New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 700750 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Crash in xmlDumpElementContent

Project Member Reported by ClusterFuzz, Mar 12 2017

Issue description

Cc: mmoroz@chromium.org kcc@chromium.org dominicc@chromium.org
Components: Blink>XML
Labels: Test-Predator-Wrong M-59
Could someone please take a look?.
Thank you.

Comment 2 by mmoroz@chromium.org, Mar 14 2017

Cc: -dominicc@chromium.org
Owner: dominicc@chromium.org
Status: Assigned (was: Untriaged)
Cc: och...@chromium.org
Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Apr 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52bfd9b23ead461185b20736e216a73cad1864fe

commit 52bfd9b23ead461185b20736e216a73cad1864fe
Author: dominicc <dominicc@chromium.org>
Date: Thu Apr 06 09:49:56 2017

Improve XML serialization, URI parsing, and XPath node set processing.

BUG=705445, 700750 ,708433,708434

Review-Url: https://codereview.chromium.org/2797923004
Cr-Commit-Position: refs/heads/master@{#462404}

[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/README.chromium
[add] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/chromium/libxml2-2.9.4-security-CVE-2017-7375-xmlParsePEReference-xxe.patch
[add] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/chromium/libxml2-2.9.4-security-CVE-2017-7376-nanohttp-out-of-bounds-write.patch
[add] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/chromium/libxml2-2.9.4-security-xpath-nodetab-uaf.patch
[add] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/chromium/libxml2-2.9.4-xmlDumpElementContent-null-deref.patch
[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/chromium/roll.py
[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/src/parser.c
[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/src/uri.c
[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/src/valid.c
[modify] https://crrev.com/52bfd9b23ead461185b20736e216a73cad1864fe/third_party/libxml/src/xpath.c

Status: Fixed (was: Started)
This should be fixed by the contributed patch; ClusterFuzz, do your thing.
Project Member

Comment 6 by ClusterFuzz, Apr 6 2017

Labels: OS-Linux
Project Member

Comment 7 by ClusterFuzz, Apr 7 2017

ClusterFuzz has detected this issue as fixed in range 462400:462410.

Detailed report: https://clusterfuzz.com/testcase?key=6205363931316224

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  xmlDumpElementContent
  xmlDumpElementDecl
  xmlBufDumpElementDecl
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=450705:450711
Fixed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=462400:462410

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv940AMh8W3V0_dt1rdmyE4tHV8UuloX0WvYoVBQJ3rCPqpQr7sDI0mZvEbJI_bl5BgmcewUq2aN-MNO3vFmlzQ-gg-yL6p8m5Jd0vjnliLnnpptKuqQe73Ynbl9lYrDbWo2HGHJKU4M1su_5mEWYMx3ClRjqpnmIh_rFjNWD38n12pDJCpXh1t0uEYP06tvd6ERhG50kk7MJf2-RfaYczCzz9n1t9aBALUcTGFPPNjqR07u-udBz3UGEbUTPFKMuNSGPA5NVbFyBwfdArwDhG88FDdcKIzIO9zAkkkLP1pn7b-pwLpWS2WL3nCNwAa4qiaX7pXUay5_JZbWGQDKcFbse813Me95yzuinJZrIu_SFx6-XztWDa84EoemYUDef-JD5yovbJt293qrzxYLUWhCR2fuxww?testcase_id=6205363931316224


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by mmoroz@google.com, Apr 7 2017

As you requested, Dominic :) Thanks for the fix!

Sign in to add a comment