Issue metadata
Use-of-uninitialized-value in woff2::ConvertWOFF2ToTTF
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4526031242788864
Fuzzer: meacer_chromebot_extensions
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  ==1==WARNING:
  woff2::ConvertWOFF2ToTTF
  woff2::ConvertWOFF2ToTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=386531:386650
Minimized Testcase (123.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96l2ZrN0Vf5CG2q0pPlYG6a3yNZjRhpWLTv6xQiGsnS8pFWi2FVvcDgDx9gKeqh9b60idklX4zORur-uwxk29QAVh_zaxKTaIe_V01jIVR9P9wwXga6t6vTIAestkGBy9nUotrfcAelSB209qNMSbe_D0N8hRaFfddSl3lPt0bhVqGrdNQ
Filer: mbarbella
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 28 2016
Is a fuzzing target possible for woff2::ConvertWOFF2ToTTF? If so, please add one as the regression test (see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md).

Apr 29 2016
This medium+ severity security issue is a regression on trunk. Please fix this asap. If you are unable to look into this soon, please revert your change. - Your friendly ClusterFuzz
Apr 29 2016

Apr 29 2016

Apr 29 2016
I don't believe we call ConvertTTFToWOFF2 in chromium, but a fuzzing target for ConvertWOFF2ToTTF would be awesome.
Apr 29 2016
My code for ConvertWOFF2ToTTF:

#include <cstddef>
#include <cstdint>
// plus the header that declares ComputeWOFF2FinalSize and ConvertWOFF2ToTTF

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // Size of the decoded TTF as reported by the decoder from the WOFF2 header.
  size_t final_size = third_party::woff::ComputeWOFF2FinalSize(data, size);
  // fprintf(stderr, "final_size %zd\n", final_size);
  // Skip inputs that claim no output or more than 1 MiB of output.
  if (!final_size || final_size > (1 << 20)) return 0;
  // Output buffer (not zeroed); the decoder is expected to fill it.
  uint8_t *result = new uint8_t[final_size];
  third_party::woff::ConvertWOFF2ToTTF(result, final_size, data, size);
  delete [] result;
  return 0;
}
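A stand-alone version of the same harness shape, added here as an example; it is not code from the thread or from the woff2 library. The namespace woff2_example, ConvertStub, MakeHeader and RunOneInput are hypothetical stand-ins. The header constants follow the WOFF2 file format (48-byte fixed header, totalSfntSize at byte offset 16), and ComputeFinalSize models what the library helper reports, namely that field. The example keeps the two things a reviewer looks for in such a target: the claimed output size is bounded before anything is allocated, and the decoder writes every byte of the output it promises.

```cpp
// Added example: libFuzzer-style target around a stand-in WOFF2 decoder.
// Not the posted harness and not the woff2 library; names below are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

namespace woff2_example {

// WOFF2 header layout: fixed header is 48 bytes; totalSfntSize (the decoded
// TTF size the file claims) is the uint32 at byte offset 16.
constexpr size_t kHeaderSize = 48;
constexpr size_t kTotalSfntSizeOffset = 16;
constexpr uint32_t kSignature = 0x774F4632;  // 'wOF2'
constexpr size_t kMaxFinalSize = 1u << 20;    // 1 MiB cap, as in the posted harness

uint32_t ReadU32BE(const uint8_t* p) {
  return (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
         (uint32_t{p[2]} << 8) | uint32_t{p[3]};
}

void WriteU32BE(uint8_t* p, uint32_t v) {
  p[0] = uint8_t(v >> 24);
  p[1] = uint8_t(v >> 16);
  p[2] = uint8_t(v >> 8);
  p[3] = uint8_t(v);
}

// Models the library helper: report the header's totalSfntSize, or 0 when the
// input is too short to contain that field.
size_t ComputeFinalSize(const uint8_t* data, size_t size) {
  if (size < kTotalSfntSizeOffset + 4) return 0;
  return ReadU32BE(data + kTotalSfntSizeOffset);
}

// The allocation guard: totalSfntSize is input-controlled, so without a bound
// a single file could drive a multi-gigabyte allocation in the harness.
bool AcceptFinalSize(size_t final_size) {
  return final_size != 0 && final_size <= kMaxFinalSize;
}

// Stand-in decoder (hypothetical, not woff2::ConvertWOFF2ToTTF). Checks the
// signature and header length, insists the caller's buffer matches the
// claimed size, then writes every output byte so nothing uninitialized
// reaches the caller.
bool ConvertStub(uint8_t* result, size_t result_length,
                 const uint8_t* data, size_t size) {
  if (size < kHeaderSize || ReadU32BE(data) != kSignature) return false;
  if (ComputeFinalSize(data, size) != result_length) return false;
  if (result_length < 4) return false;  // a TTF starts with a 4-byte sfnt tag
  std::memset(result, 0, result_length);
  std::memcpy(result, data + 4, 4);  // pass the 'flavor' (sfnt version) through
  return true;
}

// Outcome of one fuzz iteration, exposed so each step can be checked.
enum Outcome { kRejectedSize = 0, kDecodeFailed = 1, kDecoded = 2 };

Outcome RunOneInput(const uint8_t* data, size_t size) {
  size_t final_size = ComputeFinalSize(data, size);
  if (!AcceptFinalSize(final_size)) return kRejectedSize;
  // Deliberately not zero-filled, like the posted harness: under MSan a
  // decoder that reads output bytes it never wrote is reported, not masked.
  std::unique_ptr<uint8_t[]> result(new uint8_t[final_size]);
  return ConvertStub(result.get(), final_size, data, size) ? kDecoded
                                                           : kDecodeFailed;
}

// Constructed test input: a 48-byte header claiming the given totalSfntSize.
std::vector<uint8_t> MakeHeader(uint32_t total_sfnt_size) {
  std::vector<uint8_t> h(kHeaderSize, 0);
  WriteU32BE(&h[0], kSignature);
  WriteU32BE(&h[4], 0x00010000);  // flavor: TrueType outlines
  WriteU32BE(&h[kTotalSfntSizeOffset], total_sfnt_size);
  return h;
}

}  // namespace woff2_example

// Entry point in the shape libFuzzer calls; returns 0 by convention.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  woff2_example::RunOneInput(data, size);
  return 0;
}
```

RunOneInput allocates with new[] rather than a zero-filled std::vector on purpose: zeroing the output buffer in the harness would hide exactly the class of decoder bug this report is about, a read of memory the decoder never wrote.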
Apr 29 2016

May 5 2016

Could I get a copy of the minimized test case? I can't access it via the link provided.
May 5 2016

Note that these are not inputs to the woff2 library, but inputs to the entire Chrome.
May 9 2016
Sorry for taking days to start investigation because of holidays. The regression range reported in the bug description was 386531:386650. This contains my change r386643 that actually introduced this error. But the issue was fixed at r388459. I just kicked 'Redo' with 'Fixed' in the report page. Is this enough to confirm if the issue is correctly fixed? Let me assign back to mbarbella@. mbarbella@, if trunk still has the same issue, I'll investigate again. Feel free to reassign.
May 9 2016

ClusterFuzz has detected this issue as fixed in range 388458:388479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4526031242788864
Fuzzer: meacer_chromebot_extensions
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  ==1==WARNING:
  woff2::ConvertWOFF2ToTTF
  woff2::ConvertWOFF2ToTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=386531:386650
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=388458:388479
Minimized Testcase (123.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96l2ZrN0Vf5CG2q0pPlYG6a3yNZjRhpWLTv6xQiGsnS8pFWi2FVvcDgDx9gKeqh9b60idklX4zORur-uwxk29QAVh_zaxKTaIe_V01jIVR9P9wwXga6t6vTIAestkGBy9nUotrfcAelSB209qNMSbe_D0N8hRaFfddSl3lPt0bhVqGrdNQ
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 9 2016
Marking as fixed based on c#11 and c#12.
May 9 2016

May 10 2016

Aug 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016

Comment 1 by mbarbe...@chromium.org, Apr 28 2016
Owner: toyoshim@chromium.org
Status: Assigned (was: Available)
Summary: Use-of-uninitialized-value in woff2::ConvertWOFF2ToTTF (was: Use-of-uninitialized-value in ==1==WARNING:)