Issue 772585

Issue metadata

Status: WontFix
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug

Null-dereference READ in blink::V8RTCCertificate::expiresAttributeGetterCallback

Reported by ClusterFuzz (Project Member), Oct 7 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4538833281744896

Fuzzer: inferno_twister
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::V8RTCCertificate::expiresAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  v8::internal::MaybeHandle<v8::internal::Object> v8::internal::HandleApiCallHelpe
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=465235:465262

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4538833281744896

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Components: Blink>JavaScript
Labels: M-62 Test-Predator-Wrong
Components: -Blink>JavaScript
According to the stack trace, this is not V8 related.
Cc: kkaluri@chromium.org
Components: Blink
Labels: CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.

Could someone from the Blink team look into the issue and assign it to the concerned owner?


Thank You.

Components: -Blink Blink>Bindings
Components: -Blink>Bindings Blink>WebRTC

Comment 6 by guidou@chromium.org, Oct 16 2017

Components: -Blink>WebRTC Blink>WebRTC>PeerConnection
Owner: hbos@chromium.org
Status: Assigned (was: Untriaged)
hbos@: This seems related to RTCCertificates. Can you take a look?

Comment 7 by hbos@chromium.org, Oct 16 2017

Labels: -Pri-1 Pri-3
Repro:

<script src=/resources/testharness.js></script>
<script>
  /*
   */
  promise_test(t =>
    RTCPeerConnection.generateCertificate({
      name: 'RSASSA-PKCS1-v1_5',
      modulusLength: 2048,
      // Deliberately invalid publicExponent: -8 is not a valid byte value.
      publicExponent: new Uint8Array([1, 0, -8]),
      hash: 'SHA-256'
    }).then(cert => {
      // Reading the getter on the resulting certificate triggers the crash.
      cert.expires
    }),
    'generateCertificate() with compulsory RSASSA-PKCS1-v1_5 parameters should succeed');
  /*
   */
</script>

The promise should be rejected by this nonsense publicExponent but instead it crashes.
Should be easy to fix, but not time critical.
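
As an added example (not code from this issue or from Chromium), the following shows how the repro's publicExponent is actually interpreted and the kind of caller-side validation that would reject it before key generation is attempted. The names bytesToBigInt and checkRsaPublicExponent are hypothetical, not a Chromium or WebCrypto API.

```javascript
// Added example, not from the issue: a Uint8Array wraps out-of-range values
// modulo 256, so the repro's [1, 0, -8] is really [1, 0, 248] = 0x0100F8.
// publicExponent is a big-endian byte string, so that is 65784, an even number
// and therefore not a usable RSA public exponent.

// Interpret a big-endian byte array as a BigInt.
function bytesToBigInt(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  return n;
}

// Return null if the exponent is acceptable for RSA key generation, otherwise
// a reason string. The checks are the usual ones: non-empty, at least 3, odd.
function checkRsaPublicExponent(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length === 0) return 'empty exponent';
  const e = bytesToBigInt(bytes);
  if (e < 3n) return 'exponent must be at least 3';
  if (e % 2n === 0n) return 'exponent must be odd';
  return null;
}

// Summarise an exponent the way a validating caller would log it.
function describeExponent(bytes) {
  const reason = checkRsaPublicExponent(bytes);
  return { value: bytesToBigInt(bytes), ok: reason === null, reason };
}

// Constructed inputs: the exponent from the repro above and the usual 65537.
const reproExponent = new Uint8Array([1, 0, -8]);
const sensibleExponent = new Uint8Array([1, 0, 1]);

console.log(describeExponent(reproExponent));    // value 65784n, ok false
console.log(describeExponent(sensibleExponent)); // value 65537n, ok true
```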

Comment 8 by ClusterFuzz (Project Member), Dec 4 2017

Labels: OS-Linux

Comment 9 by ClusterFuzz (Project Member), Jan 19 2018

Components: Blink>JavaScript
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 10 by ClusterFuzz (Project Member), Mar 9 2018

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4538833281744896 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.