LangFuzz Chrome Crashes.
Reported by mishra.d...@gmail.com, Jan 22 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Steps to reproduce the problem:
Vulnerability Details :
Most likely due to Memory Corruption.
Version :
Google Chrome 55.0.2883.87 (Official Build) m (64-bit)
OS : Windows 7
Crash ID :
ad244739-2b89-45b1-81dd-b7edf7bea09a
What is the expected behavior?
What went wrong?
Testcase :
<html><head><title></title>
<script type="text/javascript">
  while (true) try {
    var object = { };
    function g(f0) {
      var f0 = (object instanceof encodeURI)('foo');
    }
    g(75);
  } catch (g) { }
</script>
</head></html>
OR visit
http://hackies.in/gc.html
Chrome gives an "Aw, Snap!" page.
Did this work before? N/A
Chrome version: 55.0.2883.87 (Official Build) m (64-bit) Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0
Jan 23 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6308102694764544
Jan 23 2017
This doesn't repro on Mac on m55 -- It just locks up the page and I get the prompt that the page is wedged. It doesn't appear to be an OOM issue on Mac. I'll try it on CF on Windows.
Jan 24 2017
The report ID from comment 1 looks like a hang rather than an actual crash, which is consistent with comment 3. I'm unsure of what's going on, but I don't see anything to suggest memory corruption. You may want to try fuzzing with an AddressSanitizer build, which is instrumented to detect most common memory corruption issues. See https://commondatastorage.googleapis.com/chromium-browser-asan/index.html for prebuilt binaries and https://dev.chromium.org/developers/testing/addresssanitizer for more information.
Comment 1 by mishra.d...@gmail.com, Jan 22 2017