Stack-buffer-overflow in tls1_set_curves
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5795514852573184
Fuzzer: libfuzzer_boringssl_ssl_ctx_api_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f55cb34e439
Crash State:
  tls1_set_curves
  SSL_CTX_set1_curves
  $_32::operator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=426164:426214
Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95CHTC-IrId4mKTYgAjhhVBrWvHIpvFo2Fv6LY9fvW97z-P_K2KoRjjma041q5an7yfvHptrhV-OPf3FRPVHPzRxWggs16vEFjUEbeuPwQbde9UQgGUXWBVFXQNcrlCnfxfGSAz7ju2ngkrGCJLug6mxul0Ug?testcase_id=5795514852573184
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 26 2016
Oct 26 2016
Sorry this was incorrectly marked in mass update, this has security implications.
Oct 26 2016
Oct 26 2016
Oct 26 2016
Looks like this is just a bug in the fuzzer:
    SSL_CTX_set1_curves(ctx, reinterpret_cast<const int *>(curves.data()),
                        curves.size());
should be:
    SSL_CTX_set1_curves(ctx, reinterpret_cast<const int *>(curves.data()),
                        curves.size() / sizeof(int));
I'll go fix that.
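The comment above describes a unit mismatch: the fuzzer kept its input as a byte string and passed `curves.size()` (a byte count) where SSL_CTX_set1_curves expects the number of ints, so the callee read sizeof(int) times as much memory as the buffer held. The following is an added example, not the fuzzer's or BoringSSL's code, showing the conversion a harness should do when handing fuzzer bytes to an int-array API, plus a way to quantify what the buggy count would have overread. `MockSet1Curves` is an assumed stand-in for SSL_CTX_set1_curves so the example builds without BoringSSL; `kConstructedInput` is a constructed sample buffer.

```cpp
// Added example (not from the Chromium fuzzer or BoringSSL): converting a
// fuzzer's raw byte buffer into an int array with the element count that
// SSL_CTX_set1_curves(const int *curves, size_t ncurves) expects. ncurves
// counts ints, not bytes; passing the byte count makes the callee read
// sizeof(int) times past the end of the buffer.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Copy whole ints out of an arbitrary byte buffer. Trailing bytes that do
// not fill a complete int are dropped, so the returned size() is always a
// valid element count. memcpy also avoids the strict-aliasing issue of
// reinterpret_cast<const int *>(bytes).
std::vector<int> CurvesFromFuzzerBytes(const uint8_t *data, size_t size) {
  std::vector<int> curves(size / sizeof(int));
  if (!curves.empty()) {
    std::memcpy(curves.data(), data, curves.size() * sizeof(int));
  }
  return curves;
}

// Assumed stand-in for SSL_CTX_set1_curves: touches ncurves ints and
// returns how many it consumed, so the count can be observed in a test.
// (The real function returns 1 on success and takes an SSL_CTX first.)
size_t MockSet1Curves(const int *curves, size_t ncurves) {
  size_t seen = 0;
  for (size_t i = 0; i < ncurves; i++) {
    (void)curves[i];  // in bounds only if ncurves is an element count
    seen++;
  }
  return seen;
}

// Bytes past the end of a size-byte buffer that the buggy call would read
// if size were passed as the element count: size ints span size*sizeof(int)
// bytes, of which only size are valid. Pure arithmetic, no memory access.
size_t OverreadBytesForBuggyCount(size_t size) {
  return size * sizeof(int) - size;
}

// Correct path: convert first, then pass the typed vector's element count.
size_t RunCorrectCall(const uint8_t *data, size_t size) {
  std::vector<int> curves = CurvesFromFuzzerBytes(data, size);
  return MockSet1Curves(curves.data(), curves.size());
}

// Constructed sample input: 10 bytes = two whole ints plus two leftovers.
// Each int is filled with one repeated byte so its value is endian-neutral.
const uint8_t kConstructedInput[10] = {1, 1, 1, 1, 2, 2, 2, 2, 9, 9};
const size_t kConstructedInputSize = sizeof(kConstructedInput);
```

For a 10-byte input the correct call hands the callee 2 curve IDs, whereas passing 10 as the count would have the callee read 40 bytes from a 10-byte buffer, which is exactly the ASan "READ 4" past the stack buffer that ClusterFuzz reported.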
Oct 26 2016
Oct 26 2016
The following revision refers to this bug:
https://boringssl.googlesource.com/boringssl.git/+/9415a14acf8ea9e84118f1b1ab1f0d97a3de1d19

commit 9415a14acf8ea9e84118f1b1ab1f0d97a3de1d19
Author: David Benjamin <davidben@google.com>
Date: Wed Oct 26 13:58:16 2016

Fix SSL_CTX_set1_curves fuzzer.

SSL_CTX_set1_curves was being called with the size of the input data in bytes rather than in ints.

BUG= chromium:659361

Change-Id: I90da1c6d60e92423c6b7d9efd744ae70ff589172
Reviewed-on: https://boringssl-review.googlesource.com/11840
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

[modify] https://crrev.com/9415a14acf8ea9e84118f1b1ab1f0d97a3de1d19/fuzz/ssl_ctx_api.cc
Oct 26 2016
Fix should be picked up in the next BoringSSL roll. (This doesn't have security impact. It was a bug in the fuzzer itself. The API in question also isn't used in Chromium and is not usually used with attacker-controlled input. Still good to fuzz such things, of course.)
Oct 27 2016
Oct 27 2016
Oct 28 2016
Issue 660514 has been merged into this issue.
Oct 29 2016
ClusterFuzz has detected this issue as fixed in range 428469:428574.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5795514852573184
Fuzzer: libfuzzer_boringssl_ssl_ctx_api_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Stack-buffer-overflow READ 4
Crash Address: 0x7f55cb34e439
Crash State:
  tls1_set_curves
  SSL_CTX_set1_curves
  $_32::operator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=426164:426214
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=428469:428574
Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95CHTC-IrId4mKTYgAjhhVBrWvHIpvFo2Fv6LY9fvW97z-P_K2KoRjjma041q5an7yfvHptrhV-OPf3FRPVHPzRxWggs16vEFjUEbeuPwQbde9UQgGUXWBVFXQNcrlCnfxfGSAz7ju2ngkrGCJLug6mxul0Ug?testcase_id=5795514852573184
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 21 2018
Comment 1 by aarya@google.com, Oct 26 2016