
Issue 659363 link


Issue metadata

Status: Fixed
Closed: Oct 2016
OS: Linux
Pri: 1
Type: Bug




Crash in net::SdchManager::SetAllowLatencyExperiment

Project Member Reported by ClusterFuzz, Oct 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6249524000718848

Fuzzer: libfuzzer_net_url_request_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  net::SdchManager::SetAllowLatencyExperiment
  net::SdchManager::BlacklistDomain
  net::SdchPolicyDelegate::OnDictionaryIdError
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=427325:427378

Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96toWraK2oFVC-9B50p1qHFtHMNz6t4qKRp1NTbAH6P3iq9-3Cn8d4wDlZV5gmqmo9XM9rFvD4FYuVCXvN6DEvIVNE4bDSe1sBNWWyobA6i1rUT-9DLdDjNewah7PVNqDnbu6C6oe-U9bUHkh8h2b6iNPblAg?testcase_id=6249524000718848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Internals>Network
Labels: M-56 Te-Logged
Owner: xunji...@chromium.org
Status: Assigned (was: Untriaged)
Author: xunjieli
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d49eb584a73cb1d96cf1efb05ff839376340cfe1
Time: Tue Oct 25 14:25:17 2016
File sdch_source_stream.cc is changed in this cl (and is part of stack frame #6, "net::SdchSourceStream::FilterData")
Minimum distance from crash line to modified line: 17. (file: sdch_source_stream.cc, crashed on: 128, modified: 145).

Author: xunjieli
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/28a187760807a40049084627465be82a5d1e3118
Time: Tue Oct 25 15:30:06 2016
File sdch_policy_delegate.cc is changed in this cl (and is part of stack frame #5, "net::SdchPolicyDelegate::OnDictionaryIdError")
Minimum distance from crash line to modified line: 93. (file: sdch_policy_delegate.cc, crashed on: 309, modified: 402).

Suspected Project: chromium
Suspected Component: Internals>Network
Cc: rdsmith@chromium.org mmenke@chromium.org
Components: -Internals>Network Internals>Network>Filters
Thanks! I will look into it asap.
cc-ing my reviewers so they know I am on it.

The problem here is that the fuzzer doesn't have an sdch manager. When SdchPolicyDelegate sees that the dictionary id is malformed, it tries to call sdch_manager_->BlacklistDomain(). However, sdch_manager_ is null.

I looked at the original net::SdchFilter code, and I don't see a difference: it calls into url_request_context_->sdch_manager() without a null check. Should we initialize the fuzzer with an sdch manager?


Status: Started (was: Assigned)
Ah, nvm. I see the difference now. I will upload a fix.
Proposed fix is in review https://codereview.chromium.org/2451233002/
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9a328c6cd891d02c535c997abd330a05e10e2398

commit 9a328c6cd891d02c535c997abd330a05e10e2398
Author: xunjieli <xunjieli@chromium.org>
Date: Wed Oct 26 21:38:24 2016

Make request fail with ERR_CONTENT_DECODING_INIT_FAILED if sdch is not supported

When the server sends us an sdch-encoded response, but we never
advertised sdch support, this CL makes SetUpSourceStream
return null so that the request is failed with
ERR_CONTENT_DECODING_INIT_FAILED.

The old behavior in net::Filter passed through the raw
content without generating an error.

BUG=659363

Review-Url: https://codereview.chromium.org/2451233002
Cr-Commit-Position: refs/heads/master@{#427815}

[modify] https://crrev.com/9a328c6cd891d02c535c997abd330a05e10e2398/net/filter/sdch_policy_delegate.cc
[modify] https://crrev.com/9a328c6cd891d02c535c997abd330a05e10e2398/net/url_request/url_request_http_job.cc
[modify] https://crrev.com/9a328c6cd891d02c535c997abd330a05e10e2398/net/url_request/url_request_http_job_unittest.cc

Status: Fixed (was: Started)
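The control flow discussed in the comments above, as an added example rather than Chromium's own code: the fuzzer's URLRequestContext has no SdchManager, so a response claiming `Content-Encoding: sdch` led to an SdchPolicyDelegate whose manager pointer was null, and the first error path that touched it (a malformed dictionary id) read through null. The fix moves the decision earlier: if sdch was never advertised, SetUpSourceStream returns null and the request fails with ERR_CONTENT_DECODING_INIT_FAILED. The names `SdchManager`, `SdchPolicyDelegate`, `SourceStream`, `RequestState`, `Result`, `ProbeSetUp` and `DriveDictionaryIdError` below are simplified stand-ins (assumptions) for the real net:: classes, and the sample responses are constructed for the example.

```cpp
// Added example, not Chromium's code. Models the check the fix for
// crbug.com/659363 added to SetUpSourceStream, using simplified stand-ins
// (assumed names) for net::SdchManager, net::SdchPolicyDelegate and the
// source-stream chain built by URLRequestHttpJob.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

// Stand-in for net::SdchManager: only the call the crash stack reached.
struct SdchManager {
  std::vector<std::string> blacklisted;
  void BlacklistDomain(const std::string& domain) {
    blacklisted.push_back(domain);
  }
};

// Stand-in for net::SdchPolicyDelegate. Before the fix a delegate could be
// created for a context that never set up a manager, so the first error
// path that used manager_ dereferenced null.
struct SdchPolicyDelegate {
  SdchManager* manager;  // may be null in a context with no SdchManager
  std::string domain;

  // Returns true when the domain was blacklisted, false when there was no
  // manager to record it. The pre-fix code had no null check here.
  bool OnDictionaryIdError() {
    if (manager == nullptr) return false;
    manager->BlacklistDomain(domain);
    return true;
  }
};

// Per-request state that filter-chain setup looks at (assumed shape).
struct RequestState {
  std::vector<std::string> content_encodings;  // parsed Content-Encoding
  bool advertised_sdch;       // did the request offer sdch in Accept-Encoding?
  SdchManager* sdch_manager;  // from the request context; may be null
  std::string domain;
};

enum class Result { kOk, kContentDecodingInitFailed };

struct SourceStream {
  std::vector<std::string> filters;
  std::unique_ptr<SdchPolicyDelegate> delegate;  // present only for sdch
};

static bool HasEncoding(const RequestState& s, const std::string& name) {
  return std::find(s.content_encodings.begin(), s.content_encodings.end(),
                   name) != s.content_encodings.end();
}

// Post-fix behaviour: a response that claims sdch encoding we never
// advertised is refused up front. Returning null makes the request fail
// with ERR_CONTENT_DECODING_INIT_FAILED instead of either passing raw bytes
// through (the old net::Filter behaviour) or building a delegate around a
// null manager pointer.
std::unique_ptr<SourceStream> SetUpSourceStream(const RequestState& s,
                                                Result* result) {
  if (HasEncoding(s, "sdch") && !s.advertised_sdch) {
    *result = Result::kContentDecodingInitFailed;
    return nullptr;
  }
  auto stream = std::make_unique<SourceStream>();
  for (const std::string& enc : s.content_encodings) {
    stream->filters.push_back(enc);
    if (enc == "sdch") {
      // Advertising sdch requires a manager, so on every path that reaches
      // here the pointer is non-null (assumption mirrored from Chromium).
      stream->delegate = std::make_unique<SdchPolicyDelegate>(
          SdchPolicyDelegate{s.sdch_manager, s.domain});
    }
  }
  *result = Result::kOk;
  return stream;
}

// Outcome of setup for a given response, for callers that only need the
// decision.
Result ProbeSetUp(const RequestState& s) {
  Result r;
  SetUpSourceStream(s, &r);
  return r;
}

// Drives the error path the fuzzer hit: setup, then a malformed dictionary
// id. Returns the number of domains the manager has blacklisted afterwards,
// 0 if no sdch delegate exists, or -1 if setup refused the response (so no
// delegate was ever created and no manager pointer was ever touched).
int DriveDictionaryIdError(const RequestState& s) {
  Result r;
  std::unique_ptr<SourceStream> stream = SetUpSourceStream(s, &r);
  if (!stream) return -1;
  if (!stream->delegate) return 0;
  stream->delegate->OnDictionaryIdError();
  return s.sdch_manager
             ? static_cast<int>(s.sdch_manager->blacklisted.size())
             : 0;
}
```

The point worth checking is the unadvertised case: with the check in place, `DriveDictionaryIdError` never reaches `OnDictionaryIdError` for a context without a manager, which is exactly the path the libFuzzer testcase exercised.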
Project Member

Comment 8 by ClusterFuzz, Oct 27 2016

ClusterFuzz has detected this issue as fixed in range 427781:427848.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=427781:427848


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
