Out-of-memory in safe_browsing_dmg_fuzzer
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5323873564491776
Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: Out-of-memory
Crash Address:
Crash State: safe_browsing_dmg_fuzzer
Minimized Testcase (7.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9747aVwkQa_04JHvZWjPZJUHrP57J2Zgvtk0DnFWkPtaVuDNFTQBdKnkxShQajFpLBiVeV2-tHED-X7LdB74bxPlFjTAs6eoNwuGBLP92XzF1OcZJMCTyJ_HxC3n_CnGJT0IP5UW5qktZkL1yywQCFwGxiyCw?testcase_id=5323873564491776
Issue manually filed by: mmohammad
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 22 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2016
Unable to find the possible suspect using CL and Findit. Using Code Search for the file "safe_browsing_dmg_fuzzer", assigning to the concerned owner. Suspecting the commit https://chromium.googlesource.com/chromium/src/+/1cb270778f6337af7b5b61e70b9d78d99b2e8877. @mmoroz -- could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Dec 15 2016
That's interesting. 4GB+ to process ~8 KB input. rsesek@, as an author of the fuzzer, would you mind helping to triage this?
Dec 15 2016
Known issue, just with a different CF signature (tangentially: this report is kinda crummy from ClusterFuzz -- no stack trace available, had to check this locally).
* thread #1: tid = 0x33ce6c, 0x0000000100010818 crdmg`std::__1::__split_buffer<unsigned char, std::__1::allocator<unsigned char>&>::__construct_at_end(this=0x00007fff5fbfc688, __n=265807963903) + 56 at __split_buffer:203, stop reason = signal SIGSTOP
frame #0: 0x0000000100010818 crdmg`std::__1::__split_buffer<unsigned char, std::__1::allocator<unsigned char>&>::__construct_at_end(this=0x00007fff5fbfc688, __n=265807963903) + 56 at __split_buffer:203
200 __alloc_rr& __a = this->__alloc();
201 do
202 {
-> 203 __alloc_traits::construct(__a, _VSTD::__to_raw_pointer(this->__end_));
204 ++this->__end_;
205 --__n;
206 } while (__n > 0);
(lldb) bt
* thread #1: tid = 0x33ce6c, 0x0000000100010818 crdmg`std::__1::__split_buffer<unsigned char, std::__1::allocator<unsigned char>&>::__construct_at_end(this=0x00007fff5fbfc688, __n=265807963903) + 56 at __split_buffer:203, stop reason = signal SIGSTOP
* frame #0: 0x0000000100010818 crdmg`std::__1::__split_buffer<unsigned char, std::__1::allocator<unsigned char>&>::__construct_at_end(this=0x00007fff5fbfc688, __n=265807963903) + 56 at __split_buffer:203
frame #1: 0x000000010001064b crdmg`std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::__append(this=0x0000000100b0a628 size=0, __n=274877906944) + 667 at vector:1034
frame #2: 0x0000000100008ec7 crdmg`std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::resize(this=0x0000000100b0a628 size=0, __sz=274877906944) + 119 at vector:1990
frame #3: 0x000000010001fe3a crdmg`safe_browsing::dmg::(anonymous namespace)::UDIFBlockChunkReadStream::HandleBZ2(this=0x0000000100b0a600, buffer="", buffer_size=512, bytes_read=0x00007fff5fbfce88) + 442 at udif.cc:836
frame #4: 0x000000010001f0ab crdmg`safe_browsing::dmg::(anonymous namespace)::UDIFBlockChunkReadStream::Read(this=0x0000000100b0a600, buffer="", buffer_size=512, bytes_read=0x00007fff5fbfce88) + 507 at udif.cc:722
frame #5: 0x000000010001de2f crdmg`safe_browsing::dmg::(anonymous namespace)::UDIFPartitionReadStream::Read(this=0x0000000100b08190, buffer="", buffer_size=512, bytes_read=0x00007fff5fbfd140) + 959 at udif.cc:605
frame #6: 0x00000001000154da crdmg`safe_browsing::dmg::ReadStream::ReadExact(this=0x0000000100b08190, data="", size=512) + 90 at read_stream.cc:20
frame #7: 0x0000000100004fe4 crdmg`bool safe_browsing::dmg::ReadStream::ReadType<HFSPlusVolumeHeader>(this=0x0000000100b08190, t=0x00007fff5fbff638) + 36 at read_stream.h:33
frame #8: 0x0000000100004daf crdmg`safe_browsing::dmg::HFSIterator::Open(this=0x00007fff5fbff630) + 111 at hfs.cc:236
frame #9: 0x0000000100002524 crdmg`(anonymous namespace)::SafeDMG::ParseDMG(this=0x00007fff5fbffa40) + 1524 at crdmg.cc:189
frame #10: 0x0000000100000c95 crdmg`(anonymous namespace)::SafeDMG::Main(this=0x00007fff5fbffa40, argc=2, argv=0x00007fff5fbffaa0) + 613 at crdmg.cc:102
frame #11: 0x00000001000009d0 crdmg`main(argc=2, argv=0x00007fff5fbffaa0) + 64 at crdmg.cc:262
frame #12: 0x00007fff9a25f5ad libdyld.dylib`start + 1
(lldb) fr sel 3
frame #3: 0x000000010001fe3a crdmg`safe_browsing::dmg::(anonymous namespace)::UDIFBlockChunkReadStream::HandleBZ2(this=0x0000000100b0a600, buffer="", buffer_size=512, bytes_read=0x00007fff5fbfce88) + 442 at udif.cc:836
833 return false;
834 }
835
-> 836 decompress_buffer_.resize(length_in_bytes_);
837 bz.next_in = reinterpret_cast<char*>(&compressed_data[0]);
838 bz.avail_in = compressed_data.size();
839 bz.next_out = reinterpret_cast<char*>(&decompress_buffer_[0]);
(lldb) p *this
(safe_browsing::dmg::(anonymous namespace)::UDIFBlockChunkReadStream) $1 = {
stream_ = 0x00007fff5fbfe620
chunk_ = 0x0000000100a00420
length_in_bytes_ = 274877906944
offset_ = 1024
decompress_buffer_ = size=0 {}
did_decompress_ = false
}
length_in_bytes_ is yuuuuge, and we try and decompress that all in one go. In order to do that, we of course allocate a buffer for length_in_bytes_, and that fails.
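An added illustration, not code from this report or from Chromium's udif.cc: the allocation pattern of frame #3 in minimal form, beside a check that bounds the claimed decompressed size before the allocator is touched. ChunkDescriptor, kMaxChunkBytes and input_available are assumptions; the 274877906944-byte length referenced in the comments is the length_in_bytes_ value from the trace above.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical chunk descriptor (not Chromium's UDIF structs): the two
// untrusted fields that matter here are how many 512-byte sectors the chunk
// expands to and how many compressed bytes in the file back it.
struct ChunkDescriptor {
  uint64_t sector_count;       // uncompressed size, in sectors
  uint64_t compressed_length;  // bytes of bz2 data present in the file
};

constexpr uint64_t kSectorSize = 512;
// Assumed policy: largest chunk the parser is willing to expand in one go.
// The ClusterFuzz job flagged the OOM at 2048 MB; this stays far below it.
constexpr uint64_t kMaxChunkBytes = 64ULL * 1024 * 1024;

// Pre-fix shape, as in frame #3 of the trace: the output buffer is sized
// directly from the header. For the reproducer, sector_count is 2^29, so
// this asks for 274877906944 bytes (256 GiB) and the process dies.
void ResizeUnchecked(std::vector<unsigned char>& out, const ChunkDescriptor& d) {
  out.resize(d.sector_count * kSectorSize);
}

// Hardened shape: decide whether the claimed size is plausible before the
// allocator is ever touched. `input_available` is how many compressed bytes
// the file actually has left for this chunk.
std::optional<uint64_t> CheckedDecompressedSize(const ChunkDescriptor& d,
                                                uint64_t input_available) {
  if (d.sector_count == 0) return std::nullopt;
  // Dividing the cap keeps the comparison overflow-free, so a sector_count
  // near 2^64 cannot wrap the multiplication below.
  if (d.sector_count > kMaxChunkBytes / kSectorSize) return std::nullopt;
  // A chunk cannot be backed by more compressed data than the file holds.
  if (d.compressed_length == 0 || d.compressed_length > input_available)
    return std::nullopt;
  return d.sector_count * kSectorSize;
}

// Returns false (and leaves `out` untouched) instead of allocating blindly.
// Alternatively, bz2 can be driven with a fixed-size avail_out window so the
// header's decompressed length never has to be trusted for allocation at all.
bool ResizeChecked(std::vector<unsigned char>& out, const ChunkDescriptor& d,
                   uint64_t input_available) {
  std::optional<uint64_t> size = CheckedDecompressedSize(d, input_available);
  if (!size) return false;
  out.resize(*size);
  return true;
}
```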
Apr 13 2017
ClusterFuzz has detected this issue as fixed in range 464021:464042.
Detailed report: https://clusterfuzz.com/testcase?key=5323873564491776
Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State: safe_browsing_dmg_fuzzer
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=464021:464042
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Z0LCV1yZlXiTmHPkxOlazS2A8YVSRpQf_DIYWhgqTn-PkXBrjNq3z9dDRoyYWEUuTkcQ-Ry_Nhtr-iSmyJm7iX5TdLmcxqHvdxCMDM5_JEKPNfULxHAJOLqE_btSjLlvKiW4qGL_KXGmTsjRwU-KuSogHaSaAArQdc8jGA4izfIac8MkMxj3cOKZkBbxf0USKGZ0OeMQdvsPaPQFF7u8U-GCHbZmMCgRtrQTZITPvORDut_wXjIIT0YdLv73KL5tPaJtIlHSqvOo3ZolKsMe0ioqHGkv5OGy0DGi4zl9kM_0zSeb04c7380ynu5TKfcOi9jwLKhWrodbhBjaMlU1tIflldndqcquAJTuzady-oUNfnPM?testcase_id=5323873564491776
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mmohammad@chromium.org, Aug 11 2016