dcheck in json_parser.cc
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Steps to reproduce the problem:
Run:
#include "base/json/json_reader.h"
base::JSONReader::Read("{\"\\x-53\"}");
Receive:
[1022/045550:FATAL:json_parser.cc(318)] Check failed: static_cast<unsigned char>(c) < 128 (� vs. 128)
What is the expected behavior?
What went wrong?
This check appears to be intended to ensure the string is 8-bit clean, but the testcase shows how to bypass that. I don't know whether this can be exploited to cause further problems.
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 54.0.2840.71 Channel: n/a
OS Version:
Flash Version: Shockwave Flash 23.0 r0
I think the bug was introduced in https://chromium.googlesource.com/chromium/src/+/6e680cfca66d0461f2824ccb5128e4f9cbb20bb6.
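The crash hinges on what the parser's "\x" escape decoder is willing to accept. As an added illustration, not Chromium's json_parser.cc, the C++ below compares a lenient two-character hex decoder built on strtol (which also accepts a sign, so "\x-5" decodes to -5) with a strict digits-only decoder, and writes the DCHECK condition from the report out as a predicate. That a sign slips through the hex conversion is an assumption drawn from the testcase, not something the page states.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>

struct Decoded {
  bool ok;    // false if the text is not accepted as a "\xHH" escape
  int value;  // decoded code unit when ok
};

// Lenient decoder (illustrative, assumed cause, not Chromium's code): the two
// characters after "\x" are handed to strtol, which accepts a sign or a
// leading space in addition to hex digits, so "\x-5" decodes to -5.
Decoded LenientHexEscape(const std::string& esc) {
  if (esc.size() != 4 || esc[0] != '\\' || esc[1] != 'x') return {false, 0};
  std::string digits = esc.substr(2, 2);
  char* end = nullptr;
  long v = std::strtol(digits.c_str(), &end, 16);
  if (end != digits.c_str() + digits.size()) return {false, 0};  // not fully consumed
  return {true, static_cast<int>(v)};
}

// Strict decoder: exactly two hexadecimal digits, nothing else, so the result
// is always in [0, 255] and a sign can never reach the string builder.
Decoded StrictHexEscape(const std::string& esc) {
  if (esc.size() != 4 || esc[0] != '\\' || esc[1] != 'x') return {false, 0};
  int v = 0;
  for (size_t i = 2; i < 4; ++i) {
    unsigned char c = static_cast<unsigned char>(esc[i]);
    if (!std::isxdigit(c)) return {false, 0};
    int digit = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
    v = v * 16 + digit;
  }
  return {true, v};
}

// The invariant guarded by the DCHECK quoted in the report: a byte appended
// as a plain char must be 7-bit. A negative int cast to unsigned char lands
// at or above 128, which is why -5 trips it.
bool PassesEightBitCheck(int c) {
  return static_cast<unsigned char>(c) < 128;
}
```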

Nov 14 2016
+lhchavez@ to merge to Chrome OS' libchrome once this is fixed.

Nov 14 2016
What version of the code are you using? Pretty sure this was fixed by https://codereview.chromium.org/2321683003.

Nov 14 2016
54.0.2840.71 = branched at 1ae106dbab4b = {#414607}
https://codereview.chromium.org/2321683003 landed at 617caed52b42 = {#417121}
nlewycky, can you test with Chrome Beta, which is currently version 55? It should be fixed there.

Nov 14 2016
I was testing in ChromeOS with the 'whirlwind' board. I don't know how to check this against chrome the browser. I did patch in https://codereview.chromium.org/2321683003 locally and it fixes the problem.

Nov 14 2016
Great, then marking this as a dupe. Fix will roll out shortly to stable.

Comment 1 by lhchavez@chromium.org, Nov 14 2016. Status: Available (was: Unconfirmed)