Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in __RT_impl_Runtime_TypedArraySortFast |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4613217012940800 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8 Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x622000002c89 Crash State: __RT_impl_Runtime_TypedArraySortFast v8::internal::Runtime_TypedArraySortFast v8::internal::Invoke Sanitizer: address (ASAN) Recommended Security Severity: Medium Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94gxV8Oiifs-MqnmUOwuko57yt7uVFxQblYM9Cef_Dz15efgNXZvuCnY_Bf5ye1EUCtoPRePKldcqbbhGOG9wRl9odqkIjy5H4_-xk3GPQiKFfhyyS0FhTMCc02U6DyeGDWLrlmkPSiofcgsfZPG_ywSTkvTzdZl6ZxkC5gZkzp8PNJDWTI8dScTYKCpRlIKTedLanQFfGSjTWY1IMHXXzb6nGa1rFrISwXoRuVLEcT1_Oy3x765jys-PGq1hFamCaduMO9s-ZFhlQpFkTVtPpEPmbJ-Gw7sBZMGrPqm5xFUsrfeAqdgAV_jOJ9NONV7FgvRGk_8f2FfQzAw5zrB9bBs8upT_-81IPyl9nyv4E-svQ80aI?testcase_id=4613217012940800 Issue manually filed by: mstarzinger See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Feb 27 2017
This is crashing in the new, fast, C++ code for sorting typed arrays. It reproduces in debug mode on ToT. Peter, can you take a look, since you reviewed the patch that introduced this code?
,
Feb 27 2017
,
Feb 27 2017
working on it: https://chromium-review.googlesource.com/c/447036/
,
Feb 27 2017
,
Feb 27 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 27 2017
,
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 43445:43446. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4613217012940800 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8 Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x622000002c89 Crash State: __RT_impl_Runtime_TypedArraySortFast v8::internal::Runtime_TypedArraySortFast v8::internal::Invoke Sanitizer: address (ASAN) Recommended Security Severity: Medium Fixed: V8: 43445:43446 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94gxV8Oiifs-MqnmUOwuko57yt7uVFxQblYM9Cef_Dz15efgNXZvuCnY_Bf5ye1EUCtoPRePKldcqbbhGOG9wRl9odqkIjy5H4_-xk3GPQiKFfhyyS0FhTMCc02U6DyeGDWLrlmkPSiofcgsfZPG_ywSTkvTzdZl6ZxkC5gZkzp8PNJDWTI8dScTYKCpRlIKTedLanQFfGSjTWY1IMHXXzb6nGa1rFrISwXoRuVLEcT1_Oy3x765jys-PGq1hFamCaduMO9s-ZFhlQpFkTVtPpEPmbJ-Gw7sBZMGrPqm5xFUsrfeAqdgAV_jOJ9NONV7FgvRGk_8f2FfQzAw5zrB9bBs8upT_-81IPyl9nyv4E-svQ80aI?testcase_id=4613217012940800 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 28 2017
ClusterFuzz testcase 5546830428635136 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 1 2017
,
Mar 8 2017
,
Mar 9 2017
,
Jun 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by mstarzinger@chromium.org
, Feb 27 2017