 201]]
chrome.exe!wWinMain + 0x5F0 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 229]]
chrome.exe!__scrt_common_main_seh + 0x106 [[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]]
KERNEL32.DLL!BaseThreadInitThunk + 0x14
ntdll.dll!RtlUserThreadStart + 0x21
Crashed report ID: N/A
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? Yes Don't know.
Chrome version: 71.0.3578.98 (x64) Channel: stable
OS Version: Enterprise 10 (Build 17134.rs4_release.180410-1804)
Flash Version: N/A
Command line arguments:
'--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stdout', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'file://C:\\Fuzzing\\Tests\\index.html'
,
Jan 3
The testcase(s) created by Domato which triggered this crash are in the zip file I attached to the original report.
,
Jan 3
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 7
Thanks for the update! This looks like test cases are created by Domato, hence adding the respective label for it to triage further. Some one from dev team please take a look in to it. Thank You!
,
Jan 7
|
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by rbasuvula@google.com
, Jan 3Labels: Needs-Triage-M71 Needs-Feedback