
Issue 748069 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug-Security




Crash in Append

Project Member Reported by ClusterFuzz, Jul 24 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5963309538082816

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x7f0cf1880000
Crash State:
  Append
  void v8::internal::JsonStringifier::SerializeStringUnchecked_<unsigned char, uns
  void v8::internal::JsonStringifier::SerializeString_<unsigned char, unsigned cha
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: V8: 46837:46838

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5963309538082816


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: yangguo@chromium.org
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)
Regression range points to e8c9649e2570c7e278e70a6584738a3c3f828b2b.
Issue 748072 has been merged into this issue.
Status: Started (was: Assigned)
Mini repro:

var a = 'a'.repeat(1 << 28);  // 2^28 one-byte characters: length << 3 no longer fits a signed 32-bit int
JSON.stringify(a);            // takes the unchecked fast path and writes past the current builder part
There is an overflow in a calculation involving the string length in src/json-stringifier.cc:642
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 25 2017

Labels: M-61
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 25 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 25 2017

Labels: Pri-1
Project Member

Comment 8 by ClusterFuzz, Jul 25 2017

Labels: OS-Mac
Project Member

Comment 9 by bugdroid1@chromium.org, Jul 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8315422762131921022c63e80179d7df828822fb

commit 8315422762131921022c63e80179d7df828822fb
Author: Peter Marshall <petermarshall@chromium.org>
Date: Wed Jul 26 11:40:56 2017

[runtime] Check for overflow when serializing Strings for JSON.

Previously we would shift the length of the string by three, which
could overflow with the new larger string length limit. Now we check
that the length will fit without extra allocation before and after
the shift, because really large strings will never fit, and will
always go to the Checked case.

Bug: chromium:748069, v8:6148
Change-Id: I41cac14b0fde6c5e8ca92305a052cbb743111554
Reviewed-on: https://chromium-review.googlesource.com/584611
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46896}
[modify] https://crrev.com/8315422762131921022c63e80179d7df828822fb/src/json-stringifier.cc
[modify] https://crrev.com/8315422762131921022c63e80179d7df828822fb/src/string-builder.h
[add] https://crrev.com/8315422762131921022c63e80179d7df828822fb/test/mjsunit/regress/regress-748069.js
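The following C model is an added illustration (written for this page, not V8's own code) of the overflow described in the mini-repro comment and of the check the commit message describes: the pre-fix predicate shifts a 32-bit string length by three and only then compares, while the fixed predicate bounds the length before the shift. The function names, `capacity_left` and the 1024-byte part size are assumptions of this model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of "can this string be serialized into the current builder part
 * without allocating?".  Illustrative reconstruction based on the commit
 * message above, not V8's json-stringifier.cc.  capacity_left is the free
 * space in the current part; length is the string length.  The escaped size
 * (worst case 6 bytes per character) is over-approximated with length << 3,
 * which is cheaper to compute. */

/* Pre-fix shape: shift first, compare second.  The estimate is stored in 32
 * bits so it wraps the way a V8 int would; the shift itself runs in 64 bits
 * so this model stays free of undefined behaviour. */
bool unchecked_path_buggy(int capacity_left, int length) {
    int32_t worst = (int32_t)(uint32_t)((uint64_t)length << 3);
    /* For length >= 1 << 28 the estimate wraps negative, the comparison
     * succeeds, and the caller takes the unchecked fast path with a part far
     * too small: the UNKNOWN WRITE in Append that ASan reported. */
    return worst <= capacity_left;
}

/* Fixed shape: bound the length before the shift so the shift cannot
 * overflow, then compare the shifted estimate.  A string too long to pass the
 * first check could never fit a part anyway, so it goes to the
 * bounds-checked (slow) serializer. */
bool unchecked_path_fixed(int capacity_left, int length) {
    if (length < 0 || length > (INT_MAX >> 3)) return false; /* shift would overflow */
    int worst = length << 3;
    return worst <= capacity_left;
}

int main(void) {
    int free_bytes = 1024;   /* constructed: a small current part */
    int len = 1 << 28;       /* the mini repro's string length */
    printf("buggy check says it fits: %d\n", unchecked_path_buggy(free_bytes, len));
    printf("fixed check says it fits: %d\n", unchecked_path_fixed(free_bytes, len));
    return 0;
}
```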

Project Member

Comment 10 by sheriffbot@chromium.org, Jul 26 2017

Labels: -Security_Impact-Head Security_Impact-Beta
URGENT - PTAL.
Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you!

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

Labels: -M-61 M-62
Looks like the regression range is in M62, changing milestone.
Project Member

Comment 13 by ClusterFuzz, Jul 27 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6210267540357120 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Yes, this issue is only relevant for M62, now fixed.
Project Member

Comment 15 by ClusterFuzz, Jul 27 2017

ClusterFuzz has detected this issue as fixed in range 46895:46896.

Detailed report: https://clusterfuzz.com/testcase?key=5963309538082816

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x7f0cf1880000
Crash State:
  Append
  void v8::internal::JsonStringifier::SerializeStringUnchecked_<unsigned char, uns
  void v8::internal::JsonStringifier::SerializeString_<unsigned char, unsigned cha
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: V8: 46837:46838
Fixed: V8: 46895:46896

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5963309538082816


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 27 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 17 by sheriffbot@chromium.org, Sep 15 2017

Labels: Merge-Request-62
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 15 2017

Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -ReleaseBlock-Stable -Merge-Review-62
This is already in M62.
Project Member

Comment 20 by sheriffbot@chromium.org, Nov 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
