Crash in HandleBZ2
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6432518603800576
Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000000
Crash State:
HandleBZ2
safe_browsing::dmg::UDIFBlockChunkReadStream::Read
safe_browsing::dmg::UDIFPartitionReadStream::Read
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=416613:416614
Minimized Testcase (7.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96aX3_In-c-_Yv9AC1-4jbes_uGMtAdTXZ39QGgPvJ_oyTwHJxm7TQdcYHgokzsCxtRPj3Uc93FIm3-WiOI-kpGYQYv5_DwaVFQ-omxMF1xFRb4oBlFul7hpN8iOWwcDKuI--wHJ5sjiBntg-kGHMOUxjuJ8Q?testcase_id=6432518603800576
Issue manually filed by: mmohammad
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 9 2016
The problem is that length_in_bytes_ is pathologically large, and so this is actually just a failure to allocate.
(lldb) p *this
(safe_browsing::dmg::(anonymous namespace)::UDIFBlockChunkReadStream) $2 = {
stream_ = 0x00007fff5fbfe5f0
chunk_ = 0x0000000102900270
length_in_bytes_ = 2286984186822656
offset_ = 1024
decompress_buffer_ = size=0 {}
did_decompress_ = false
}
(lldb) p *chunk_
(const safe_browsing::dmg::UDIFBlockChunk) $4 = {
type = 2147483654
comment = 0
start_sector = 0
sector_count = 4466765989888
compressed_offset = 0
compressed_length = 1245
}
The problem is that in UDIFBlockChunkReadStream::HandleBZ2, we want to allocate the full decompress_buffer_ for the full length_in_bytes_.
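The allocation described in the comment above is sized from the untrusted sector_count, so the bound check belongs before any buffer is resized. The following is an added illustration written for this page, not Chromium's code: the struct mirrors the field names from the lldb dump, the 512-byte sector size is confirmed by the dump (4466765989888 sectors × 512 is exactly the dumped length_in_bytes_), while the partition_sectors parameter and the kMaxChunkBytes cap are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative struct mirroring the fields in the lldb dump above; this is
// not Chromium's definition.
struct UDIFBlockChunk {
  uint32_t type;
  uint32_t comment;
  uint64_t start_sector;
  uint64_t sector_count;
  uint64_t compressed_offset;
  uint64_t compressed_length;
};

// UDIF addresses data in 512-byte sectors.
constexpr uint64_t kSectorSize = 512;
// Assumed policy cap on one chunk's decompressed size (not a Chromium value).
constexpr uint64_t kMaxChunkBytes = 64ull * 1024 * 1024;

// Derive the decompressed length only if every bound holds: the multiply
// cannot wrap, the chunk lies inside its partition, and the result is under
// the cap. Returns false (and leaves *length_out untouched) for a bad header.
bool ValidatedChunkLength(const UDIFBlockChunk& chunk,
                          uint64_t partition_sectors,
                          uint64_t* length_out) {
  if (chunk.sector_count > UINT64_MAX / kSectorSize) return false;
  if (chunk.start_sector > partition_sectors ||
      chunk.sector_count > partition_sectors - chunk.start_sector) {
    return false;
  }
  const uint64_t length = chunk.sector_count * kSectorSize;
  if (length > kMaxChunkBytes) return false;
  *length_out = length;
  return true;
}

// Size the decompress buffer from the validated length, never from the raw
// header field, so a bogus sector_count fails cleanly instead of inside the
// allocator.
bool ReserveDecompressBuffer(const UDIFBlockChunk& chunk,
                             uint64_t partition_sectors,
                             std::vector<uint8_t>* decompress_buffer) {
  uint64_t length = 0;
  if (!ValidatedChunkLength(chunk, partition_sectors, &length)) return false;
  decompress_buffer->resize(static_cast<size_t>(length));
  return true;
}
```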
Sep 15 2016
Oct 6 2016
ClusterFuzz has detected this issue as fixed in range 423384:423408.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6432518603800576
Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000000
Crash State:
HandleBZ2
safe_browsing::dmg::UDIFBlockChunkReadStream::Read
safe_browsing::dmg::UDIFPartitionReadStream::Read
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=416613:416614
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=423384:423408
Minimized Testcase (7.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96aX3_In-c-_Yv9AC1-4jbes_uGMtAdTXZ39QGgPvJ_oyTwHJxm7TQdcYHgokzsCxtRPj3Uc93FIm3-WiOI-kpGYQYv5_DwaVFQ-omxMF1xFRb4oBlFul7hpN8iOWwcDKuI--wHJ5sjiBntg-kGHMOUxjuJ8Q?testcase_id=6432518603800576
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 6 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 12 2016
Oct 12 2016
Nov 15 2016
Issue 665268 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 15 2016
Issue 637111 has been merged into this issue.
May 2 2017
Bulk-WontFixing these bugs. This was a bug on ClusterFuzz side, see bug 717534. We will start seeing new testcases auto-filed in a day or two. We can't leave these open as ClusterFuzz won't autoverify them after ClusterFuzz-Wrong label.
Jul 14 2017
ClusterFuzz testcase 4667373761331200 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by mmohammad@chromium.org, Sep 6 2016
Status: Assigned (was: Untriaged)