
Issue 640857


Issue metadata

Status: Fixed
Closed: Aug 2016
OS: Linux
Type: Bug




Container-overflow in Err::Err

Project Member Reported by ClusterFuzz, Aug 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5507269037129728

Fuzzer: afl_gn_parser_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Container-overflow READ {*}
Crash Address: 0x61700000fb28
Crash State:
  Err::Err
  Parser::ParseCondition
  Parser::ParseStatement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=414068:414117

Minimized Testcase (0.04 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94HtfJmcO9wxsPA_88f-2Hmfz_0c-qBJEmKPtPgWc2mT5_U5fbA1h8sBBjelyXQegg5gEGt9t6A-IxDIaM0hYUzaBZbs1cMO8DuaE47uXJJYxR7uIitbIRJpGF5cne5scF91V3Say44x8QxzIrWK1PiD9REgw?testcase_id=5507269037129728
if(((((!QQQQQQQQQQQQQQQQQQQQQQQ!QQQ
else


Issue manually filed by: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Cc: dpranke@chromium.org
Labels: -Security_Severity-Low -Security_Impact-Head Security_Impact-None
Owner: thakis@chromium.org
Status: Assigned (was: Untriaged)
Thanks for adding this Nico. Please reassign as needed. Removing security impact labels.

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-None Type-Bug
Removing security restrictions.

Comment 3 by thakis@chromium.org, Aug 25 2016

Labels: Build-Tools-GN

Comment 4 by thakis@chromium.org, Aug 25 2016

Status: Started (was: Assigned)
https://codereview.chromium.org/2282493002/

Comment 5 by bugdroid1@chromium.org, Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5aba5ce9d5f3184b1e659c319e962c57274cbe03

commit 5aba5ce9d5f3184b1e659c319e962c57274cbe03
Author: thakis <thakis@chromium.org>
Date: Thu Aug 25 17:15:04 2016

gn: Don't do an out-of-bound access if a file ends after 'else'

BUG=640857

Review-Url: https://codereview.chromium.org/2282493002
Cr-Commit-Position: refs/heads/master@{#414461}

[modify] https://crrev.com/5aba5ce9d5f3184b1e659c319e962c57274cbe03/tools/gn/parser.cc
[modify] https://crrev.com/5aba5ce9d5f3184b1e659c319e962c57274cbe03/tools/gn/parser.h
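
Added example (editor's code, not GN's parser.cc and not the diff of the commit above, which this page does not show): a miniature recursive-descent parser in C++ with the shape of GN's Parser::ParseCondition. It shows how an error built right after a trailing 'else', when the file has ended, can index one past the end of the token vector (the container-overflow read in the report), and an EOF guard of the kind the commit title describes. MiniParser, Tokenize, ParseStatement, the Tok enum and the error-message strings are this example's own names; the guard's exact form in GN is an assumption, not taken from the commit.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Added example, not GN's code: a tiny parser with the shape of
// Parser::ParseCondition, showing the one-past-the-end read after a trailing
// 'else' and the at_end() guard that avoids it.

enum class Tok { IF, ELSE, LPAREN, RPAREN, LBRACE, RBRACE, BANG, IDENT };

struct Token {
  Tok type;
  std::string text;
  size_t offset;  // byte offset in the source, used to locate errors
};

struct Err {
  bool has_error = false;
  std::string message;
  size_t offset = 0;
};

// Hypothetical tokenizer covering only the token kinds this example needs.
std::vector<Token> Tokenize(const std::string& src) {
  std::vector<Token> out;
  size_t i = 0;
  while (i < src.size()) {
    const size_t start = i;
    const char c = src[i];
    if (c == ' ' || c == '\t' || c == '\n') { ++i; continue; }
    Tok t = Tok::IDENT;
    switch (c) {
      case '(': t = Tok::LPAREN; break;
      case ')': t = Tok::RPAREN; break;
      case '{': t = Tok::LBRACE; break;
      case '}': t = Tok::RBRACE; break;
      case '!': t = Tok::BANG; break;
      default: break;
    }
    if (t != Tok::IDENT) { out.push_back({t, std::string(1, c), start}); ++i; continue; }
    while (i < src.size() &&
           (std::isalnum(static_cast<unsigned char>(src[i])) || src[i] == '_')) ++i;
    if (i == start) { ++i; continue; }  // unknown character: skip it
    std::string word = src.substr(start, i - start);
    if (word == "if") t = Tok::IF; else if (word == "else") t = Tok::ELSE;
    out.push_back({t, word, start});
  }
  return out;
}

class MiniParser {
 public:
  explicit MiniParser(std::vector<Token> tokens) : tokens_(std::move(tokens)) {}

  // Parses `if (expr) {} [else if ... | else {}]` and returns the error state.
  Err ParseCondition() {
    Err err;
    if (!Match(Tok::IF)) return Fail(err, "Expected 'if'.");
    if (!Match(Tok::LPAREN)) return Fail(err, "Expected '(' after 'if'.");
    ParseExpression(err);
    if (err.has_error) return err;
    if (!Match(Tok::RPAREN)) return Fail(err, "Expected ')' after condition of 'if'.");
    ParseBlock(err);
    if (err.has_error) return err;
    if (Match(Tok::ELSE)) {
      if (LookAhead(Tok::IF)) return ParseCondition();
      if (LookAhead(Tok::LBRACE)) { ParseBlock(err); return err; }
      // File ended right after 'else': cur_ == tokens_.size() at this point,
      // so the token the error is built from must not be tokens_[cur_].
      return Fail(err, "Expected '{' or 'if' after 'else'.");
    }
    return err;
  }

 private:
  // Set to true and build with -fsanitize=address to see the container-overflow.
  static constexpr bool kReproduceBug = false;

  bool at_end() const { return cur_ >= tokens_.size(); }
  bool LookAhead(Tok t) const { return !at_end() && tokens_[cur_].type == t; }
  bool Match(Tok t) { if (!LookAhead(t)) return false; ++cur_; return true; }

  // VULNERABLE accessor: no at_end() check, so with cur_ == size() it reads
  // one Token past the end of the vector.
  const Token& cur_token_unchecked() const { return tokens_[cur_]; }
  // FIXED accessor: at EOF, report the error against the last real token.
  const Token& cur_or_last_token() const {
    return at_end() ? tokens_.back() : tokens_[cur_];
  }

  Err& Fail(Err& err, const std::string& msg) {
    err.has_error = true;
    err.message = msg;
    if (!tokens_.empty())
      err.offset = (kReproduceBug ? cur_token_unchecked() : cur_or_last_token()).offset;
    return err;
  }

  // Expression grammar for the demo: '!'* ( '(' expr ')' | IDENT )
  void ParseExpression(Err& err) {
    while (Match(Tok::BANG)) {}
    if (Match(Tok::LPAREN)) {
      ParseExpression(err);
      if (!err.has_error && !Match(Tok::RPAREN)) Fail(err, "Expected ')'.");
      return;
    }
    if (!Match(Tok::IDENT)) Fail(err, "Expected expression.");
  }

  // Blocks are kept empty ('{' '}') to keep the example short.
  void ParseBlock(Err& err) {
    if (!Match(Tok::LBRACE)) { Fail(err, "Expected '{'."); return; }
    if (!Match(Tok::RBRACE)) Fail(err, "Expected '}'.");
  }

  std::vector<Token> tokens_;
  size_t cur_ = 0;
};

// Entry point; the inputs fed to it below are constructed for this demo.
Err ParseStatement(const std::string& src) {
  MiniParser parser(Tokenize(src));
  return parser.ParseCondition();
}
```

With the guard in place, `ParseStatement("if (x) {} else")` reports "Expected '{' or 'if' after 'else'." at the offset of the final `else` token instead of reading past the vector; flipping kReproduceBug restores the unchecked read so the overflow can be observed under ASan.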

Comment 6 by thakis@chromium.org, Aug 25 2016

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz, Aug 26 2016

ClusterFuzz has detected this issue as fixed in range 414421:414515.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=414421:414515

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
