New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 734133 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::ReportFatalErrorInMainThread

Project Member Reported by ClusterFuzz, Jun 16 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5502983608729600

Fuzzer: cdiehl_dharma
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x1e100080
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::Uint8ClampedArray::New
  blink::DOMTypedArray<WTF::Uint8ClampedArray,v8::Uint8ClampedArray>::Wrap
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5502983608729600


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by est...@chromium.org, Jun 16 2017

Components: Blink>JavaScript
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 17 2017

Labels: M-60
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 17 2017

Labels: Pri-1
Labels: -Type-Bug-Security -reward-topanel -Restrict-View-SecurityTeam -Security_Impact-Stable -Security_Severity-Medium Type-Bug
CHECK failure is not a security bug, we fixed the parsing logic on clusterfuzz side, sorry for noise.

Comment 5 by jochen@chromium.org, Jun 27 2017

Status: WontFix (was: Untriaged)
attempt to allocate an too large array
Project Member

Comment 6 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 5502983608729600 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment