Heap-use-after-free in pp::MacroExpander::expandMacro
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5881269835792384
Fuzzer: afl_translator_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60d000001418
Crash State:
  pp::MacroExpander::expandMacro
  pp::MacroExpander::pushMacro
  pp::MacroExpander::lex
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=419085:419121
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WlPuLfM3HtRaMML7SN8Q6DbZiDKThcb2-lzx1eguwYnbBMKXl41O5IHAdsmSbBdqmBSvzo2MAkPw3s9ftK1r2D7NxXsFy7ZxXdQhS7y6n5e0HU51IEVVA_VrWf7xAEADKifwwKauVzvWpBsvSSR6IZBiQdQ?testcase_id=5881269835792384

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by sheriffbot@chromium.org, Sep 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 18 2016

Sep 19 2016

Sep 19 2016

Sep 19 2016
A CL is up for review https://chromium-review.googlesource.com/#/c/386853/

Sep 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/d2f195b5a4b266be817193ed004c26535a32723a

commit d2f195b5a4b266be817193ed004c26535a32723a
Author: Corentin Wallez <cwallez@chromium.org>
Date: Mon Sep 19 19:53:33 2016

preprocessor: Fix use after free when #undef the macro being invoked

BUG=chromium:648031
BUG=angleproject:1522

Change-Id: I825cea9e736a2c99133408249cfcd525431d31de
Reviewed-on: https://chromium-review.googlesource.com/386853
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>

[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/compiler/preprocessor/MacroExpander.cpp
[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/compiler/preprocessor/DirectiveParser.cpp
[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/tests/preprocessor_tests/define_test.cpp
[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/compiler/preprocessor/Macro.h
[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/compiler/preprocessor/DiagnosticsBase.cpp
[modify] https://crrev.com/d2f195b5a4b266be817193ed004c26535a32723a/src/compiler/preprocessor/DiagnosticsBase.h
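The commit above fixes a use-after-free that arises when a #undef directive for a macro is processed while that macro is still being invoked. The toy expander below is an added illustration of the ownership pattern that prevents this class of bug; it is not ANGLE's code or the fix in this CL. It holds its own std::shared_ptr to the macro for the duration of an invocation, so erasing the table entry mid-invocation (here, from a directive inside the argument list) cannot free memory the expander is still reading. The ToyExpander, MacroTable and runSample names, the token-level modelling of the directive, and the diagnostic it records are this example's own assumptions.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Added example, not ANGLE's code: a toy macro table and expander that keeps its
// own reference to a macro while invoking it, so a #undef directive processed in
// the middle of the invocation (inside the argument list) cannot free the macro.
struct Macro {
    bool functionLike = false;
    std::vector<std::string> params;  // parameter names of a function-like macro
    std::vector<std::string> body;    // replacement list
};
// Shared ownership: the table holds one reference, an in-progress expansion another.
using MacroTable = std::map<std::string, std::shared_ptr<const Macro>>;

class ToyExpander {
public:
    explicit ToyExpander(MacroTable& table) : table_(table) {}

    // One expansion pass over `input`. A directive is modelled as a "#undef" token
    // followed by the macro name (constructed representation, not real lexing).
    std::vector<std::string> expand(const std::vector<std::string>& input) {
        std::vector<std::string> out;
        for (size_t i = 0; i < input.size(); ++i) {
            const std::string& tok = input[i];
            if (tok == "#undef" && i + 1 < input.size()) { undef(input[++i]); continue; }
            auto it = table_.find(tok);
            if (it == table_.end()) { out.push_back(tok); continue; }
            // Take our own reference before reading any further input: the table
            // entry may be erased by a #undef while we collect arguments.
            std::shared_ptr<const Macro> macro = it->second;
            inUse_.push_back(tok);
            if (!macro->functionLike) {
                out.insert(out.end(), macro->body.begin(), macro->body.end());
            } else if (i + 1 < input.size() && input[i + 1] == "(") {
                ++i;  // consume "("
                std::vector<std::vector<std::string>> args(1);
                int depth = 0;
                while (++i < input.size()) {
                    const std::string& t = input[i];
                    if (t == "#undef" && i + 1 < input.size()) { undef(input[++i]); continue; }
                    if (t == "(") ++depth;
                    if (t == ")") { if (depth == 0) break; --depth; }
                    if (t == "," && depth == 0) { args.emplace_back(); continue; }
                    args.back().push_back(t);
                }
                // `macro` is still valid here even if table_ no longer names it.
                for (const std::string& b : macro->body) {
                    size_t p = 0;
                    while (p < macro->params.size() && macro->params[p] != b) ++p;
                    if (p < macro->params.size() && p < args.size())
                        out.insert(out.end(), args[p].begin(), args[p].end());
                    else
                        out.push_back(b);
                }
            } else {
                out.push_back(tok);  // a function-like name without "(" is not an invocation
            }
            inUse_.pop_back();
        }
        return out;
    }

    // Drops only the table's reference; an expansion in flight keeps its own. The
    // diagnostic is this example's choice, not a claim about what ANGLE reports.
    void undef(const std::string& name) {
        for (const std::string& n : inUse_)
            if (n == name) diagnostics_.push_back("#undef of '" + name + "' during its invocation");
        table_.erase(name);
    }
    const std::vector<std::string>& diagnostics() const { return diagnostics_; }

private:
    MacroTable& table_;
    std::vector<std::string> inUse_;  // macros currently being invoked
    std::vector<std::string> diagnostics_;
};

struct SampleResult { std::vector<std::string> output, diagnostics; };

// Constructed sample: FOO(x) -> x + x, with "#undef FOO" inside the argument list.
SampleResult runSample() {
    MacroTable table;
    {
        auto foo = std::make_shared<Macro>();
        foo->functionLike = true; foo->params = {"x"}; foo->body = {"x", "+", "x"};
        table["FOO"] = foo;  // after this block the table is the sole owner
    }
    ToyExpander ex(table);
    std::vector<std::string> out = ex.expand({"FOO", "(", "1", "#undef", "FOO", ")", "FOO"});
    return {out, ex.diagnostics()};
}

int main() {  // prints: 1 + 1 FOO
    for (const std::string& t : runSample().output) std::cout << t << ' ';
    std::cout << '\n';
}
```

The invocation of FOO completes with the original replacement list even though the table entry was erased halfway through collecting its arguments, and the trailing FOO is emitted unchanged because it is no longer a macro. Under AddressSanitizer a raw-pointer version of the same expander would report exactly the heap-use-after-free READ this issue describes; holding a counted reference (or refusing the #undef with a diagnostic) removes the dangling access rather than just hiding it.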

Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 420217:420295.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5881269835792384
Fuzzer: afl_translator_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60d000001418
Crash State:
  pp::MacroExpander::expandMacro
  pp::MacroExpander::pushMacro
  pp::MacroExpander::lex
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=419085:419121
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=420217:420295
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WlPuLfM3HtRaMML7SN8Q6DbZiDKThcb2-lzx1eguwYnbBMKXl41O5IHAdsmSbBdqmBSvzo2MAkPw3s9ftK1r2D7NxXsFy7ZxXdQhS7y6n5e0HU51IEVVA_VrWf7xAEADKifwwKauVzvWpBsvSSR6IZBiQdQ?testcase_id=5881269835792384

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 23 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sep 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/86dc7effdd78ad7aacdaf3af7fb8eb7e380e9f64

commit 86dc7effdd78ad7aacdaf3af7fb8eb7e380e9f64
Author: cwallez <cwallez@chromium.org>
Date: Fri Sep 23 21:21:19 2016

Roll ANGLE c287ea6..28a97ee

https://chromium.googlesource.com/angle/angle.git/+log/c287ea6..28a97ee

BUG=chromium:648031, chromium:648135, 648063, 607283, 645532, chromium:648074
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Merge branch 'master' of https://chromium.googlesource.com/chromium/src

fuzzers: add a fuzzer for the ANGLE shader translator

BUG=angleproject:1522

Review-Url: https://codereview.chromium.org/2364873003
Cr-Commit-Position: refs/heads/master@{#420732}

[modify] https://crrev.com/86dc7effdd78ad7aacdaf3af7fb8eb7e380e9f64/DEPS

Sep 24 2016

Oct 25 2016

Dec 31 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot