Issue 685606 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 682910
Owner:	----
Closed:	Jan 2017
Cc:	kouhei@chromium.org oilpan-reviews@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Clusterfuzz M-58 Test-Predator-Wrong

count <= maxHeapObjectSize / sizeof(T) in HeapAllocator.h

Project Member Reported by ClusterFuzz, Jan 26 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004204901761024

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxHeapObjectSize / sizeof(T) in HeapAllocator.h
  blink::toImplArray<>
  blink::NavigatorPartialV8Internal::requestMediaKeySystemAccessMethodCallback
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=445525:445725

Minimized Testcase (19.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96C5n1FuehoOCBHJnMIr9kQN0fGT5ILaEn94GDRJlroS8cVcSkytTDQk8xcNkwp4j2ynRHI8J415nPdJ4QIMoVwbgUI84AuYkprgbwESQsGQTl9hVN4fN6zC1BmN3u0WWB8Lp8sStE66m8VpFpMGKgLWH2VKODK2zmwaRC9PRFY9EhoII2VlexBdNNNv9FzBwWE5HM-Ztr_jQOjw2C0TVrZpITX6gU_AFs3zW2736NuN49zARq9dreAWtrENEovyKPy8qcTVDzuLuWTk6lRnrR1JjtM7DUf_FE5NhMxOi9_txhxOFvd6puZeFZG1oJCuJAuZxyR1qHYlw-CfQDNeyW0SgBy6XnUwowqWKSI6LD1nrHRcb4?testcase_id=6004204901761024

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jan 27 2017

Cc: oilpan-reviews@chromium.org kouhei@chromium.org
Labels: Test-Predator-Wrong M-58

Comment 2 by peria@chromium.org, Jan 27 2017

Mergedinto: 682910
Status: Duplicate (was: Untriaged)

Project Member

Comment 3 by ClusterFuzz, Feb 2 2017

ClusterFuzz has detected this issue as fixed in range 447304:447472.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004204901761024

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= maxHeapObjectSize / sizeof(T) in HeapAllocator.h
  blink::toImplArray<>
  blink::NavigatorPartialV8Internal::requestMediaKeySystemAccessMethodCallback
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=445525:445725
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=447304:447472

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96C5n1FuehoOCBHJnMIr9kQN0fGT5ILaEn94GDRJlroS8cVcSkytTDQk8xcNkwp4j2ynRHI8J415nPdJ4QIMoVwbgUI84AuYkprgbwESQsGQTl9hVN4fN6zC1BmN3u0WWB8Lp8sStE66m8VpFpMGKgLWH2VKODK2zmwaRC9PRFY9EhoII2VlexBdNNNv9FzBwWE5HM-Ztr_jQOjw2C0TVrZpITX6gU_AFs3zW2736NuN49zARq9dreAWtrENEovyKPy8qcTVDzuLuWTk6lRnrR1JjtM7DUf_FE5NhMxOi9_txhxOFvd6puZeFZG1oJCuJAuZxyR1qHYlw-CfQDNeyW0SgBy6XnUwowqWKSI6LD1nrHRcb4?testcase_id=6004204901761024


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 685606 link

Issue metadata

count <= maxHeapObjectSize / sizeof(T) in HeapAllocator.h

Issue description

Comment 1 by mummare...@chromium.org, Jan 27 2017

Comment 1 Deleted

Comment 2 by peria@chromium.org, Jan 27 2017

Comment 2 Deleted

Comment 3 by ClusterFuzz, Feb 2 2017

Comment 3 Deleted

Sign in to add a comment