Probably a bug with how GURL handles filesystem: URLs, as they are special-cased and sufficiently weird 

Also note it is memorial day in the US, so there probably won't be movement on this bug until tomorrow.

eroman@, I wonder if you (or someone) can prepare a smaller fuzz_test that triggers this bug (in the hope to find more)? 
We already have testing/libfuzzer/fuzzers/url_parse_fuzzer.cc but it does not cover GURL::ReplaceComponents

How did we find this, did we add dictionaries here ? Really excited about more bugs we can find in net/ land.

This was found by a fuzzer of net's top-level URLRequest object - it simulates network responses at the socket layer, so goes through most layers of the network stack (Doesn't mock out SSL yet, so no HTTP2, unfortunately, and no QUIC, among other things it misses).  It does use a dictionary with HTTP headers.

Note that I'm taking the day off, so I won't get to digging into this until tomorrow.

RE comment #4: Yes such a fuzzer would be a good idea

So the issue here is "inner_url" is completely borked in ReplaceComponents - first off, we mix the original URL string with the length of the new URL string when creating it, so if the new string is longer, we get this crash.

Secondly, we don't seem to be setting the string properly.  At least I assume the "inner URL" of "filesystem:http://www.google.com/foo" is suppose to be "http://www.google.com/foo" and not "filesystem:http://www.google.com/foo" - right now it's the latter, so inner_url seems to always (?) be the same as URL.  Bizarrely, we don't have a single test for inner_url(), so I'm not completely sure if this is expected behavior or not (Note that this isn't just done in the case of Replacements - without replacements, they're always the same as well.  PathForRequest, however, is different, so maybe it is expected behavior).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/73cea7e4afe9d7ffc45cecc80da954a481bbb48d

commit 73cea7e4afe9d7ffc45cecc80da954a481bbb48d
Author: mmenke <mmenke@chromium.org>
Date: Mon Jun 13 19:04:57 2016

Fix generation of inner_url in GURL::Replacements.

It was being created using a combination of the old and new URLs,
instead of just using the new URL.

BUG= 615820 

Review-Url: https://codereview.chromium.org/2029213002
Cr-Commit-Position: refs/heads/master@{#399501}

[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl.cc
[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl.h
[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl_unittest.cc

Requesting a merge due to the "Security_Severity-Medium" label.  I'm a bit skeptical if there's an actual exploit here, though suppose there could be, and the fix seems simple enough.

Matt, is it possible to write a fuzz target that can find this bug
(if the fix is reverted)?. 
If yes, I'd appreciate if you do it -- maybe we will find other bug(s) this way. 
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md

I'm not following.  This bug was found by a fuzzer.

It may make sense to write a fuzzer specifically for GURL::Replacements, but this particular bug already has fuzzer coverage.

This bug was found by a very generic fuzzer that calls GURL:* somewhere deep inside
and had very little chance to find this particular case (thanks to the scale of ClusterFuzz we've found it). 
Ideally, we should have GURL-specific fuzz target that can find this bug
(and maybe other similar ones) in seconds. 
Similar to testing/libfuzzer/fuzzers/url_parse_fuzzer.cc but for 
GURL::Replacements

The goal of doing this is not to re-detect this known (and fixed) bug but to find more. 
Or GURL::Replacements is too simple to contain more than one bug?

I'm not really all that familiar with GURL's guts, but in the rare cases I find myself looking at them, I find myself recoiling in horror.  I don't expect a fuzzer targetted at GURL::Replacements would be too difficult to write, but I really don't have the time to do it - I've spent maybe 3 days of the last 1 month on what is nominally my main project.  Perhaps someone more familiar with the idiosyncrasies of the class would be better suited to write a fuzzer.

Your change meets the bar and is auto-approved for M52 (branch: 2743)

ClusterFuzz has detected this issue as fixed in range 399465:399589.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815892353646592

Fuzzer: libfuzzer_net_url_request_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x608000019300
Crash State:
  copy
  std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<ch
  basic_string
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=390409:390594
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=399465:399589

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94tILTyCY-JpUm-6ZIxI-f44Ie1xNADAtr1rb1SPjC4ZXVUQICJjfRaLZJGfehO6I7-AJ9bf3h7q-Yi7aj6L6upjBNlj-ELjEJTtFSMCdRdaM2l5ZUz9OEnBB-urJPmYd-gbLMo9-OuI_Shp3c2hX4fhAtivA
7HTTPblobHTTPurm 308
�jhttpp:S)e
LocatioHTTur*
Location: ht�p:/�Set-Cookie: oUpgradeps://1.1/cur# 8?8�Diest)u;((O��gb
r/foo/e 307��SoDate:choo
Date:nSte-t-Bno-bkie: foo=arbtent-Encoding:�;:*p!)({u;):**L)�()brbHTTP/1.1 100 Continue

HTHTTP 308
Location: filesystem:hTTP: 3Close/bDate:ar:�'07'Loca�io\catnoi://HttpOoTP/1.1 100 Coninue
Set-Ctn�ooteokie: ofo=n: tpkie: s


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a586a4f1693ae618c191679d7c16a0de940db67d

commit a586a4f1693ae618c191679d7c16a0de940db67d
Author: Matt Menke <mmenke@chromium.org>
Date: Tue Jun 14 18:27:13 2016

Fix generation of inner_url in GURL::Replacements.

It was being created using a combination of the old and new URLs,
instead of just using the new URL.

BUG= 615820 

Review-Url: https://codereview.chromium.org/2029213002
Cr-Commit-Position: refs/heads/master@{#399501}
(cherry picked from commit 73cea7e4afe9d7ffc45cecc80da954a481bbb48d)

Review URL: https://codereview.chromium.org/2062183002 .

Cr-Commit-Position: refs/branch-heads/2743@{#352}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl.cc
[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl.h
[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/73cea7e4afe9d7ffc45cecc80da954a481bbb48d

commit 73cea7e4afe9d7ffc45cecc80da954a481bbb48d
Author: mmenke <mmenke@chromium.org>
Date: Mon Jun 13 19:04:57 2016

Fix generation of inner_url in GURL::Replacements.

It was being created using a combination of the old and new URLs,
instead of just using the new URL.

BUG= 615820 

Review-Url: https://codereview.chromium.org/2029213002
Cr-Commit-Position: refs/heads/master@{#399501}

[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl.cc
[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl.h
[modify] https://crrev.com/73cea7e4afe9d7ffc45cecc80da954a481bbb48d/url/gurl_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a586a4f1693ae618c191679d7c16a0de940db67d

commit a586a4f1693ae618c191679d7c16a0de940db67d
Author: Matt Menke <mmenke@chromium.org>
Date: Tue Jun 14 18:27:13 2016

Fix generation of inner_url in GURL::Replacements.

It was being created using a combination of the old and new URLs,
instead of just using the new URL.

BUG= 615820 

Review-Url: https://codereview.chromium.org/2029213002
Cr-Commit-Position: refs/heads/master@{#399501}
(cherry picked from commit 73cea7e4afe9d7ffc45cecc80da954a481bbb48d)

Review URL: https://codereview.chromium.org/2062183002 .

Cr-Commit-Position: refs/branch-heads/2743@{#352}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl.cc
[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl.h
[modify] https://crrev.com/a586a4f1693ae618c191679d7c16a0de940db67d/url/gurl_unittest.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot