Heap-use-after-free in ~ScopedMacroReenabler
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4528111682322432

Fuzzer: afl_angle_translator_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x60d000000d79
Crash State:
  ~ScopedMacroReenabler
  pp::MacroExpander::collectMacroArgs
  pp::MacroExpander::expandMacro

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=434364:434390

Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95NiIpkQMYi1THlsMKfeW61QiC28xYCfAiNoW2oXXZU3lXgN5K4_j4Xf_oD0zERSfKbFjzG0L1ZqC9j5-nY8jjQ-HN48ItN6omR3uWnuM5K8sCtz8WgvRyxWi6942L8XOHo_hN0SEsAMZlVDtmDgjsC43G1scNKKS3P17iAyDdUL1C10KDdnG79XMgv9qrc3gNtT68kG7MTiltNFHiO5Wz0a2q5_I6sTFt9hd9KtYt4YZyOsjJ_GwdU7Ip9S_MVr2azABukwQ8pV47C887HYKr1i0NCRwE7daBJ0BIlJP6ioIrGPHYDIMWrERrqRiI6-BfA6ZWUccZHX44GiGkbR8lx3fQKK7V0m-IPqlb6cT_eAdi7K0c?testcase_id=4528111682322432

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Jan 15 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 15 2017
Jan 17 2017
cwallez: can you take a look at this please? The ClusterFuzz blame suggests oetuaho's https://chromium.googlesource.com/angle/angle.git/+/f1cf5e630910e9373237e5f47de7e6237cdd41ac as the cause of this.
Jan 17 2017
Jan 17 2017
The issue seems to be that MacroExpander stores a pointer to a Macro object that's stored inside an std::map. If the std::map moves its contents around in memory, use-after-free can happen through the pointer. I think the issue existed before my patch, but a fairly quick fix should be possible. I'll work on it today.
Jan 17 2017
I root caused the issue. It's actually not due to reordering the map, but happens when reenabling a macro is deferred to prevent infinite recursion of macro invocations and then the macro is undef'd. Reenabling a macro can refer to the memory that was freed on undef. It was my earlier patch to fix another crash bug that caused this issue: https://chromium.googlesource.com/angle/angle/+/78b0c91daf16146034982fc3f7dd8d1ba90b3a0a
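The failure mode described in the two comments above (a deferred re-enable writing through a pointer to a Macro that an #undef has already freed) and the shared-pointer fix in the commit that follows, as an added C++ illustration that is not ANGLE's code: the Macro, MacroSet, ScopedMacroReenabler and expandThenUndef definitions here are a hypothetical toy model of the pattern, and only the macro names AAA and BBB are taken from the fuzzer's test case.

```cpp
#include <map>
#include <memory>
#include <string>
// Toy model of the preprocessor macro table (hypothetical names, not ANGLE's code).
struct Macro {
    std::string name;
    bool disabled = false;  // set while the macro is being expanded, to block self-recursion
};
// Before the fix the reenabler kept a raw Macro* into the table: "#undef" erased the entry,
// and the destructor's one-byte store to `disabled` landed in freed memory (consistent with
// the report's "WRITE 1"). With shared ownership a Macro lives while anyone still points at it.
using MacroSet = std::map<std::string, std::shared_ptr<Macro>>;

// RAII guard: disables the macro during its expansion, re-enables it when the scope ends.
class ScopedMacroReenabler {
public:
    explicit ScopedMacroReenabler(std::shared_ptr<Macro> macro) : mMacro(macro) {
        mMacro->disabled = true;
    }
    ~ScopedMacroReenabler() { mMacro->disabled = false; }  // now always a write to live memory
private:
    std::shared_ptr<Macro> mMacro;  // shared ownership is the fix; a raw pointer was the bug
};

struct UndefDuringExpansion {
    bool disabledWhileExpanding;  // guard active, entry already gone from the table
    bool disabledAfterScope;      // guard destroyed: the deferred re-enable has run
    bool stillInTable;            // the #undef itself must still take effect
};

// Models a macro invocation that meets "#undef NAME" while its arguments are still being
// collected, the ordering the fuzzer found.
UndefDuringExpansion expandThenUndef(MacroSet &macros, const std::string &name) {
    std::shared_ptr<Macro> macro = macros.at(name);  // second owner, alongside the table
    UndefDuringExpansion r{};
    {
        ScopedMacroReenabler reenabler(macro);
        macros.erase(name);  // the #undef: drops only the table's reference
        r.disabledWhileExpanding = macro->disabled;
    }
    r.disabledAfterScope = macro->disabled;
    r.stillInTable = macros.count(name) != 0;
    return r;
}

// Constructed sample table using the two macro names from the fuzzer's test case.
MacroSet makeMacroSet() {
    MacroSet macros;
    for (const char *n : {"AAA", "BBB"}) { macros[n] = std::make_shared<Macro>(); macros[n]->name = n; }
    return macros;
}
```

Running the same sequence with a `std::map<std::string, Macro>` and a raw `Macro*` in the guard is what ASan reports as the heap-use-after-free in the destructor.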
Jan 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/47c27e8292f810e300b9763d226f73870764a1fd

commit 47c27e8292f810e300b9763d226f73870764a1fd
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Tue Jan 17 15:29:35 2017

Manage preprocessor Macro objects with shared pointers

This ensures that pointers to Macros that are removed from the macro set stay valid. Pointers to undef'd macros may need to be referred to if reenabling the macros has been deferred.

BUG= chromium:681324
TEST=angle_unittests

Change-Id: Ibbbabbcbd6b0a84254cda717ae63712e6d404ebd
Reviewed-on: https://chromium-review.googlesource.com/427948
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/compiler/preprocessor/MacroExpander.cpp
[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/compiler/preprocessor/MacroExpander.h
[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/compiler/preprocessor/Macro.cpp
[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/compiler/preprocessor/DirectiveParser.cpp
[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/tests/preprocessor_tests/define_test.cpp
[modify] https://crrev.com/47c27e8292f810e300b9763d226f73870764a1fd/src/compiler/preprocessor/Macro.h
Jan 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bfeb98a98d8495492d476d851b896fb09cf1a6ab

commit bfeb98a98d8495492d476d851b896fb09cf1a6ab
Author: geofflang <geofflang@chromium.org>
Date: Tue Jan 17 20:30:07 2017

Roll ANGLE 6a6b09c..47c27e8

https://chromium.googlesource.com/angle/angle.git/+log/6a6b09c..47c27e8

BUG= chromium:681324
TBR=cwallez@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2640523002
Cr-Commit-Position: refs/heads/master@{#444125}

[modify] https://crrev.com/bfeb98a98d8495492d476d851b896fb09cf1a6ab/DEPS
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 443963:443986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4528111682322432

Fuzzer: afl_angle_translator_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x60d000000d79
Crash State:
  ~ScopedMacroReenabler
  pp::MacroExpander::collectMacroArgs
  pp::MacroExpander::expandMacro

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=434364:434390
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=443963:443986

Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95NiIpkQMYi1THlsMKfeW61QiC28xYCfAiNoW2oXXZU3lXgN5K4_j4Xf_oD0zERSfKbFjzG0L1ZqC9j5-nY8jjQ-HN48ItN6omR3uWnuM5K8sCtz8WgvRyxWi6942L8XOHo_hN0SEsAMZlVDtmDgjsC43G1scNKKS3P17iAyDdUL1C10KDdnG79XMgv9qrc3gNtT68kG7MTiltNFHiO5Wz0a2q5_I6sTFt9hd9KtYt4YZyOsjJ_GwdU7Ip9S_MVr2azABukwQ8pV47C887HYKr1i0NCRwE7daBJ0BIlJP6ioIrGPHYDIMWrERrqRiI6-BfA6ZWUccZHX44GiGkbR8lx3fQKK7V0m-IPqlb6cT_eAdi7K0c?testcase_id=4528111682322432

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2017
ClusterFuzz testcase 4528111682322432 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 18 2017
Jan 27 2017
Apr 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot