Crash in blink::V8ScriptValueDeserializer::deserialize
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6491533651214336
Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900007385
Crash State:
  base::debug::DebugBreak
  blink::V8ScriptValueDeserializer::deserialize
  blink::SerializedScriptValueForModulesFactory::deserialize
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=453120:453127
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv970ziQVUrpqAqLOmmaoGAkdauTQ4fRAm31Ijhj4kGHJ_FcOL8xFbTzp-FAPAacQy3pawWyd_4otsPiPjgWBXc1NuNjUGDzJ_q2-4jJ7uSFsUrk9v8G-Bb-t2i4zXZ23Xw0MVD17EripMBjwK09bW-DlrQaMutOYRuIj3AoeznY7FbSUD6w8IkvgFyY7FGL-F5JlPUy961q5Qd_5OUaqIzsDnppUGmRrw4brRGo2Qjifk5sZdMntKNBa2Q51t7Po5zjibJzPtnXNVqy_gO8fOQYTN3bv1CH8rvtiw-IHcHtUaW6etEMwh_cmhTBfVjXxsBQ7hziQ2sM62SELzn3jhzF0UrKD0GuJ4o_uCn-w1zcqIAZ9t68?testcase_id=6491533651214336

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Mar 2 2017
jbroman@, could you take a look?
Mar 2 2017
Sure.
Mar 2 2017
Urgh. I made a miscalculation about an invariant of varint encoding. This is doing something like this: 0x86 0x00, which does decode to 6, even though that would normally just be written as "0x06". Such malicious inputs wouldn't lead to anything bad (it just lets them write a rather weird wire format encoding), but it does fail the DCHECK. I'll make the envelope check verify that there are non-zero high bits in the alleged version number.
Mar 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/43c2760715bdba5d474b1f0537244de8c7680ab6

commit 43c2760715bdba5d474b1f0537244de8c7680ab6
Author: jbroman <jbroman@chromium.org>
Date: Fri Mar 03 02:17:23 2017

Move the full Blink version envelope reading logic into V8ScriptValueDeserializer.

Doing a proper varint decode ensures that the code to read the version from the envelope and the code that detects the envelope agree. The fuzzer detected that it was possible to encode a small version number with a large number of bytes (with the leading one being 0x80). This corrects that and adds a test for that case.

BUG= 697505
Review-Url: https://codereview.chromium.org/2731533002
Cr-Commit-Position: refs/heads/master@{#454467}

[modify] https://crrev.com/43c2760715bdba5d474b1f0537244de8c7680ab6/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
[modify] https://crrev.com/43c2760715bdba5d474b1f0537244de8c7680ab6/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueSerializerTest.cpp
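The overlong-varint case from jbroman's comment and the commit message above, worked through as an added illustration (not code from the bug thread or from Blink): a base-128 varint reader, a canonical-encoding check that rejects forms such as 0x86 0x00 while accepting 0x06, and an envelope reader that routes both envelope detection and the version read through the same decoder so the two cannot disagree. The 0xFF version tag byte and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical helper (not Blink's API): one decoded base-128 varint,
// little-endian 7-bit groups with a continuation bit in the high bit.
struct Varint {
  uint64_t value;
  size_t length;  // bytes consumed
};

// Decode the varint starting at data[offset]. Returns nullopt if the input
// is truncated (continuation bit set on the final byte) or exceeds 64 bits.
std::optional<Varint> DecodeVarint(const std::vector<uint8_t>& data,
                                   size_t offset = 0) {
  uint64_t value = 0;
  for (size_t i = 0; i < 10 && offset + i < data.size(); ++i) {
    uint8_t byte = data[offset + i];
    if (i == 9 && (byte & 0x7f) > 1) return std::nullopt;  // > 64 bits
    value |= static_cast<uint64_t>(byte & 0x7f) << (7 * i);
    if (!(byte & 0x80)) return Varint{value, i + 1};
  }
  return std::nullopt;
}

// A varint is canonical only if it is the shortest encoding of its value:
// every trailing byte must contribute bits, so a multi-byte encoding may
// not end in 0x00. "0x86 0x00" decodes to 6 but is rejected; "0x06" passes.
bool IsCanonicalVarint(const std::vector<uint8_t>& data, size_t offset = 0) {
  std::optional<Varint> v = DecodeVarint(data, offset);
  if (!v) return false;
  return v->length == 1 || data[offset + v->length - 1] != 0x00;
}

// Envelope check modelled on the fix described above: a version tag byte
// (assumed to be 0xFF here) followed by a canonical varint version. The
// "is this an envelope?" decision and the version read share one decoder,
// so an overlong version encoding is rejected rather than half-accepted.
std::optional<uint64_t> ReadEnvelopeVersion(const std::vector<uint8_t>& data) {
  const uint8_t kVersionTag = 0xFF;  // assumption, not taken from the page
  if (data.empty() || data[0] != kVersionTag) return std::nullopt;
  if (!IsCanonicalVarint(data, 1)) return std::nullopt;
  return DecodeVarint(data, 1)->value;
}
```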
Mar 3 2017
ClusterFuzz has detected this issue as fixed in range 454454:454481.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6491533651214336
Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e900007385
Crash State:
  base::debug::DebugBreak
  blink::V8ScriptValueDeserializer::deserialize
  blink::SerializedScriptValueForModulesFactory::deserialize
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=453120:453127
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=454454:454481
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv970ziQVUrpqAqLOmmaoGAkdauTQ4fRAm31Ijhj4kGHJ_FcOL8xFbTzp-FAPAacQy3pawWyd_4otsPiPjgWBXc1NuNjUGDzJ_q2-4jJ7uSFsUrk9v8G-Bb-t2i4zXZ23Xw0MVD17EripMBjwK09bW-DlrQaMutOYRuIj3AoeznY7FbSUD6w8IkvgFyY7FGL-F5JlPUy961q5Qd_5OUaqIzsDnppUGmRrw4brRGo2Qjifk5sZdMntKNBa2Q51t7Po5zjibJzPtnXNVqy_gO8fOQYTN3bv1CH8rvtiw-IHcHtUaW6etEMwh_cmhTBfVjXxsBQ7hziQ2sM62SELzn3jhzF0UrKD0GuJ4o_uCn-w1zcqIAZ9t68?testcase_id=6491533651214336

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 3 2017
ClusterFuzz testcase 6491533651214336 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by sigbjo...@opera.com, Mar 1 2017