Status: Fixed
Closed: Nov 2014
OS: All
Pri: 1
Type: Bug-Security

Stack-buffer-overflow in _XData32
Project Member Reported by, Oct 30 2014
Detailed report:

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_asan_chrome_media

Crash Type: Stack-buffer-overflow READ 8
Crash Address: 0x7f5cc094c2c0
Crash State:

Unminimized Testcase:

Filer: inferno
Status: Assigned
This was found by both Attekett's and Christoph's fuzzers at the same time. Probably a reward split.
Project Member Comment 2 by, Oct 30 2014
Labels: Pri-1
Status: Started
CL is up at
inferno@, is there a good way of checking whether a particular CL fixes the reported issue?
Sorry, but this report (see Reproducible:no in the report) was a one-time crasher. We just have to go with a speculative fix. We will reopen if we see the stack again. With 4000 bots, there is a high chance we rehit it quickly.
Status: Fixed
Project Member Comment 6 by, Nov 3 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on

- Your friendly ClusterFuzz
Project Member Comment 7 by, Nov 3 2014
The following revision refers to this bug:

commit f09a3116b3c3bff8d4c98dd65d659471a7eeff6f
Author: pkotwicz <>
Date: Sun Nov 02 22:24:50 2014

Pass in long to XChangeProperty() instead of an int when using format=32

BUG= 428557 

Review URL:

Cr-Commit-Position: refs/heads/master@{#302404}
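Added illustration of the point in the commit message above (this is not Chromium's or Xlib's code): with format=32, Xlib's marshaller reads the property data as an array of C `long`, so a buffer of 32-bit `int` is half the size Xlib expects and the read runs off the end of the caller's stack array. The helper names (`xprop_bytes_read`, `xprop_buffer_ok`, `widen_to_long`, `pack_format32`) are assumptions chosen for the example; `pack_format32` mirrors the per-element truncation the marshaller performs and is not the real `_XData32`.

```c
/* Added example, not part of the original bug report or the Chromium fix. */
#include <stddef.h>
#include <stdint.h>

/* Bytes Xlib will read from the caller's buffer for `nelements` of the
 * given format: format 8 -> char, 16 -> short, 32 -> long (not int32_t). */
size_t xprop_bytes_read(int format, size_t nelements)
{
    switch (format) {
    case 8:  return nelements;
    case 16: return nelements * sizeof(short);
    case 32: return nelements * sizeof(long);   /* 8 bytes per element on LP64 */
    default: return 0;                          /* invalid format */
    }
}

/* 1 if a buffer of `buf_bytes` covers the read Xlib will perform, else 0.
 * On LP64, 4 ints (16 bytes) with format=32 fails: Xlib reads 32 bytes. */
int xprop_buffer_ok(int format, size_t nelements, size_t buf_bytes)
{
    size_t need = xprop_bytes_read(format, nelements);
    return need != 0 && buf_bytes >= need;
}

/* The shape of the fix: widen 32-bit values into a long array before
 * passing them as data for format=32. Returns elements written, 0 if the
 * destination is too small. */
size_t widen_to_long(const uint32_t *in, size_t n, long *out, size_t out_cap)
{
    if (n > out_cap)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (long)in[i];
    return n;
}

/* What the marshaller does with a correctly typed buffer: consume one
 * `long` per element and emit its low 32 bits on the wire. With an int
 * array as input, each `long` read would straddle two ints and the last
 * reads would fall past the end of the array (the reported over-read). */
void pack_format32(const long *data, size_t nelements, uint32_t *wire)
{
    for (size_t i = 0; i < nelements; i++)
        wire[i] = (uint32_t)data[i];
}
```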


Labels: -Merge-Triage Release-0-M40 Security_Impact-Stable
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7941
Fuzzer collision! It's $1000 for the bug here, plus $500 for each of your fuzzers. As you both found it, we'll split the $1000 and give you $500 each, so that works out to be $1000 to each of you.

Note for future self: $1000 to attekett, $1000 to Christoph.
Project Member Comment 10 by, Feb 9 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Reward payment made to attekett@ - leaving "reward-inprocess" label on for Christoph.
Labels: -reward-inprocess
Payment to Christoph sent. Removing in-process label.
Project Member Comment 14 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 15 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic