New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 719377 link

Starred by 2 users
Status: WontFix
Owner:
rsesek@chromium.org
Closed: Apr 2018
Cc:
brettw@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Blocking:
issue 698693



Sign in to add a comment

Logic error in base::internal::JSONParser

Project Member Reported by jdoerrie@chromium.org, May 8 2017 
In the declaration of base::internal::JSONParser there is a contract stating that the internal pos_ is equivalent to start_pos_ + index_:
https://codesearch.chromium.org/chromium/src/base/json/json_parser.h?l=230-232

However, this is not always true, which becomes evident when adding DCHECKs in appropriate places.

This mismatch can lead to reads of uninitialized memory, for example on input |JSONParser::Parse("\"\xC3\x83")|.

This bug is a follow up to  http://crbug.com/698693  and the discussion in http://crrev.com/2859513002.

Comment 1 by rsesek@chromium.org, May 8 2017

Labels: -Restrict-View-SecurityTeam
Details are already public, so there's no point in restricting.

Comment 2 by och...@chromium.org, May 8 2017

Labels: allpublic Security_Severity-Medium Security_Impact-Beta OS-All
setting flags based on the blocking bug.

Comment 3 by rsesek@chromium.org, May 8 2017

Labels: -Security_Severity-Medium Security_Severity-Low

Comment 4 by rsesek@chromium.org, Apr 10 2018

Status: WontFix (was: Assigned)
pos_ was removed in f3322d752f4eb6326b194a5f9f378f9fe9a422ee.

Sign in to add a comment