Issue 714432 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	ljusten@chromium.org
Closed:	May 2017
Cc:	tnagel@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Windows , Chrome
Pri:	2
Type:	Bug

Fix preg parser crash found in clusterfuzz

Project Member Reported by ljusten@chromium.org, Apr 23 2017

Issue description

https://clusterfuzz.com/v2/fuzzer-stats/by-day/2017-04-16/2017-04-22/fuzzer/libfuzzer_preg_parser_fuzzer/job/libfuzzer_chrome_asan_debug?noredirect=1

https://clusterfuzz.com/gcsviewer?path=%2Fclusterfuzz-libfuzzer-logs%2Flibfuzzer_preg_parser_fuzzer%2Flibfuzzer_chrome_asan_debug%2F2017-04-19%2F13%3A45%3A45%3A712284.txt

Project Member

Comment 1 by bugdroid1@chromium.org, May 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee7474ea14ebc2764e277fdf03557851c1976038

commit ee7474ea14ebc2764e277fdf03557851c1976038
Author: ljusten <ljusten@chromium.org>
Date: Tue May 02 17:51:03 2017

Fix fuzzer crash for preg_parser

Preg files with strings containing valid code points, but invalid
characters (e.g. 65535) triggered a DCHECK because base::UTF16ToUTF8
(called from DecodePRegStringValue) accepts invalid characters, but
base::IsStringUTF8 (DCHECK'ed in base::Value) does not. This CL
rejects these invalid strings before putting them into base::Values.
The crash was found in a libfuzzer test.

BUG= 714432 
TEST=Added and checked test case to verify fix.

Review-Url: https://codereview.chromium.org/2852393002
Cr-Commit-Position: refs/heads/master@{#468704}

[add] https://crrev.com/ee7474ea14ebc2764e277fdf03557851c1976038/chrome/test/data/policy/gpo/fuzzer_corpus/invalid_encoding.pol
[add] https://crrev.com/ee7474ea14ebc2764e277fdf03557851c1976038/chrome/test/data/policy/gpo/invalid_encoding/registry.pol
[rename] https://crrev.com/ee7474ea14ebc2764e277fdf03557851c1976038/chrome/test/data/policy/gpo/parser_test/registry.pol
[modify] https://crrev.com/ee7474ea14ebc2764e277fdf03557851c1976038/components/policy/core/common/preg_parser.cc
[modify] https://crrev.com/ee7474ea14ebc2764e277fdf03557851c1976038/components/policy/core/common/preg_parser_unittest.cc

Comment 2 by ljusten@chromium.org, May 8 2017

Status: Fixed (was: Assigned)

Verified crashes stopped:
https://clusterfuzz.com/v2/fuzzer-stats/by-day/2017-05-01/2099-10-07/fuzzer/libfuzzer_preg_parser_fuzzer/job/libfuzzer_chrome_asan_debug?noredirect=1

►

Issue 714432 link

Issue metadata

Fix preg parser crash found in clusterfuzz

Issue description

Comment 1 by bugdroid1@chromium.org, May 2 2017

Comment 1 Deleted

Comment 2 by ljusten@chromium.org, May 8 2017

Comment 2 Deleted

Sign in to add a comment