
Issue 625746

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
OS: Linux
Pri: 3
Type: Bug




Add a fuzzer for TemplateURLParser

Project Member Reported by dominicc@chromium.org, Jul 5 2016

Issue description

Open Search Description documents are parsed in the browser process; let's fuzz that given the trickiness of handling XML documents.
 
Cc: aizatsky@chromium.org
Labels: Restrict-View-SecurityTeam
Yay, Patch Set 2 at https://codereview.chromium.org/2123733002/ found a check while running locally:

[0708/145710:FATAL:template_url_data.cc(33)] Check failed: !short_name.empty().
#0 0x0000004817d1 __interceptor_backtrace
#1 0x00000493b74a base::debug::StackTrace::StackTrace()
#2 0x00000434d1e6 logging::LogMessage::~LogMessage()
#3 0x000003ea3291 TemplateURLData::SetShortName() 
#4 0x000003e1d9ac TemplateURLParsingContext::EndElementImpl()
#5 0x000008e5d6c6 xmlParseElement
#6 0x000008e5addb xmlParseContent
#7 0x000008e5e61a xmlParseElement
#8 0x000008e79d2e xmlParseDocument
#9 0x000008ea9083 xmlSAXUserParseMemory
#10 0x000003e253c7 TemplateURLParser::Parse()
#11 0x00000050b3ab LLVMFuzzerTestOneInput
#12 0x00000054eba5 fuzzer::Fuzzer::ExecuteCallback()
#13 0x00000054a9e7 fuzzer::Fuzzer::RunOne()
#14 0x00000054f0db fuzzer::Fuzzer::RunOneAndUpdateCorpus()
#15 0x0000005564a6 fuzzer::Fuzzer::MutateAndTestOne()
#16 0x000000558e1f fuzzer::Fuzzer::Loop()
#17 0x00000051460a fuzzer::FuzzerDriver()
#18 0x00000059064f main
#19 0x7f6d77efef45 __libc_start_main
#20 0x00000043dbd9 <unknown>

==121570== ERROR: libFuzzer: deadly signal
    #0 0x4e5e40  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x4e5e40)
    #1 0x541832  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x541832)
    #2 0x541746  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x541746)
    #3 0x5c0b87  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x5c0b87)
    #4 0x7f6d784c832f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
    #5 0x4937b97  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x4937b97)
    #6 0x434e5ee  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x434e5ee)
    #7 0x3ea3290  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x3ea3290)
    #8 0x3e1d9ab  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x3e1d9ab)
    #9 0x8e5d6c5  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x8e5d6c5)
    #10 0x8e5adda  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x8e5adda)
    #11 0x8e5e619  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x8e5e619)
    #12 0x8e79d2d  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x8e79d2d)
    #13 0x8ea9082  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x8ea9082)
    #14 0x3e253c6  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x3e253c6)
    #15 0x50b3aa  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x50b3aa)
    #16 0x54eba4  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x54eba4)
    #17 0x54a9e6  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x54a9e6)
    #18 0x54f0da  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x54f0da)
    #19 0x5564a5  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x5564a5)
    #20 0x558e1e  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x558e1e)
    #21 0x514609  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x514609)
    #22 0x59064e  (/usr/local/google/work/cb/src/out/libfuzzer/template_url_parser_fuzzer+0x59064e)
    #23 0x7f6d77efef44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
0xe3,0x55,0x72,0x6c,0xa7,0x3c,0x49,0x6d,0x61,0x67,0x65,0x3a,0x4f,0x70,0x65,0x6e,0x53,0x65,0x61,0x72,0x63,0x68,0x44,0x65,0x73,0x63,0x72,0x69,0x70,0x74,0x69,0x6f,0x6e,0x3e,0x61,0x72,0x63,0x68,0x50,0x75,0x3b,0x21,0x3c,0x51,0x67,0x53,0x68,0x3a,0x53,0x68,0x6f,0x72,0x74,0x4e,0x61,0x6d,0x65,0x2f,0x3e,0x3b,0x28,0x3b,0x4f,0x70,0x65,0x6e,0xb8,0x53,0x68,0x29,0x6f,0xa,0x53,0x28,0x21,0x3c,0x55,0x72,0x53,0x68,0x6f,0x72,0x74,0x4e,0x6c,0x4f,0x50,0xef,0xa9,0xa3,0x3a,0x53,0x50,0x61,0x72,0x61,0x6d,0x4f,0x70,0x28,0xe3,0x3b,0xe8,0x3a,0xb7,0x3c,0x3a,0x55,0x72,0x6c,0x4f,0x50,0xef,0xa9,0xa3,0x6f,0x53,0x68,0x6f,0x72,0x74,0x4e,0x53,0x68,0x6f,0x72,0x55,0x72,0x6c,0x4f,0x50,0xef,0xa9,0xa3,0x6f,0x61,0x72,0x63,0x68,0x50,0x6c,0x75,0x67,0x53,0x3e,0x3b,0x28,0x21,0x3c,0x55,0x21,0x6c,0x4f,0x50,0xef,0xa9,0xa3,0x6f,0x1,0x29,0x38,0x72,0x53,0x8,0xd,0x6f,0x55,0x55,0x72,0x53,0x65,0x6c,0x4f,0x50,0x6e,0x53,0x65,0xef,0xa9,0xa3,0x6f,0x16,0x68,0x49,0x54,0x61,0x72,0x63,0x68,0x44,0x65,0x73,0x63,0x72,0x69,0xa3,
\xe3Url\xa7<Image:OpenSearchDescription>archPu;!<QgSh:ShortName/>;(;Open\xb8Sh)o\x0aS(!<UrShortNlOP\xef\xa9\xa3:SParamOp(\xe3;\xe8:\xb7<:UrlOP\xef\xa9\xa3oShortNShorUrlOP\xef\xa9\xa3oarchPlugS>;(!<U!lOP\xef\xa9\xa3o\x01)8rS\x08\x0doUUrSelOPnSe\xef\xa9\xa3o\x16hITarchDescri\xa3
artifact_prefix='./'; Test unit written to ./crash-9fb6d3b1eeb6dc1e42eccab57514cb33dea1af2d
Base64: 41VybKc8SW1hZ2U6T3BlblNlYXJjaERlc2NyaXB0aW9uPmFyY2hQdTshPFFnU2g6U2hvcnROYW1lLz47KDtPcGVuuFNoKW8KUyghPFVyU2hvcnRObE9Q76mjOlNQYXJhbU9wKOM76Dq3PDpVcmxPUO+po29TaG9ydE5TaG9yVXJsT1DvqaNvYXJjaFBsdWdTPjsoITxVIWxPUO+po28BKThyUwgNb1VVclNlbE9QblNl76mjbxZoSVRhcmNoRGVzY3Jpow==

Attachment: crash-9fb6d3b1eeb6dc1e42eccab57514cb33dea1af2d (196 bytes)
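Reading the two traces together: libxml2 finishes an element (xmlParseElement), the SAX end-element callback TemplateURLParsingContext::EndElementImpl() hands the accumulated character data to TemplateURLData::SetShortName(), and that data is empty, so the `!short_name.empty()` check fires. The test unit contains the self-closing `<QgSh:ShortName/>`, which is exactly an element with no character data. The Base64 line decodes to 196 bytes, matching the attachment, and libFuzzer names the file after the SHA-1 of its contents. What follows is an added example, not Chromium's code and not part of this issue: a libFuzzer-style harness (the real `LLVMFuzzerTestOneInput` signature) around a toy OpenSearch ShortName extractor, with the fatal-check behaviour from the report next to a parser that fails the parse on an empty name instead of aborting the process. `ExtractShortNameText`, `TrimWhitespace`, `TemplateURLDataToy`, `ParseUnchecked`, `ParseChecked`, the wrappers and the sample documents are all constructed for illustration; the scanner does not use libxml2 and ignores namespace prefixes and attributes.

```cpp
// Added example, not Chromium code: a libFuzzer-style harness around a toy
// OpenSearch ShortName extractor. The scanner, the toy data object, both parse
// functions and the sample documents are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

// Constructed sample documents. The first mirrors what the crash artifact
// contains: a self-closing ShortName, so no character data is accumulated.
static const char kEmptyShortNameDoc[] =
    "<OpenSearchDescription><ShortName/></OpenSearchDescription>";
static const char kGoodDoc[] =
    "<OpenSearchDescription xmlns=\"http://a9.com/-/spec/opensearch/1.1/\">"
    "<ShortName>Example Search</ShortName>"
    "<Url type=\"text/html\" template=\"https://example.com/?q={searchTerms}\"/>"
    "</OpenSearchDescription>";

// Toy stand-in for SAX text accumulation: the character data between
// <ShortName> and </ShortName>. *found reports whether the element was seen.
// Namespace prefixes and attributes are deliberately not handled.
static std::string ExtractShortNameText(const std::string& doc, bool* found) {
  *found = false;
  const char kOpen[] = "<ShortName";
  size_t pos = doc.find(kOpen);
  if (pos == std::string::npos) return "";
  size_t after = pos + std::strlen(kOpen);
  if (after >= doc.size()) return "";
  char c = doc[after];
  if (c != '>' && c != '/' && c != ' ') return "";  // e.g. <ShortNameX>
  size_t tag_end = doc.find('>', after);
  if (tag_end == std::string::npos) return "";
  *found = true;
  if (doc[tag_end - 1] == '/') return "";  // <ShortName/>: no text at all
  size_t close = doc.find("</ShortName>", tag_end + 1);
  if (close == std::string::npos) return "";
  return doc.substr(tag_end + 1, close - tag_end - 1);
}

static std::string TrimWhitespace(const std::string& s) {
  size_t b = s.find_first_not_of(" \t\r\n");
  if (b == std::string::npos) return "";
  size_t e = s.find_last_not_of(" \t\r\n");
  return s.substr(b, e - b + 1);
}

// Toy data object with the invariant from the report: an empty short name is
// a fatal check, i.e. the process dies rather than storing bad data.
struct TemplateURLDataToy {
  std::string short_name;
  void SetShortName(const std::string& name) {
    if (name.empty()) {
      std::cerr << "Check failed: !short_name.empty()." << std::endl;
      std::abort();  // libFuzzer reports this as "deadly signal"
    }
    short_name = name;
  }
};

// "Before": the parser forwards whatever text it accumulated, so a document
// with <ShortName/> reaches the check and aborts. Do not fuzz this one.
bool ParseUnchecked(const std::string& doc, TemplateURLDataToy* out) {
  bool found = false;
  std::string text = ExtractShortNameText(doc, &found);
  if (!found) return false;
  out->SetShortName(text);  // aborts when text is empty
  return true;
}

// "After": validate before touching the data object. An absent, empty or
// all-whitespace ShortName is a parse failure, not a crash.
bool ParseChecked(const std::string& doc, TemplateURLDataToy* out) {
  bool found = false;
  std::string text = TrimWhitespace(ExtractShortNameText(doc, &found));
  if (!found || text.empty()) return false;
  out->SetShortName(text);
  return true;
}

// Convenience wrappers over the hardened parser.
bool AcceptsDocument(const std::string& doc) {
  TemplateURLDataToy out;
  return ParseChecked(doc, &out);
}
std::string ParsedShortName(const std::string& doc) {
  TemplateURLDataToy out;
  return ParseChecked(doc, &out) ? out.short_name : std::string();
}

// libFuzzer entry point (real signature): must return 0 and never crash or
// abort for any input. Build with clang -fsanitize=fuzzer,address to fuzz it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string doc(reinterpret_cast<const char*>(data), size);
  TemplateURLDataToy out;
  ParseChecked(doc, &out);
  return 0;
}

int main() {
  const char* docs[] = {kGoodDoc, kEmptyShortNameDoc, "<ShortName>  </ShortName>", ""};
  for (const char* d : docs) {
    std::string doc(d);
    std::cout << (AcceptsDocument(doc) ? "accepted: " + ParsedShortName(doc)
                                       : std::string("rejected")) << std::endl;
    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(doc.data()), doc.size());
  }
  return 0;
}
```

The point of the split is where the invariant is enforced: the data object may keep its fatal check, but the parser that sits between untrusted bytes and that object must reject an empty name itself, because a CHECK reachable from network-supplied XML in the browser process is a process kill, not a parse error. Fuzzing ParseUnchecked with the harness above would reproduce the "deadly signal" from the report on the very first self-closing ShortName the mutator produces.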

Comment 3 by kochi@chromium.org, Jan 15 2018

Status: Fixed (was: Started)
Looks like the initial patch landed, and the owner is no longer active.
Closing as Fixed.

Comment 4 by sheriffbot@chromium.org (Project Member), Jan 15 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 5 by sheriffbot@chromium.org (Project Member), Apr 23 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
