Issue 699410 link

Starred by 3 users

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Mar 2017
Cc:	kojii@chromium.org drott@chromium.org
Components:	Blink>Fonts
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Stability-Libfuzzer Clusterfuzz M-59 Test-Predator-Wrong

i <= out_len + (len - idx)

Project Member Reported by ClusterFuzz, Mar 8 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5221177988743168

Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  i <= out_len + (len - idx)
  libpthread.so.0
  hb_buffer_t::move_to
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=455091:455226

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96noL06GbUqPCnkIZYTR2gGcU7wuNGkOr7spg0kJOkEAERSMfxkCVFTxgPhhvAzZ7ojcZ2jUE3BmcjeoF_GYSORTDkrFn39M8mK_qbfyGVCD6JJ_H8iddF13R_VPjvZTexe2KRTH3nAxv0Bsex_hnF-fyJlpi4cgmxcJcgQbo89-3TALFmudmxiPpXSp34ue2Nc8mMMzVERf00UKTawophGzNenRoL1M74agGVoQJYwvhIxTOxaP1alNK_tSqU5BESJUW7Th-s1HnxNw6uXiI6ncC2-V9YBi-sPPWvePU6_BKDBzVuCaOkMj5iBH37N6j1Ya0k6ZRyYYe4RirtakCleP6NfjnBYSTQrEo7K9bXgL-bmYCM?testcase_id=5221177988743168


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mummare...@chromium.org, Mar 10 2017

Cc: drott@chromium.org kojii@chromium.org
Components: Blink>Fonts
Labels: Test-Predator-Wrong M-59

Could someone please take a look?
Thank you

Comment 2 by e...@chromium.org, Mar 13 2017

Status: WontFix (was: Untriaged)

Asserts on invalid input, sounds like correct behavior to me.

Project Member

Comment 3 by ClusterFuzz, May 4 2017

ClusterFuzz has detected this issue as fixed in range 468644:469228.

Detailed report: https://clusterfuzz.com/testcase?key=5221177988743168

Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  i <= out_len + (len - idx)
  hb_buffer_t::move_to
  OT::apply_lookup
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=455091:455226
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=468644:469228

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5221177988743168


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 699410 link

Issue metadata

i <= out_len + (len - idx)

Issue description

Comment 1 by mummare...@chromium.org, Mar 10 2017

Comment 1 Deleted

Comment 2 by e...@chromium.org, Mar 13 2017

Comment 2 Deleted

Comment 3 by ClusterFuzz, May 4 2017

Comment 3 Deleted

Sign in to add a comment