Issue 962088 in chromium: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions


ClusterFuzz via monorail

May 11, 2019, 12:33:38 PM
to editi...@chromium.org
Updates:
Components: Blink>Editing
Labels: Test-Predator-Auto-Components

Comment #1 on issue 962088 by ClusterFuzz: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions
https://bugs.chromium.org/p/chromium/issues/detail?id=962088#c1

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

--
You received this message because:
1. A rule CC'd you on the issue
2. You are auto-CC'd on all issues in component Blink>Editing

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment or make updates.

sheriffbot via monorail

May 12, 2019, 9:50:50 AM
to editi...@chromium.org
Updates:
Labels: ReleaseBlock-Stable

Comment #3 on issue 962088 by sheri...@chromium.org: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions
https://bugs.chromium.org/p/chromium/issues/detail?id=962088#c3

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

vakh via monorail

May 13, 2019, 7:37:09 PM
to editi...@chromium.org
Updates:
Cc: yo...@chromium.org
Owner: xiaoc...@chromium.org
Status: Assigned

Comment #5 on issue 962088 by va...@chromium.org: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions
https://bugs.chromium.org/p/chromium/issues/detail?id=962088#c5

(No comment was entered for this change.)

ClusterFuzz via monorail

May 14, 2019, 10:54:38 AM
to editi...@chromium.org

Comment #6 on issue 962088 by ClusterFuzz: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions
https://bugs.chromium.org/p/chromium/issues/detail?id=962088#c6

ClusterFuzz has detected this issue as fixed in range 659284:659286.

Detailed report: https://clusterfuzz.com/testcase?key=5189402127630336

Fuzzer: bj_broddelwerk
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x25500a230130
Crash State:

Bad-cast to blink::LayoutObject from invalid vptr
blink::EndsOfNodeAreVisuallyDistinctPositions
blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > blink::M

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=658680:658687
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=659284:659286

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5189402127630336

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz via monorail

May 14, 2019, 11:02:54 AM
to editi...@chromium.org
Updates:
Labels: ClusterFuzz-Verified
Status: Verified

Comment #7 on issue 962088 by ClusterFuzz: Bad-cast to blink::LayoutObject from invalid vptr in blink::EndsOfNodeAreVisuallyDistinctPositions
https://bugs.chromium.org/p/chromium/issues/detail?id=962088#c7

ClusterFuzz testcase 5189402127630336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.