Use-of-uninitialized-value in base::trace_event::TraceLog::GetCategoryGroupEnabledInternal
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6276378938048512

Fuzzer: libfuzzer_content_security_policy_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  base::trace_event::TraceLog::GetCategoryGroupEnabledInternal
  base::trace_event::TraceLog::GetCategoryGroupEnabled
  blink::UseCounter::recordMeasurement

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=430376:430431

Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96CY2r1faiUgLqusc58N8ZmUjtsO-Mpp4pX0dnHPa4ZNDK-KSqZNObhKk--fBwf-Z8plFBBHOMQLWVuYycC-l5l9yZlsXc7-e62rYgcs7Ac-0tHGMLE1v_PCM_4srwFMgdq8H5xngKI9dVFs6Hsr4-e6-c5jw?testcase_id=6276378938048512

default-src 'self'

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Nov 8 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 8 2016
Nov 9 2016
This appears to be a bug in libfuzzer. https://cs.chromium.org/chromium/src/third_party/libFuzzer/src/FuzzerTracePC.cpp?l=246 AddValueForStrcmp is called with n=64, so Len is 32. The loop appears to look for the first index where s1 and s2 differ. It terminates upon a null byte in s1, but does not consider null termination of s2.
Nov 9 2016
Nov 11 2016
Dec 16 2016
ClusterFuzz has detected this issue as fixed in range 438777:438804.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6276378938048512

Fuzzer: libfuzzer_content_security_policy_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  base::trace_event::TraceLog::GetCategoryGroupEnabledInternal
  base::trace_event::TraceLog::GetCategoryGroupEnabled
  blink::UseCounter::recordMeasurement

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=430376:430431
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=438777:438804

Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96CY2r1faiUgLqusc58N8ZmUjtsO-Mpp4pX0dnHPa4ZNDK-KSqZNObhKk--fBwf-Z8plFBBHOMQLWVuYycC-l5l9yZlsXc7-e62rYgcs7Ac-0tHGMLE1v_PCM_4srwFMgdq8H5xngKI9dVFs6Hsr4-e6-c5jw?testcase_id=6276378938048512

default-src 'self'

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 16 2016
ClusterFuzz testcase 6276378938048512 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.