
Issue 639827


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

FuzzedDataProvider should vend copied std::strings instead of StringPieces

Project Member Reported by csharrison@chromium.org, Aug 22 2016

Issue description

With a StringPiece API, consumers can buffer overflow into an adjacent piece, and ASAN won't catch it. If instead we return std::strings this will be caught by our sanitizers.

Note: this change will enable us to write a header only implementation of the FuzzedDataProvider.

A few points:
 - We may need to test that this doesn't regress existing consumers.
 - Look into whether or not we should remove the FuzzedDataProvider in blink platform.
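The mechanism behind the request, as an added example rather than code from this page or from Chromium's real FuzzedDataProvider: a hypothetical `MiniFuzzedDataProvider` hands out consecutive slices of one input buffer through two APIs, a non-owning view (`std::string_view` standing in for `base::StringPiece`) and an owning `std::string` copy. With the view, "one past the end" of a consumed field is still a valid address inside the input, so a consumer that over-reads silently receives the next consumer's byte and ASAN has nothing to flag; with the copy, the same address lies outside the input buffer and, for a heap-allocated string, in ASAN's redzone. The input is constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <string_view>

// Hypothetical stand-in for Chromium's FuzzedDataProvider (not the real class):
// hands out consecutive slices of a single fuzzer input buffer.
class MiniFuzzedDataProvider {
 public:
  MiniFuzzedDataProvider(const char* data, size_t size)
      : data_(data), remaining_(size) {}

  // Old-style API: a non-owning view (stand-in for base::StringPiece). The
  // returned bytes still live inside the fuzzer input buffer.
  std::string_view ConsumeBytesAsView(size_t n) {
    n = std::min(n, remaining_);
    std::string_view out(data_, n);
    data_ += n;
    remaining_ -= n;
    return out;
  }

  // New-style API (what the bug asks for): an owning copy whose storage is
  // separate from the input buffer.
  std::string ConsumeBytesAsString(size_t n) {
    return std::string(ConsumeBytesAsView(n));
  }

  size_t remaining() const { return remaining_; }

 private:
  const char* data_;
  size_t remaining_;
};

// Constructed input: a 32-byte field followed by the 16-byte field the next
// consumer is supposed to receive. 32 exceeds every common std::string
// small-string capacity, so the copy below is heap-allocated.
std::string MakeInput() { return std::string(32, 'H') + std::string(16, 'P'); }

// Does address p fall inside [base, base + size)? Compared as integers so the
// check is well-defined even for pointers into unrelated allocations.
bool InRange(const void* p, const void* base, size_t size) {
  const uintptr_t a = reinterpret_cast<uintptr_t>(p);
  const uintptr_t b = reinterpret_cast<uintptr_t>(base);
  return a >= b && a < b + size;
}

// With the view API, "one past the end" of the consumed field is a valid
// address inside the input: the first byte of the *next* consumer's data.
// A consumer that over-reads by one gets 'P' and ASAN has nothing to report.
char ByteJustPastView(const std::string& input) {
  MiniFuzzedDataProvider p(input.data(), input.size());
  std::string_view field = p.ConsumeBytesAsView(32);
  return *(field.data() + field.size());  // in bounds of `input`, not of `field`
}

bool ViewOverreadStaysInsideInput(const std::string& input) {
  MiniFuzzedDataProvider p(input.data(), input.size());
  std::string_view field = p.ConsumeBytesAsView(32);
  return InRange(field.data() + field.size(), input.data(), input.size());
}

// With the copy API the same over-read address is outside the input buffer
// (and, for a heap-allocated string, in ASAN's redzone), so the sanitizer
// reports a heap-buffer-overflow instead of silently returning 'P'.
bool CopyOverreadStaysInsideInput(const std::string& input) {
  MiniFuzzedDataProvider p(input.data(), input.size());
  std::string field = p.ConsumeBytesAsString(32);
  return InRange(field.data() + field.size(), input.data(), input.size());
}

// Both APIs hand the consumer identical bytes; only the ownership differs.
bool ApisAgree(const std::string& input) {
  MiniFuzzedDataProvider a(input.data(), input.size());
  MiniFuzzedDataProvider b(input.data(), input.size());
  return a.ConsumeBytesAsView(32) == b.ConsumeBytesAsString(32) &&
         a.remaining() == b.remaining();
}

int main() {
  const std::string input = MakeInput();
  std::printf("view: over-read inside input=%d, byte read='%c'\n",
              ViewOverreadStaysInsideInput(input), ByteJustPastView(input));
  std::printf("copy: over-read inside input=%d\n",
              CopyOverreadStaysInsideInput(input));
  return ApisAgree(input) ? 0 : 1;
}
```

One caveat when relying on this: a copied field short enough for the small-string optimization is stored inside the `std::string` object itself, and ASAN does not flag reads that stay within a single object, so the detection win is clearest for fields longer than the SSO capacity (the example uses 32 bytes for that reason). Regression testing of existing consumers, as the report suggests, also matters because a consumer that kept a `StringPiece` across further `Consume*` calls would have seen those bytes shift, whereas a copy is stable.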
 
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/987cf79c0d88104a3d491760b1b3b3294bb1d80a

commit 987cf79c0d88104a3d491760b1b3b3294bb1d80a
Author: csharrison <csharrison@chromium.org>
Date: Wed Oct 19 22:37:08 2016

Make FuzzedDataProvider vend std::strings

This patch also updates all consumers to use the new API.

This will help ASAN catch a broader class of problems in terms of accessing
data outside of the returned buffer.

BUG=639827

Review-Url: https://chromiumcodereview.appspot.com/2308443002
Cr-Commit-Position: refs/heads/master@{#426310}

[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/base/test/fuzzed_data_provider.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/base/test/fuzzed_data_provider.h
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/cert/internal/verify_name_match_fuzzer.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/cert/internal/verify_name_match_verifynameinsubtree_fuzzer.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/socket/fuzzed_socket.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/udp/fuzzed_datagram_client_socket.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/url_request/url_request_data_job_fuzzer.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/websockets/websocket_deflate_stream_fuzzer.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/net/websockets/websocket_frame_parser_fuzzer.cc
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/third_party/WebKit/Source/platform/testing/FuzzedDataProvider.cpp
[modify] https://crrev.com/987cf79c0d88104a3d491760b1b3b3294bb1d80a/third_party/sfntly/fuzzers/subset_font_fuzzer.cc

Status: Fixed (was: Assigned)
