Issue 643726 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	rsesek@chromium.org
Closed:	Sep 2016
Cc:	rsesek@chromium.org vakh@chromium.org mac-bugs-priority@chromium.org
Components:	Services>Safebrowsing
EstimatedDays:	----
NextAction:	----
OS:	Mac
Pri:	1
Type:	Bug-Security
Reproducible SafeBrowsing-Triaged Stability-Memory-AddressSanitizer M-53 Security_Impact-Stable Security_Severity-Medium Stability-Libfuzzer allpublic Clusterfuzz

Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData

Project Member Reported by ClusterFuzz, Sep 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6166426824212480

Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x619000001d80
Crash State:
  safe_browsing::dmg::UDIFBlock::ParseBlockData
  safe_browsing::dmg::UDIFParser::ParseBlkx
  start
  
Recommended Security Severity: Medium


Minimized Testcase (8.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Ixo5IzyVZvPzBo7R8HkIoalK8kKrak8yJhO3BGh3k9vNvoJ0h-XUHfLako3WwRCch9LouZmotE1w1Vp9hpbC2WxWlln9afq8nm4tpy_Rl6uvwtzsGS7TG7ifljMQ2XGHSJPBqAfh-0-cFr6Nce9EYT3uKTg?testcase_id=6166426824212480

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by vakh@chromium.org, Sep 2 2016

Components: Services>Safebrowsing
Labels: SafeBrowsing-Triaged
Owner: rsesek@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by infe...@chromium.org, Sep 2 2016

Cc: rsesek@chromium.org

 Issue 643436  has been merged into this issue.

Project Member

Comment 3 by sheriffbot@chromium.org, Sep 3 2016

Labels: M-53

Project Member

Comment 4 by sheriffbot@chromium.org, Sep 3 2016

Labels: Pri-1

Project Member

Comment 5 by bugdroid1@chromium.org, Sep 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5a29d68e849e2beb122b1ade3a53527a3db04186

commit 5a29d68e849e2beb122b1ade3a53527a3db04186
Author: rsesek <rsesek@chromium.org>
Date: Tue Sep 06 21:21:22 2016

Validate that UDIFBlock data length matches the size and reported number of chunks.

BUG= 643726 
R=nparker@chromium.org

Review-Url: https://codereview.chromium.org/2314883002
Cr-Commit-Position: refs/heads/master@{#416732}

[modify] https://crrev.com/5a29d68e849e2beb122b1ade3a53527a3db04186/chrome/utility/BUILD.gn
[modify] https://crrev.com/5a29d68e849e2beb122b1ade3a53527a3db04186/chrome/utility/safe_browsing/mac/udif.cc

Comment 6 by rsesek@chromium.org, Sep 7 2016

Status: Fixed (was: Assigned)

Project Member

Comment 7 by sheriffbot@chromium.org, Sep 8 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 8 by sheriffbot@chromium.org, Dec 15 2016

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 643726 link

Issue metadata

Heap-buffer-overflow in safe_browsing::dmg::UDIFBlock::ParseBlockData

Issue description

Comment 1 by vakh@chromium.org, Sep 2 2016

Comment 1 Deleted

Comment 2 by infe...@chromium.org, Sep 2 2016

Comment 2 Deleted

Comment 3 by sheriffbot@chromium.org, Sep 3 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Sep 3 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Sep 6 2016

Comment 5 Deleted

Comment 6 by rsesek@chromium.org, Sep 7 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Sep 8 2016

Comment 7 Deleted

Comment 8 by sheriffbot@chromium.org, Dec 15 2016

Comment 8 Deleted

Sign in to add a comment