Issue 616352 link

Starred by 0 users

Issue metadata

Status:	Fixed
Owner:	esprehn@chromium.org
Closed:	Jun 2016
Cc:	attek...@gmail.com
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug-Security
Merge-na Reproducible Stability-Memory-AddressSanitizer External-Fuzzer-Contribution reward-0 Security_Severity-Medium Security_Impact-Head allpublic Clusterfuzz

Heap-buffer-overflow in blink::concatenateFamilyName

Project Member Reported by ClusterFuzz, Jun 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483771499216896

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x61000001e5fc
Crash State:
  blink::concatenateFamilyName
  blink::CSSPropertyParser::parseFontFaceDescriptor
  blink::CSSPropertyParser::parseValue
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=396459:396493

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NQhfQSzxUhz32iv5Di_E7-vyiuEhds07956wZqSk2wIXjKxgXxTRDUcC1DkjdBQ8pgbNrst6o82L9dvQ34kIUZiBHqEES4V4klk14ioJWakU8PUlqD_P3_23NxRN3fEb-JPAHxH57Ca2wlD9N_f5zt7gJ2w
<style>@font-face{font-family:'myfont';src:local(Courier);unicode-r�p+H�~��ode-range:U+062-60;


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by infe...@chromium.org, Jun 1 2016

Owner: esprehn@chromium.org
Status: Fixed (was: Available)

We are hitting this regression a lot. Looks like regression from https://chromium.googlesource.com/chromium/src//+/330deea56e27bc760fa52101040a51428bb7f582, but already reverted in https://codereview.chromium.org/2025503002/.

Comment 2 by esprehn@chromium.org, Jun 1 2016

Sorry, I screwed up my assert and there's a buffer overflow in there since I call lengthOfNullTermiantedString() on non-null terminated UChar*'s. It was fixed and relanded today. Let me know if things show up again.

Comment 3 by aarya@google.com, Jun 1 2016

Thanks Elliot for the fix, will let you know if things still remain.

Project Member

Comment 4 by ClusterFuzz, Jun 1 2016

Labels: Merge-NA

Project Member

Comment 5 by sheriffbot@chromium.org, Jun 1 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 6 by ClusterFuzz, Jun 1 2016

ClusterFuzz has detected this issue as fixed in range 396634:396810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483771499216896

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x61000001e5fc
Crash State:
  blink::concatenateFamilyName
  blink::CSSPropertyParser::parseFontFaceDescriptor
  blink::CSSPropertyParser::parseValue
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=396459:396493
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=396634:396810

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NQhfQSzxUhz32iv5Di_E7-vyiuEhds07956wZqSk2wIXjKxgXxTRDUcC1DkjdBQ8pgbNrst6o82L9dvQ34kIUZiBHqEES4V4klk14ioJWakU8PUlqD_P3_23NxRN3fEb-JPAHxH57Ca2wlD9N_f5zt7gJ2w
<style>@font-face{font-family:'myfont';src:local(Courier);unicode-r�p+H�~��ode-range:U+062-60;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by awhalley@chromium.org, Jul 6 2016

Labels: -reward-topanel reward-0

Sorry to say that this was found before to this fuzzer hitting it, so no reward given.

Project Member

Comment 8 by sheriffbot@chromium.org, Sep 7 2016

Labels: -Restrict-View-SecurityNotify

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 9 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 10 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Project Member

Comment 12 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

►

Issue 616352 link

Issue metadata

Heap-buffer-overflow in blink::concatenateFamilyName

Issue description

Comment 1 by infe...@chromium.org, Jun 1 2016

Comment 1 Deleted

Comment 2 by esprehn@chromium.org, Jun 1 2016

Comment 2 Deleted

Comment 3 by aarya@google.com, Jun 1 2016

Comment 3 Deleted

Comment 4 by ClusterFuzz, Jun 1 2016

Comment 4 Deleted

Comment 5 by sheriffbot@chromium.org, Jun 1 2016

Comment 5 Deleted

Comment 6 by ClusterFuzz, Jun 1 2016

Comment 6 Deleted

Comment 7 by awhalley@chromium.org, Jul 6 2016

Comment 7 Deleted

Comment 8 by sheriffbot@chromium.org, Sep 7 2016

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Oct 1 2016

Comment 9 Deleted

Comment 10 by sheriffbot@chromium.org, Oct 2 2016

Comment 10 Deleted

Comment 11 by mbarbe...@chromium.org, Oct 2 2016

Comment 11 Deleted

Comment 12 by sheriffbot@chromium.org, Jul 28

Comment 12 Deleted

Sign in to add a comment