Issue metadata
Sign in to add a comment
|
Negative-size-param in sfntly::MemoryByteArray::InternalGet |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5699953470210048 Fuzzer: libfuzzer_sfntly_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Negative-size-param Crash Address: Crash State: sfntly::MemoryByteArray::InternalGet sfntly::NameTable::Name HasName Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=417024:417277 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97IJOVUCrvt81clqFcvuY1GkbitQ1tH3JLkW6cgUexlmk7BllHAWuysWXH9d2xvl67SU4AJy34ym9tCNjIyWus5e3HHx5VHDszuDcOEwtZHI3EbgDUWIDe3sK1ryiu_HohkNgmrFrPtEckQRy1LOLzjohr-40iqgy9vh1jus3KtncxpQGoIYLTt8T3nR7evv_P1UAZPvmcA4V0LcJSIg24T5y2RYB5Rj3kyBEfA5rgi4UAlw-E89TgX4rreQqiFgEvocd7H7GigpxoFb_EcgFuE3cu6k-g1i3aC7KF1Mr3NAZdVxttwntweweQOYiilhoIZjdHt_seUqiKkxqI0oQDH044YTkLY94dhhdCvzaCKPxubNQY?testcase_id=5699953470210048 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Apr 13 2017
,
Apr 13 2017
Per the regression range, the likely culprit appears to be this DEPS roll of sfntly: https://codereview.chromium.org/2316303003 I'm a little confused by the fact that that's from Sept 2016 though. Maybe it's a new fuzzer. thestig -- Can you take a look?
,
Apr 13 2017
I'll try to put together a pull request for this and bug 708426 then.
,
Apr 13 2017
,
Apr 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8fe3548c495a97473cd5490c33d52e5ff13925a1 commit 8fe3548c495a97473cd5490c33d52e5ff13925a1 Author: thestig <thestig@chromium.org> Date: Fri Apr 14 04:46:31 2017 Roll DEPS for sfntly 04740d2..f033f85 f033f85 Merge pull request #78 from leizleiz/boundschecks 350164d ByteArray::Get() should not accept negative lengths. 4ca4ad0 Validate headers before constructing them. BUG= 708426 , 711068 TBR=behdad@chromium.org,jshin@chromium.org Review-Url: https://codereview.chromium.org/2816153002 Cr-Commit-Position: refs/heads/master@{#464678} [modify] https://crrev.com/8fe3548c495a97473cd5490c33d52e5ff13925a1/DEPS
,
Apr 14 2017
ClusterFuzz has detected this issue as fixed in range 464674:464681. Detailed report: https://clusterfuzz.com/testcase?key=5699953470210048 Fuzzer: libfuzzer_sfntly_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Negative-size-param Crash Address: Crash State: sfntly::MemoryByteArray::InternalGet sfntly::NameTable::Name HasName Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=417024:417277 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=464674:464681 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97IJOVUCrvt81clqFcvuY1GkbitQ1tH3JLkW6cgUexlmk7BllHAWuysWXH9d2xvl67SU4AJy34ym9tCNjIyWus5e3HHx5VHDszuDcOEwtZHI3EbgDUWIDe3sK1ryiu_HohkNgmrFrPtEckQRy1LOLzjohr-40iqgy9vh1jus3KtncxpQGoIYLTt8T3nR7evv_P1UAZPvmcA4V0LcJSIg24T5y2RYB5Rj3kyBEfA5rgi4UAlw-E89TgX4rreQqiFgEvocd7H7GigpxoFb_EcgFuE3cu6k-g1i3aC7KF1Mr3NAZdVxttwntweweQOYiilhoIZjdHt_seUqiKkxqI0oQDH044YTkLY94dhhdCvzaCKPxubNQY?testcase_id=5699953470210048 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 14 2017
ClusterFuzz testcase 5699953470210048 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 14 2017
,
Jul 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Apr 13 2017