0 <= size in factory.cc |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5214062483079168 Fuzzer: v8_builtins_generator Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: 0 <= size in factory.cc Regressed: V8: r37931:37932 Minimized Testcase (0.13 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv971ebwfdmz8aRjKAJPWVCOcWO4gBg0tedH605mOsWsCz2GCc2cQVQlCfM7RtT5GGcmnLZgEmtYkvlVx4JqpKgYipefUMu6FPnkKDtdphNaJ0K4dkmJXDfpJrnSFrvGE60vkCNuvC6m-X3hLaIKBUJqz4slm_g?testcase_id=5214062483079168 v1 = 2147483647; var v6 = {}; v9 = new Uint8ClampedArray(v1); v11 = new Intl.DateTimeFormat(v6, v9); v21 = JSON.stringify(v9); Issue manually filed by: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 5 2016
Nothing but a OOM in disguise, OOM is thrown in release-mode. Adding precheck in the FastKeyAccumulator to deal with too large input keys.
,
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/172bfb58345f9eefd804714f787cf2c4981b2eab commit 172bfb58345f9eefd804714f787cf2c4981b2eab Author: cbruni <cbruni@chromium.org> Date: Fri Aug 05 12:52:02 2016 [keys] Throw a range error if the number of keys overflow FixedArray::kMaxLength BUG= chromium:634776 Review-Url: https://codereview.chromium.org/2219803002 Cr-Commit-Position: refs/heads/master@{#38382} [modify] https://crrev.com/172bfb58345f9eefd804714f787cf2c4981b2eab/src/elements.cc [modify] https://crrev.com/172bfb58345f9eefd804714f787cf2c4981b2eab/src/elements.h [modify] https://crrev.com/172bfb58345f9eefd804714f787cf2c4981b2eab/src/keys.cc
,
Aug 6 2016
ClusterFuzz has detected this issue as fixed in range 38381:38382. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5214062483079168 Fuzzer: v8_builtins_generator Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: 0 <= size in factory.cc Regressed: V8: r37931:37932 Fixed: V8: r38381:38382 Minimized Testcase (0.13 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv971ebwfdmz8aRjKAJPWVCOcWO4gBg0tedH605mOsWsCz2GCc2cQVQlCfM7RtT5GGcmnLZgEmtYkvlVx4JqpKgYipefUMu6FPnkKDtdphNaJ0K4dkmJXDfpJrnSFrvGE60vkCNuvC6m-X3hLaIKBUJqz4slm_g?testcase_id=5214062483079168 v1 = 2147483647; var v6 = {}; v9 = new Uint8ClampedArray(v1); v11 = new Intl.DateTimeFormat(v6, v9); v21 = JSON.stringify(v9); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 6 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by mstarzinger@chromium.org
, Aug 5 2016Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)