Use-of-uninitialized-value in base::internal::JSONParser
Issue description

There are currently multiple ways to trigger reads of uninitialized memory in base::JSONParser. A few of them were addressed in http://crbug.com/688086 , but not all of them. For example, inputs '/', '//', '/*' and '"\' trigger this behavior, which can be verified with an asan build. These can be fixed by adding appropriate checks to |JSONParser::EatComment| and |JSONParser::ConsumeStringRaw|, but there might be even more inputs triggering this.
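The kind of bounds checks the description asks for, as an added C++ illustration that is not Chromium's base::JSONParser code: the names EatComment and ConsumeStringRaw are borrowed from the report, the std::string_view signatures are assumed, and the four inputs named above are the cases that must return false rather than read past the end of the buffer.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Added illustration (not Chromium's code) of the bounds checks the fix
// describes: every peek at input[i + 1] is guarded, and an unterminated
// comment or string returns false instead of reading past the end.

// Skips a "//" or "/*" comment at |*pos|; false if not a comment or unterminated.
bool EatComment(std::string_view input, size_t* pos) {
  size_t i = *pos;
  if (i + 1 >= input.size() || input[i] != '/') return false;  // lone '/' at EOF
  char kind = input[i + 1];
  i += 2;
  if (kind == '/') {  // line comment ends at newline or end of input
    while (i < input.size() && input[i] != '\n') ++i;
    *pos = i;
    return true;
  }
  if (kind != '*') return false;
  while (i + 1 < input.size()) {  // need room for the closing "*/"
    if (input[i] == '*' && input[i + 1] == '/') {
      *pos = i + 2;
      return true;
    }
    ++i;
  }
  return false;  // "/*" never closed
}

// Consumes a quoted string at |*pos| into |out|; false if the closing
// quote is missing or a backslash is the last byte of the input.
bool ConsumeStringRaw(std::string_view input, size_t* pos, std::string* out) {
  size_t i = *pos;
  if (i >= input.size() || input[i] != '"') return false;
  out->clear();
  for (++i; i < input.size(); ++i) {
    char c = input[i];
    if (c == '"') { *pos = i + 1; return true; }
    if (c == '\\') {
      if (i + 1 >= input.size()) return false;  // input "\ : nothing to escape
      c = input[++i];  // escaped byte kept verbatim in this illustration
    }
    out->push_back(c);
  }
  return false;  // no closing quote
}
```

An MSan or ASan build of a test that feeds these four inputs through the unguarded version is how the report says the over-read is observed; with the guards in place the same inputs simply fail to parse.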
Mar 6 2017
Mar 6 2017
Updating the severity and impact based on the linked bug. Please feel free to change as suitable.
Mar 7 2017
Mar 21 2017
rsesek: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 4 2017
rsesek: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 28 2017
May 2 2017
May 8 2017
May 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/20abc56a850ed875b6be6d5ed2f8eeafeca5371a

commit 20abc56a850ed875b6be6d5ed2f8eeafeca5371a
Author: rsesek <rsesek@chromium.org>
Date: Wed May 10 13:49:50 2017

Fix potential buffer over-read errors for un-terminated JSON strings and comments.

BUG=698693
TEST=base_unittests --gtest_filter=JSON* under MSan

Review-Url: https://codereview.chromium.org/2859513002
Cr-Commit-Position: refs/heads/master@{#470555}

[modify] https://crrev.com/20abc56a850ed875b6be6d5ed2f8eeafeca5371a/base/json/json_parser.cc
[modify] https://crrev.com/20abc56a850ed875b6be6d5ed2f8eeafeca5371a/base/json/json_parser_unittest.cc
[modify] https://crrev.com/20abc56a850ed875b6be6d5ed2f8eeafeca5371a/extensions/utility/unpacker_unittest.cc
May 12 2017
Thanks! Any more changes expected or can we mark this as fixed?
May 12 2017
May 13 2017
May 14 2017
May 14 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
Please merge your change to M59 branch 3071 by 4:00 PM PT, Monday (05/15) so we can take it in for next week beta release. Thank you.
May 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2ecb7c68c9b0b1390daa3b3dd77c881152389685

commit 2ecb7c68c9b0b1390daa3b3dd77c881152389685
Author: Robert Sesek <rsesek@chromium.org>
Date: Mon May 15 15:34:15 2017

Fix potential buffer over-read errors for un-terminated JSON strings and comments.

BUG=698693
TEST=base_unittests --gtest_filter=JSON* under MSan
TBR=rsesek@chromium.org

(cherry picked from commit 20abc56a850ed875b6be6d5ed2f8eeafeca5371a)

Review-Url: https://codereview.chromium.org/2859513002
Cr-Original-Commit-Position: refs/heads/master@{#470555}
Change-Id: Id47532320dc723a23d4ee0048fb83df9d278a5e1
Reviewed-on: https://chromium-review.googlesource.com/505573
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3071@{#552}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/2ecb7c68c9b0b1390daa3b3dd77c881152389685/base/json/json_parser.cc
[modify] https://crrev.com/2ecb7c68c9b0b1390daa3b3dd77c881152389685/base/json/json_parser_unittest.cc
[modify] https://crrev.com/2ecb7c68c9b0b1390daa3b3dd77c881152389685/extensions/utility/unpacker_unittest.cc
May 16 2017
Aug 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Mar 6 2017