Use-of-uninitialized-value in mojo::edk::Core::CreateDataPipe
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4834341711773696
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  mojo::edk::Core::CreateDataPipe
  blink::Mojo::createDataPipe
  blink::V8Mojo::createDataPipeMethodCallback
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=500110:500145
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4834341711773696

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/58d5661333d5165cd813774459aa59373496c814

commit 58d5661333d5165cd813774459aa59373496c814
Author: Ken Rockot <rockot@chromium.org>
Date: Fri Sep 15 23:19:19 2017

Stop uninit'd value usage in Mojo.createDataPipe

Prevents the JS Mojo.createDataPipe API from allowing calls with missing capacityNumBytes or elementNumBytes options to propagate down to the native API, where they will result in use of uninitialized values.

Also adds Mojo owners to WebKit/Source/core/mojo

BUG= 765647
Change-Id: Icfbebe1e02d165911d1341f93fa0c9d94e3fdf62
Reviewed-on: https://chromium-review.googlesource.com/669315
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502433}

[modify] https://crrev.com/58d5661333d5165cd813774459aa59373496c814/third_party/WebKit/LayoutTests/mojo/data-pipe.html
[modify] https://crrev.com/58d5661333d5165cd813774459aa59373496c814/third_party/WebKit/Source/core/mojo/Mojo.cpp
Sep 16 2017
ClusterFuzz has detected this issue as fixed in range 502419:502457.

Detailed report: https://clusterfuzz.com/testcase?key=4834341711773696
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  mojo::edk::Core::CreateDataPipe
  blink::Mojo::createDataPipe
  blink::V8Mojo::createDataPipeMethodCallback
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=500110:500145
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=502419:502457
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4834341711773696

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 16 2017
ClusterFuzz testcase 4834341711773696 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mea...@chromium.org, Sep 15 2017
Status: Assigned (was: Untriaged)