Heap-buffer-overflow in u16_u8
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5520058793328640

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x608000009ef8
Crash State:
  u16_u8
  Hunspell::mkinitcap
  Hunspell::suggest

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401002:401127

Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96-Onew44vdwTn_gq19R1runJsdl5uX14ZMq5Gutohd2D2-PmVTo-bGg7tw2HDg3ot3MfZARtJu725pLIoCeMgt0rhIqtq0dBZgwqU-BnrE-Ts4rkI_c7_OLb1PDLhTJU1O5x5VND87iBPdAPdg8cGLdOWtuQ?testcase_id=5520058793328640

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 22 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 23 2016
See previous comments on bug #622196 comment 5. In essence - the only way to fix this short term is to disable hunspell
Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Jun 28 2016
M53 is branching this week and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Jul 1 2016
M53 is branched today (2785) and will be promoted to Beta this month. Your bug is labelled as Beta ReleaseBlock, pls make sure to land and merge the fix to M53 branch 2785 by 5:00 PM PST on Friday 07/22 (sooner the better so it gets a chance to bake in M53 dev releases itself). Thank you.
Jul 7 2016
groby: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2016
Can't build fuzzer on OSX. Created a manual test case[1], but that unfortunately doesn't crash, so still can't debug what's happening. Should I be able to run fuzzer on OSX? [1]https://codereview.chromium.org/2136333003/
Jul 12 2016
OK, here's the status so far. It begins with the fuzzer creating invalid utf8. If you look at the testcase, byte 15 has the value 0xbd - that's an invalid utf8 encoding. Hunspell::suggest then calls Hunspell::mkinitcap, which is capitalizing the first letter. By converting it to UTF16, capitalizing the first letter, and converting back to UTF8. (I don't even). Even better, it's trying to do that in place. Which would work, except 0xbd turns into 0xfffd (Unicode's "invalid char") when going to UTF16, and then into the two-byte sequence 0xff 0xfd when going back to UTF8. It's added a character, and so goes past the end. The "proper" fix would be to validate that Hunspell::suggest rejects words with invalid UTF8 encoding. Practically, that's already guaranteed - its only caller reencodes the string into UTF8, and so we'll never encounter improper encoding in the wild. I'm leaving it open for now, but definitely not Releaseblocker
Jul 13 2016
Notes for the future - the direct fix would be updating mkinitcap to limit the output buffer to strlen(input)+1. It's a hack in terms of proper character handling, but prohibits any possible overflow. Other fixes would sanitize Hunspell's input, but I don't think we should do that - Hunspell already assumes sanitized input, for performance reasons. If we want to sanitize, the easiest fix would be in Hunspell::suggest, after calling cleanword2 and checking wl == 0:

    #if HUNSPELL_CHROME_CLIENT
      // Always utf8, no separate path needed.
      u16_u8(cw, MAXWORDUTF8LEN, unicw, nc);
      wl = strlen(cw);
      if (wl == 0)
        return 0;
    #endif

Which basically replaces the "clean" word with a UTF8-sanitized version of the clean word. (Otherwise, if you pass in e.g. 0xbd, it'll operate under the assumption that the word is only one char, and then the later mkinitcap blows up horribly, because it generates 3 bytes.) Another alternative would be modifying get_captype_utf8 to always return NOCAP if it encounters invalid unicode, so it'd avoid an unsafe routine.
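The round trip described in the two comments above, as an added C model that is not Hunspell's code: a lenient decoder turns the stray byte 0xbd into U+FFFD, which re-encodes as three UTF-8 bytes, so writing the result back into a buffer sized for the one-byte input overflows; initcap_bounded applies the strlen(input)+1 bound proposed above and returns -1 instead of writing past the end. The names decode_one, encode_one and initcap_bounded are assumed for this example, not Hunspell's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one UTF-8 sequence (ASCII, well-formed 2- or 3-byte forms).  Anything else,
 * e.g. the stray byte 0xBD in the testcase, becomes U+FFFD as a lenient u8->u16
 * conversion does.  Returns the number of input bytes consumed (always >= 1). */
static size_t decode_one(const unsigned char *s, size_t n, uint32_t *cp) {
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && n >= 2 && (s[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return 2;
    }
    if ((s[0] & 0xF0) == 0xE0 && n >= 3 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x0F) << 12) | ((uint32_t)(s[1] & 0x3F) << 6) | (s[2] & 0x3F);
        return 3;
    }
    *cp = 0xFFFD;
    return 1;
}

/* UTF-8 length of a code point <= U+FFFF, and its encoding (caller checks the fit). */
static size_t utf8_len(uint32_t cp) { return cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3; }
static void encode_one(uint32_t cp, unsigned char *out) {
    if (cp < 0x80) { out[0] = (unsigned char)cp; return; }
    if (cp < 0x800) { out[0] = 0xC0 | (cp >> 6); out[1] = 0x80 | (cp & 0x3F); return; }
    out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F); out[2] = 0x80 | (cp & 0x3F);
}

/* UTF-8 -> code points -> UTF-8 with the first letter upper-cased (ASCII only here),
 * writing at most cap bytes including the terminator; returns the new length or -1
 * if it would not fit.  cap == strlen(word) + 1 models the buffer mkinitcap wrote
 * back into in place, and the check is the strlen(input)+1 bound: U+FFFD needs 3 bytes. */
int initcap_bounded(const char *word, char *out, size_t cap) {
    const unsigned char *s = (const unsigned char *)word;
    size_t n = strlen(word), i = 0, o = 0;
    while (i < n) {
        uint32_t cp;
        i += decode_one(s + i, n - i, &cp);
        if (o == 0 && cp < 0x80) cp = (uint32_t)toupper((int)cp);
        if (o + utf8_len(cp) + 1 > cap) return -1;   /* would overflow the buffer */
        encode_one(cp, (unsigned char *)out + o);
        o += utf8_len(cp);
    }
    out[o] = '\0';
    return (int)o;
}
```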
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6609313942732800

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60700000c8c7
Crash State:
  u16_u8
  Hunspell::mkinitcap
  Hunspell::suggest

Recommended Security Severity: High

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95uEu7ZpSV2rOrAgOgBEpGqAegPMI1lZqyx3khN2rRgbR0uM_Gf0kB1WtzYv2gCBYrPk2-7rrdh16RfbJqUFq9hLOypRPjDnetqGIj8EueNfubKgwCa-oVzg8hI-OFoSSG7Z3_lPwuIwgDzwUNgbQ3ImK5Asw?testcase_id=6609313942732800

Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414871:414881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5520058793328640

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x608000009ef8
Crash State:
  u16_u8
  Hunspell::mkinitcap
  Hunspell::suggest

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401002:401127
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414871:414881

Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96-Onew44vdwTn_gq19R1runJsdl5uX14ZMq5Gutohd2D2-PmVTo-bGg7tw2HDg3ot3MfZARtJu725pLIoCeMgt0rhIqtq0dBZgwqU-BnrE-Ts4rkI_c7_OLb1PDLhTJU1O5x5VND87iBPdAPdg8cGLdOWtuQ?testcase_id=5520058793328640

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414871:414881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6609313942732800

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60700000c8c7
Crash State:
  u16_u8
  Hunspell::mkinitcap
  Hunspell::suggest

Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414871:414881

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95uEu7ZpSV2rOrAgOgBEpGqAegPMI1lZqyx3khN2rRgbR0uM_Gf0kB1WtzYv2gCBYrPk2-7rrdh16RfbJqUFq9hLOypRPjDnetqGIj8EueNfubKgwCa-oVzg8hI-OFoSSG7Z3_lPwuIwgDzwUNgbQ3ImK5Asw?testcase_id=6609313942732800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 3 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jun 22 2016
Labels: Pri-1
Owner: groby@chromium.org