Heap-buffer-overflow in test_runner::BoundsForCharacter
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6675273649225728
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x61600051f88c
Crash State:
  test_runner::BoundsForCharacter
  test_runner::WebAXObjectProxy::BoundsForRange
  base::internal::Invoker<base::internal::BindState<std::__1::basic_string<char, s
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Minimized Testcase (0.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv977ztDuCxsIyvw24dIMfp8x4VGmn9dVuCS_NyyLt2RuaclKASXxKVp_yq-uqkdF4gLKyp999Gfuoke0jkv20chlGxdDArjbOusJy1uFsR4M-uCOl373dYi3_s48a3cEfe8SOBk-qTdXWApFVXgn1mvuMAJtqQ?testcase_id=6675273649225728
Issue manually filed by: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 16 2016
Aug 17 2016
I think WebAXObject::characterOffsets returns an empty vector, and BoundsForCharacters uses it without boundary check. dmazzoni: Could you handle this?
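The pattern this comment describes, as an added example that is not Chromium's code: a helper that indexes into character offsets guarded only by a debug-time DCHECK, beside a version with a real runtime check. The Rect layout, the offset encoding and the function names are assumptions for illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Assumed layout: one x-offset per character, bounds derived from neighbours.
struct Rect { int x = 0; int y = 0; int width = 0; int height = 0; };

// Debug-only assertion, modelled on Chromium's DCHECK: it compiles away in
// release builds, so it is not a bounds check.
#ifdef NDEBUG
#define DCHECK(cond) ((void)0)
#else
#define DCHECK(cond) assert(cond)
#endif

// Before: the only guard is the DCHECK. If characterOffsets() returned an
// empty vector, the reads below run past the buffer (the READ 4 ASan reported).
Rect BoundsForCharacterUnchecked(const std::vector<int>& offsets,
                                 std::size_t index, int line_height) {
  DCHECK(index < offsets.size());
  int start = index == 0 ? 0 : offsets[index - 1];
  return Rect{start, 0, offsets[index] - start, line_height};
}

// After: an explicit runtime check. Returns false and an empty rect when the
// accessibility object produced no bounds or the index is past the end.
bool BoundsForCharacter(const std::vector<int>& offsets, std::size_t index,
                        int line_height, Rect* out) {
  *out = Rect{};
  if (offsets.empty() || index >= offsets.size()) return false;
  int start = index == 0 ? 0 : offsets[index - 1];
  *out = Rect{start, 0, offsets[index] - start, line_height};
  return true;
}

// Caller shape matching the crash stack: a range is resolved one character at
// a time, and a missing bound fails the whole range instead of reading junk.
bool BoundsForRange(const std::vector<int>& offsets, std::size_t start,
                    std::size_t end, int line_height, std::vector<Rect>* out) {
  out->clear();
  for (std::size_t i = start; i < end; ++i) {
    Rect r;
    if (!BoundsForCharacter(offsets, i, line_height, &r)) return false;
    out->push_back(r);
  }
  return true;
}
```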
Aug 17 2016
Aug 31 2016
dmazzoni: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 31 2016
Sep 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1c7b9c439b6a0437e724d5a22311f81287d74a21

commit 1c7b9c439b6a0437e724d5a22311f81287d74a21
Author: dmazzoni <dmazzoni@chromium.org>
Date: Thu Sep 01 21:44:57 2016

Don't crash if WebAXObject::characterOffsets doesn't return any bounds.

This is just a fix in the test_runner, it had a DCHECK if we requested character bounds for an element that wasn't able to return any, but clusterfuzz treated that as a crash.

BUG= 638220
Review-Url: https://codereview.chromium.org/2297243002
Cr-Commit-Position: refs/heads/master@{#416068}

[modify] https://crrev.com/1c7b9c439b6a0437e724d5a22311f81287d74a21/components/test_runner/web_ax_object_proxy.cc
Sep 3 2016
ClusterFuzz has detected this issue as fixed in range 415934:416243.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6675273649225728
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x61600051f88c
Crash State:
  test_runner::BoundsForCharacter
  test_runner::WebAXObjectProxy::BoundsForRange
  base::internal::Invoker<base::internal::BindState<std::__1::basic_string<char, s
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=415934:416243
Minimized Testcase (0.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QfybfDSF645CZi5Al5mDFdycDp4aPAo030kMiCL6uhBXoQ_Qxk3meKTBuTPU27f4A9QRwazqMS4tL_pPem41xqO_2GoDDrBuBRhox9OskqhOHYUsHWhXTbBylYt_re0Ob7WVWSdBdrD-71A-2Fg3c1VgPcg?testcase_id=6675273649225728
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 3 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 3 2016
Dec 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Aug 16 2016
Owner: tzik@chromium.org