Issue metadata

Use-of-uninitialized-value in u_strToUTF8WithSub_59

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5428569357680640
Fuzzer: libfuzzer_icu_ucasemap_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  u_strToUTF8WithSub_59
  u_strToUTF8_59
  appendResult
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=471616:471627
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5428569357680640

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 15 2017

May 15 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 15 2017
An upstream bug to fix bug 618021 (the same stack) was fixed for ICU 58.1: http://bugs.icu-project.org/trac/ticket/12639
Will try to come up with a reduction (starting with the one at bug 618021).
May 15 2017
Should be fixed by http://bugs.icu-project.org/trac/ticket/12333 and http://bugs.icu-project.org/trac/changeset/40108. Did you integrate that yet?

May 15 2017
Hmm..... Initially, I thought it's not a regression. It turned out that files touched by the upstream fix for bug 618021 [1] had undergone quite a lot of changes between ICU 58 and ICU 59. So, bug 618021 is different from this one. bug 618021 was fixed in ICU 58, but this one is 'new'.
[1] http://bugs.icu-project.org/trac/changeset/39295
May 15 2017
ClusterFuzz testcase 4851259505115136 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

May 15 2017
Thanks a lot, Markus. Your comment and mine crossed each other (didn't see yours when I wrote comment 6).
> ClusterFuzz testcase 4851259505115136 is verified as fixed, so closing issue.
I don't know how. I've just reproduced this issue. :-)
May 16 2017
Incorrectness in c#7 is due to https://bugs.chromium.org/p/chromium/issues/detail?id=618021#c38. Since the mapping is removed, it shouldn't happen.

May 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/deps/icu.git/+/fd2abab88d42416678475a920bcb7efacb38f5f3

commit fd2abab88d42416678475a920bcb7efacb38f5f3
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue May 16 16:54:57 2017

Apply 3 upstream CLs beyond 59.1

http://www.icu-project.org/trac/ticket/12333
http://www.icu-project.org/trac/ticket/13189
http://www.icu-project.org/trac/ticket/12635

- patches/ucase_utf8.patch
- patches/ucurr_locale.patch
- patches/collator_range.patch

Bug= chromium:722124
TEST=See the test
TBR=inferno@chromium.org

Change-Id: I3e754734a1c1121c8059a386ca1b5d0f004adb79
Reviewed-on: https://chromium-review.googlesource.com/506592
Reviewed-by: Abhishek Arya <inferno@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>

[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/README.chromium
[add] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/patches/collator_range.patch
[add] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/patches/ucase_utf8.patch
[add] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/patches/ucurr_locale.patch
[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/source/common/ucase.cpp
[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/source/common/ucasemap.cpp
[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/source/common/ucurr.cpp
[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/source/i18n/collationweights.cpp
[modify] https://crrev.com/fd2abab88d42416678475a920bcb7efacb38f5f3/source/i18n/dcfmtsym.cpp
May 16 2017
With https://chromium-review.googlesource.com/c/506592/ , I confirmed that this issue is fixed. Without it, I can reliably reproduce the bug. Thanks, inferno@, for comment #9. I'm now rolling ICU to fd2abab88d42416678475a920bcb7efacb38f5f3

May 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0e01770345dfe1c6e5fc18aba42420195ef77b2b

commit 0e01770345dfe1c6e5fc18aba42420195ef77b2b
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed May 17 08:34:34 2017

Roll ICU to fd2abab8 from 87232d8d

There are two changes:
- cherry-pick 3 upstream changes past 59.1 release.
- v8 support for PPC64 and S390 (Big and Little endians)

http://chromium.googlesource.com/chromium/deps/icu.git/+log/87232d8..fd2abab

BUG= chromium:722124
TEST=See the bug
TBR=inferno@chromium.org

Change-Id: I2f3b86febb460f21769dae1015e3da4482ac6986
Reviewed-on: https://chromium-review.googlesource.com/506440
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#472385}

[modify] https://crrev.com/0e01770345dfe1c6e5fc18aba42420195ef77b2b/DEPS
May 18 2017
ClusterFuzz has detected this issue as fixed in range 472373:472407.

Detailed report: https://clusterfuzz.com/testcase?key=5428569357680640
Fuzzer: libfuzzer_icu_ucasemap_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  u_strToUTF8WithSub_59
  u_strToUTF8_59
  appendResult
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=471616:471627
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=472373:472407
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5428569357680640

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, May 15 2017
Labels: Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)