It looks like you're trying to allocated a million by

Looks like your message was cut off, not sure if there was a question there. Yes,the scenario includes a 1MB-ish buffer as one of the inputs.

Only the first 9 bytes of the shared memory buffer are mapped into view. The same buffer is used for two BlobItemBytesRequests. The first request is for 9 bytes so only the first 9 bytes are mapped. The second request tries to write 1Mbytes to the unmapped area beyond the first 9 bytes and crashes.


      case IPCBlobItemRequestStrategy::SHARED_MEMORY: {
        responses.push_back(BlobItemBytesResponse(request.request_number));
        DCHECK_LT(request.handle_index, memory_handles->size())
            << "Invalid handle index.";
        SharedMemory* memory = opened_memory[request.handle_index];
        if (!memory) {
          SharedMemoryHandle& handle = (*memory_handles)[request.handle_index];
          DCHECK(SharedMemory::IsHandleValid(handle));
          std::unique_ptr<SharedMemory> shared_memory(
              new SharedMemory(handle, false));

          if (!shared_memory->Map(request.size)) {
            // This would happen if the renderer process doesn't have enough
            // memory to map the shared memory, which is possible if we don't
            // have much memory. If this scenario happens often, we could delay
            // the response until we have enough memory.  For now we just fail.
            CHECK(false) << "Unable to map shared memory to send blob " << uuid
                         << ".";
            return;
          }
          memory = shared_memory.get();
          opened_memory[request.handle_index] = shared_memory.release();
        }
        CHECK(memory->memory()) << "Couldn't map memory for blob transfer.";
        ReadStatus status = consolidation->ReadMemory(
            request.renderer_item_index, request.renderer_item_offset,
            request.size,
            static_cast<char*>(memory->memory()) + request.handle_offset);
        DCHECK(status == ReadStatus::OK)
            << "Error reading from consolidated blob: "
            << static_cast<int>(status);
        break;
      }

We may want to merge the fix for this to stable?

The reason the test didn't catch this is because we previously mapped the memory in the test so we could read from it later. Patch incoming.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8731540b822e48124e782a976ef5d44632757a29

commit 8731540b822e48124e782a976ef5d44632757a29
Author: dmurph <dmurph@chromium.org>
Date: Tue Jun 21 18:43:16 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}

[modify] https://crrev.com/8731540b822e48124e782a976ef5d44632757a29/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/8731540b822e48124e782a976ef5d44632757a29/content/child/blob_storage/blob_transport_controller_unittest.cc

 Issue 619368  has been merged into this issue.

[Automated comment] Request affecting a post-stable build (M51), manual review required.

Your change meets the bar and is auto-approved for M52 (branch: 2743)

[Automated comment] Request affecting a post-stable build (M51), manual review required.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1763362b4662d9c8499b5725461da783659cacac

commit 1763362b4662d9c8499b5725461da783659cacac
Author: Daniel Murphy <dmurph@chromium.org>
Date: Wed Jun 22 20:30:21 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}
(cherry picked from commit 8731540b822e48124e782a976ef5d44632757a29)

Review URL: https://codereview.chromium.org/2094493002 .

Cr-Commit-Position: refs/branch-heads/2743@{#448}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/1763362b4662d9c8499b5725461da783659cacac/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/1763362b4662d9c8499b5725461da783659cacac/content/child/blob_storage/blob_transport_controller_unittest.cc

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

re-openning, as we need stable merge still

Pri-0 bugs are critical regressions or serious emergencies, and this bug has not been updated in three days. Could you please provide an update, or adjust the priority to a more appropriate level if applicable?

If a fix is in active development, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 623993  has been merged into this issue.

Approving merge to M51 branch 2704 based on comment #13 and #14. Please merge ASAP.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ad99e08f3122f5a5b2512b9acec4e981b3072d6

commit 3ad99e08f3122f5a5b2512b9acec4e981b3072d6
Author: Daniel Murphy <dmurph@chromium.org>
Date: Wed Jul 06 18:39:20 2016

[BlobAsync] Fixed shared memory mapping

The test was designed to catch this case, but because the memory was mapped before we sent it to the class, the incorrect call to Map was a no-op. Test has been fixed.

BUG= 619217 

Review-Url: https://codereview.chromium.org/2086033002
Cr-Commit-Position: refs/heads/master@{#401053}
(cherry picked from commit 8731540b822e48124e782a976ef5d44632757a29)

Review URL: https://codereview.chromium.org/2094493002 .

Cr-Commit-Position: refs/branch-heads/2743@{#448}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}
(cherry picked from commit 1763362b4662d9c8499b5725461da783659cacac)

Review URL: https://codereview.chromium.org/2125913003 .

Cr-Commit-Position: refs/branch-heads/2704@{#730}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/3ad99e08f3122f5a5b2512b9acec4e981b3072d6/content/child/blob_storage/blob_transport_controller.cc
[modify] https://crrev.com/3ad99e08f3122f5a5b2512b9acec4e981b3072d6/content/child/blob_storage/blob_transport_controller_unittest.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot