Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in unibrow::Utf8::Validate |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5826035432292352 Fuzzer: v8_wasm_asmjs_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x611000000da5 Crash State: unibrow::Utf8::Validate consume_string DecodeModule Recommended Security Severity: Medium Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oS3XM94zL5syL_Eu3Wj9OZx7jMc6qc4MnXCb0Jkyo1tvo1m2lURPLqsPYjapJmJGRkuwv3F8oyX0YfNQBnGFt_JKhGbZxatINDa9Rf_250DcWqlggzTi1oFSB_vv0dW147l6NEcIIZRGP9hLhpIZIk27UMQ?testcase_id=5826035432292352 Issue manually filed by: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Sep 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1a5f8fa53665e7431124f6a9f4710d1bef8ae38b commit 1a5f8fa53665e7431124f6a9f4710d1bef8ae38b Author: ahaas <ahaas@chromium.org> Date: Tue Sep 06 09:50:12 2016 [wasm] Validate the length of strings before validating the string. BUG= chromium:644182 R=titzer@chromium.org TEST=module-decoder-unittest.cc:ExportNameWithInvalidStringLength Review-Url: https://codereview.chromium.org/2310023002 Cr-Commit-Position: refs/heads/master@{#39199} [modify] https://crrev.com/1a5f8fa53665e7431124f6a9f4710d1bef8ae38b/src/wasm/module-decoder.cc [modify] https://crrev.com/1a5f8fa53665e7431124f6a9f4710d1bef8ae38b/test/unittests/wasm/module-decoder-unittest.cc
,
Sep 6 2016
,
Sep 6 2016
,
Sep 8 2016
ClusterFuzz has detected this issue as fixed in range 416613:416621. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5826035432292352 Fuzzer: v8_wasm_asmjs_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x611000000da5 Crash State: unibrow::Utf8::Validate consume_string DecodeModule Recommended Security Severity: Medium Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=416613:416621 Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oS3XM94zL5syL_Eu3Wj9OZx7jMc6qc4MnXCb0Jkyo1tvo1m2lURPLqsPYjapJmJGRkuwv3F8oyX0YfNQBnGFt_JKhGbZxatINDa9Rf_250DcWqlggzTi1oFSB_vv0dW147l6NEcIIZRGP9hLhpIZIk27UMQ?testcase_id=5826035432292352 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 8 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 8 2016
,
Oct 10 2016
,
Nov 29 2016
,
Dec 15 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, Sep 6 2016Components: Blink>JavaScript>WebAssembly
Labels: Pri-1
Owner: ahaas@chromium.org