New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 638570 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

Use-of-uninitialized-value in AffixMgr::compound_check

Project Member Reported by ClusterFuzz, Aug 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4971720673067008

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  AffixMgr::compound_check
  SuggestMgr::checkword
  SuggestMgr::testsug
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=401824:401851

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95AFOTFrNtOSU_mi7JYWm-eOYu5dQIjH0IWmFCDYSHYZKn7lHgRMTbpIZkIE3MJhHw2g8Qz9BGcQhVLZJvQ9LLu1Si-3NfNDYPzOKI-Dhe3LxvjGyjHbQuCZTM3VfCg7UmOtt1ICbDovC_OZC4CAn6ATuv_WQ?testcase_id=4971720673067008

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Aug 17 2016

Cc: mmoroz@chromium.org rouslan@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: UI>Browser>Spellcheck
Labels: Pri-1
Owner: groby@chromium.org
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 17 2016

Labels: M-53
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 17 2016

Labels: ReleaseBlock-Stable
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 17 2016

Status: Assigned (was: Untriaged)

Comment 5 by gov...@chromium.org, Aug 18 2016

Cc: awhalley@chromium.org
Please try to resolve this ASAP as we're very close to M53 Stable promotion. Please request a merge to M53 branch 2785 once change is landed/baked/verified in Canary. Thank you.

Comment 6 by groby@chromium.org, Aug 18 2016

Labels: -Pri-1 -ReleaseBlock-Stable Pri-2
This is due to a mistake in the setup of the clusterfuzz test - this is a false positive, moving to P2, removing RBS

Fix for the test is WIP at https://codereview.chromium.org/2223603002/
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 19 2016

Labels: ReleaseBlock-Stable
Labels: -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-None
Changed to Security_Impact-None to stop sheriffbot reapplying labels.
Project Member

Comment 9 by ClusterFuzz, Aug 27 2016

ClusterFuzz has detected this issue as fixed in range 414856:414881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4971720673067008

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  AffixMgr::compound_check
  SuggestMgr::checkword
  SuggestMgr::testsug
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=401824:401851
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=414856:414881

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95AFOTFrNtOSU_mi7JYWm-eOYu5dQIjH0IWmFCDYSHYZKn7lHgRMTbpIZkIE3MJhHw2g8Qz9BGcQhVLZJvQ9LLu1Si-3NfNDYPzOKI-Dhe3LxvjGyjHbQuCZTM3VfCg7UmOtt1ICbDovC_OZC4CAn6ATuv_WQ?testcase_id=4971720673067008

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 27 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 28 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 12 by sheriffbot@chromium.org, Dec 3 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck

Sign in to add a comment