Null-dereference READ in blink::WebElement::TagName
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5666148380835840
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::WebElement::TagName
  printing::IsPrintingFrameset
  printing::PrintRenderFrameHelper::Print
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=621060:621062
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5666148380835840
Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 9

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/dcb35fd5c675d00dafda22073ca7ecd5ee4d5815 (PrintRenderFrameHelper: Refuse to print framesets). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 9

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7fefb08dc3487cdb6f679b60614f20e3001beb88

commit 7fefb08dc3487cdb6f679b60614f20e3001beb88
Author: rbpotter <rbpotter@chromium.org>
Date: Wed Jan 09 22:15:19 2019

PrintRenderFrameHelper: fix null dereference

Clusterfuzz error doesn't reproduce locally, but check that the document is an HTML document and body is non-null before calling TagName().

Bug: 920163
Change-Id: Iab500f3a9165c72ba07b998c758063cb02eef810
Reviewed-on: https://chromium-review.googlesource.com/c/1403519
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Rebekah Potter <rbpotter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621325}

[modify] https://crrev.com/7fefb08dc3487cdb6f679b60614f20e3001beb88/components/printing/renderer/print_render_frame_helper.cc
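The crash state above (TagName called from IsPrintingFrameset) and the fix described in the commit message follow a pattern worth seeing in isolation: Blink's public API hands out empty handle objects rather than null pointers, so a document with no body yields a WebElement that is "null" only in the IsNull() sense, and any method call on it reads through a null pointer. The C++ below is an added example, not Chromium's code: MockElement, MockDocument, g_null_reads and the two IsPrintingFrameset* functions are constructed stand-ins, the mock assumes that non-HTML documents report no body, and the counter replaces the real crash so the unguarded path stays runnable.

```cpp
// Added example, not Chromium's code: a self-contained mock of the Blink
// "empty handle" convention that made this bug possible. The document's body
// accessor returns an empty element handle (not a nullptr) when there is no
// <body>, so calling TagName() on it reads through a null pointer.
// All type and function names below are constructed for illustration.
#include <iostream>
#include <string>

// Incremented whenever TagName() is invoked on an empty handle. A real Blink
// build would crash here (the null-dereference READ in the report); counting
// instead keeps the example runnable.
int g_null_reads = 0;

// Stand-in for blink::WebElement: an empty handle carries a null pointer.
struct MockElement {
  const std::string* tag = nullptr;
  bool IsNull() const { return tag == nullptr; }
  std::string TagName() const {
    if (tag == nullptr) {
      ++g_null_reads;  // the unsafe read, made observable
      return "";
    }
    return *tag;
  }
};

// Stand-in for blink::WebDocument. An empty body_tag models "no <body>",
// which the mock assumes for non-HTML documents (e.g. an SVG or XML resource)
// and for an HTML document whose body has not been created yet.
struct MockDocument {
  bool is_html = true;
  std::string body_tag;  // "FRAMESET", "BODY", or "" for no body element
  bool IsHTMLDocument() const { return is_html; }
  MockElement Body() const {
    return body_tag.empty() ? MockElement{} : MockElement{&body_tag};
  }
};

// Assumed shape of the unguarded check: it trusts Body() to be non-empty.
bool IsPrintingFramesetUnguarded(const MockDocument& doc) {
  return doc.Body().TagName() == "FRAMESET";
}

// Guarded form following the fix description: require an HTML document and a
// non-null body before touching TagName().
bool IsPrintingFramesetGuarded(const MockDocument& doc) {
  if (!doc.IsHTMLDocument())
    return false;
  MockElement body = doc.Body();
  if (body.IsNull())
    return false;
  return body.TagName() == "FRAMESET";
}

// Runs the unguarded path on a document and reports how many null reads it
// performed (0 means that path would not have crashed on this input).
int NullReadsForUnguarded(const MockDocument& doc) {
  g_null_reads = 0;
  IsPrintingFramesetUnguarded(doc);
  return g_null_reads;
}

int main() {
  // Constructed inputs: a frameset page, an HTML document with no body yet,
  // and a non-HTML document (no body under the mock's assumption).
  MockDocument frameset{true, "FRAMESET"};
  MockDocument bodyless{true, ""};
  MockDocument svg{false, ""};

  std::cout << "frameset: guarded=" << IsPrintingFramesetGuarded(frameset)
            << " unguarded null reads=" << NullReadsForUnguarded(frameset) << "\n";
  std::cout << "bodyless: guarded=" << IsPrintingFramesetGuarded(bodyless)
            << " unguarded null reads=" << NullReadsForUnguarded(bodyless) << "\n";
  std::cout << "svg: guarded=" << IsPrintingFramesetGuarded(svg)
            << " unguarded null reads=" << NullReadsForUnguarded(svg) << "\n";
  return 0;
}
```

The guarded version bails out before the accessor chain reaches a method on an empty handle, which is exactly the difference between the regressing revision range and the fixed one; the counter shows that only the frameset input is safe for the unguarded path, while both the body-less HTML document and the non-HTML document would have hit the null read.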
Jan 10

ClusterFuzz has detected this issue as fixed in range 621318:621341.

Detailed report: https://clusterfuzz.com/testcase?key=5666148380835840
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::WebElement::TagName
  printing::IsPrintingFrameset
  printing::PrintRenderFrameHelper::Print
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=621060:621062
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=621318:621341
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5666148380835840
Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 10

ClusterFuzz testcase 5666148380835840 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 9. Labels: Test-Predator-Auto-Components