New issue
Advanced search Search tips

Issue 607722 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner: ----
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in void v8::internal::String::WriteToFlat<unsigned short>

Project Member Reported by ClusterFuzz, Apr 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5984162959327232

Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x62e000022137
Crash State:
  void v8::internal::String::WriteToFlat<unsigned short>
  v8::internal::GenericStringUtf16CharacterStream::FillBuffer
  v8::internal::BufferedUtf16CharacterStream::ReadBlock
  
Recommended Security Severity: Medium

Regressed: V8: r35710:35711

Minimized Testcase (2.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94HWu_Y1t-vHMoVrimUQuTCyF-NSoBoJsU84km_KFHK5szcP3brcHu7oSR9uuIki_dR1-CBPrp5KeeYDStVnrySsolBmaFyMD-yNwitWeVXBhDi2UAbLWYK9q_0IjMyGZbOK37yJpCx2mwMJe_0ipWf5zUXwg

Filer: mbarbella

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ishell@chromium.org mstarzinger@chromium.org
+v8 clusterfuzz sheriffs

The regression range seems odd on this one, so it could be a blink change that led to this.
Project Member

Comment 2 by ClusterFuzz, Apr 29 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5984162959327232

Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x62e000022137
Crash State:
  void v8::internal::String::WriteToFlat<unsigned short>
  v8::internal::GenericStringUtf16CharacterStream::FillBuffer
  v8::internal::BufferedUtf16CharacterStream::ReadBlock
  
Recommended Security Severity: Medium

Regressed: V8: r35710:35711

Minimized Testcase (2.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94HWu_Y1t-vHMoVrimUQuTCyF-NSoBoJsU84km_KFHK5szcP3brcHu7oSR9uuIki_dR1-CBPrp5KeeYDStVnrySsolBmaFyMD-yNwitWeVXBhDi2UAbLWYK9q_0IjMyGZbOK37yJpCx2mwMJe_0ipWf5zUXwg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 3 by ClusterFuzz, Apr 29 2016

Labels: Pri-1
Project Member

Comment 4 by ClusterFuzz, May 2 2016

Labels: Missing_Owner-1

Comment 5 by f...@chromium.org, May 6 2016

Status: Fixed (was: Available)
Project Member

Comment 6 by ClusterFuzz, May 6 2016

Labels: Merge-NA
Project Member

Comment 7 by sheriffbot@chromium.org, May 6 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 12 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment