Security: Heap Overflow Vulnerability in Chrome
Reported by kushal89...@gmail.com, Oct 10 2017
VULNERABILITY DETAILS

Heap Overflow Vulnerability triggered in Chrome. The PoC has been tested on the latest Chrome Windows "asan" build, namely build #507658, as of October 10 12:45PM PST. Build links have been shared in Step 1 of the "Reproduction Case" section.

VERSION

The latest "ASAN" builds of Chrome, namely asan build 507658.
Operating System: Windows.

REPRODUCTION CASE

1) Download the Windows chrome "asan" build from https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-507658.zip?generation=1507652757642602&alt=media
2) Unzip the downloaded "asan" build.
3) Change directory to the chrome binary location.
4) Run the chrome binary against the New_Heap_Overflow_PoC_Chrome.pdf testcase file using the --no-sandbox and --allow-file-access-from-files flags.
5) Check the crash details in the terminal window.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

C:\Windows\system32>"C:\Users\kshah\Downloads\win32-release%2Fasan-coverage-win32-release-507658\asan-coverage-win32-release-507658\chrome.exe" --no-sandbox --allow-file-access-from-files C:\Users\kshah\Desktop\New_Heap_Overflow_PoC_Chrome.pdf

[4260:8376:1010/125154.078:ERROR:service_manager.cc(157)] Connection InterfaceProviderSpec prevented service: content_renderer from binding interface: blink::mojom::ReportingServiceProxy exposed by: content_browser
=================================================================
==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00e0ed7c at pc 0x1a225412 bp 0x0034b6fc sp 0x0034b6f0
READ of size 4 at 0x00e0ed7c thread T0
    #0 0x1a225411 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2608:44
    #1 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #2 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #3 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #4 0x1a22450a in chrome_pdf::PDFiumEngine::GetBookmarks(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2587:28
    #5 0x1a25bedd in chrome_pdf::OutOfProcessInstance::DocumentLoadComplete(int) C:\b\c\b\win_asan_release_coverage\src\pdf\out_of_process_instance.cc:1471:37
    #6 0x1a20f9d7 in chrome_pdf::PDFiumEngine::FinishLoadingDocument(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:1275:14
    #7 0x1a228dc2 in chrome_pdf::PDFiumEngine::ContinueLoadingDocument(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2945:5
    #8 0x1a20e55a in chrome_pdf::PDFiumEngine::LoadDocument(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2859:5
    #9 0x1a26f691 in chrome_pdf::DocumentLoader::ReadComplete(void) C:\b\c\b\win_asan_release_coverage\src\pdf\document_loader.cc:390:1
    #10 0x1a26fd01 in chrome_pdf::DocumentLoader::DidRead(int) C:\b\c\b\win_asan_release_coverage\src\pdf\document_loader.cc:304:14
    #11 0x1a271513 in pp::CompletionCallbackFactory<class chrome_pdf::DocumentLoader,class pp::ThreadSafeThreadTraits>::CallbackData<class pp::CompletionCallbackFactory<class chrome_pdf::DocumentLoader,class pp::ThreadSafeThreadTraits>::Dispatcher0<void ( chrome_pdf::DocumentLoader::*)(int)> >::Thunk(void *,int) C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h:584:15
    #12 0x1a2759a3 in chrome_pdf::URLLoaderWrapperImpl::DidRead(int) C:\b\c\b\win_asan_release_coverage\src\pdf\url_loader_wrapper_impl.cc:281:7
    #13 0x1a27ad77 in pp::CompletionCallbackFactory<class chrome_pdf::URLLoaderWrapperImpl,class pp::ThreadSafeThreadTraits>::CallbackData<class pp::CompletionCallbackFactory<class chrome_pdf::URLLoaderWrapperImpl,class pp::ThreadSafeThreadTraits>::Dispatcher0<void ( chrome_pdf::URLLoaderWrapperImpl::*)(int)> >::Thunk(void *,int) C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h:584:15
    #14 0x173a4c42 in ppapi::TrackedCallback::Run(int) C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\tracked_callback.cc:135:9
    #15 0x173a6657 in base::internal::Invoker<struct base::internal::BindState<void ( ppapi::TrackedCallback::*)(int),class scoped_refptr<class ppapi::TrackedCallback>,int>,void (void)>::Run(class base::internal::BindStateBase *) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:331:48
    #16 0x173a675b in ppapi::internal::RunWhileLockedHelper<void (void)>::CallWhileLocked(class std::unique_ptr<class ppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > >) C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\proxy_lock.h:188
    #17 0x173a6a36 in ??$Invoke@V?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@?$FunctorTraits@P6AXV?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@ZX@internal@base@@SAXP6AXV?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@Z$$QAV34@@Z C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:149:12
    #18 0x173a6926 in base::internal::Invoker<struct base::internal::BindState<void (*)(class std::unique_ptr<class ppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > >),class base::internal::PassedWrapper<class std::unique_ptr<classppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > > > >,void (void)>::Run(class base::internal::BindStateBase *) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:331:48
    #19 0x13cd8422 in base::debug::TaskAnnotator::RunTask(char const *,struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc:55:3
    #20 0x13d5fc46 in base::internal::IncomingTaskQueue::RunTask(struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\incoming_task_queue.cc:147:19
    #21 0x13b8d442 in base::MessageLoop::RunTask(struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:406:25
    #22 0x13b8e6b5 in base::MessageLoop::DeferOrRunPendingTask(struct base::PendingTask) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:417:5
    #23 0x13b8f1d1 in base::MessageLoop::DoWork(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:524:13
    #24 0x13d67b14 in base::MessagePumpDefault::Run(class base::MessagePump::Delegate *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc:37:31
    #25 0x13b8c3e0 in base::MessageLoop::Run(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:346:10
    #26 0x13c57043 in base::RunLoop::Run(void) C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc:118:14
    #27 0x1356bf2b in content::PpapiPluginMain(struct content::MainFunctionParams const &) C:\b\c\b\win_asan_release_coverage\src\content\ppapi_plugin\ppapi_plugin_main.cc:157:19
    #28 0x13a36b69 in content::RunNamedProcessTypeMain(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,struct content::MainFunctionParams const &,class content::ContentMainDelegate *) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:424:14
    #29 0x13a38204 in content::ContentMainRunnerImpl::Run(void) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:704:12
    #30 0x13a50489 in service_manager::Main(struct service_manager::MainParams const &) C:\b\c\b\win_asan_release_coverage\src\services\service_manager\embedder\main.cc:469:29
    #31 0x13a36724 in content::ContentMain(struct content::ContentMainParams const &) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main.cc:19:10
    #32 0xf9912c6 in ChromeMain C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_main.cc:123:12
    #33 0x1369ac6 in MainDllLoader::Launch(struct HINSTANCE__ *,class base::TimeTicks) C:\b\c\b\win_asan_release_coverage\src\chrome\app\main_dll_loader_win.cc:199:12
    #34 0x1361d34 in main C:\b\c\b\win_asan_release_coverage\src\chrome\app\chrome_exe_main_win.cc:230:20
    #35 0x178b9d9 in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
    #36 0x76983369 (C:\Windows\syswow64\kernel32.dll+0x7dd73369)
    #37 0x77e19901 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
    #38 0x77e198d4 (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)

0x00e0ed7c is located 4 bytes to the left of 564-byte region [0x00e0ed80,0x00e0efb4)
allocated by thread T0 here:
    #0 0x177aa8c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x1fbde239 in operator new(unsigned int) f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
    #2 0x1a244344 in ??$emplace_back@V?$unique_ptr@VPDFiumPage@chrome_pdf@@U?$default_delete@VPDFiumPage@chrome_pdf@@@std@@@std@@@?$vector@V?$unique_ptr@VPDFiumPage@chrome_pdf@@U?$default_delete@VPDFiumPage@chrome_pdf@@@std@@@std@@V?$allocator@V?$unique_ptr@VPDFiumPage@chrome_pdf@@U?$default_delete@VPDFiumPage@chrome_pdf@@@std@@@std@@@2@@std@@QAE?A?<decltype-auto>@@$$QAV?$unique_ptr@VPDFiumPage@chrome_pdf@@U?$default_delete@VPDFiumPage@chrome_pdf@@@std@@@1@@Z c:\b\c\win_toolchain\vs_files\9bc7ccbf9f4bd50d4a3bd185e8ca94ff1618de0b\vc\tools\msvc\14.11.25503\include\vector:951:40
    #3 0x1a20cd1b in chrome_pdf::PDFiumEngine::LoadPageInfo(bool) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:3005:24
    #4 0x1a229948 in chrome_pdf::PDFiumEngine::LoadPages(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:3039:5
    #5 0x1a228d8a in chrome_pdf::PDFiumEngine::ContinueLoadingDocument(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2942:3
    #6 0x1a20e55a in chrome_pdf::PDFiumEngine::LoadDocument(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2859:5
    #7 0x1a26f691 in chrome_pdf::DocumentLoader::ReadComplete(void) C:\b\c\b\win_asan_release_coverage\src\pdf\document_loader.cc:390:1
    #8 0x1a26fd01 in chrome_pdf::DocumentLoader::DidRead(int) C:\b\c\b\win_asan_release_coverage\src\pdf\document_loader.cc:304:14
    #9 0x1a271513 in pp::CompletionCallbackFactory<class chrome_pdf::DocumentLoader,class pp::ThreadSafeThreadTraits>::CallbackData<class pp::CompletionCallbackFactory<class chrome_pdf::DocumentLoader,class pp::ThreadSafeThreadTraits>::Dispatcher0<void ( chrome_pdf::DocumentLoader::*)(int)> >::Thunk(void *,int) C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h:584:15
    #10 0x1a2759a3 in chrome_pdf::URLLoaderWrapperImpl::DidRead(int) C:\b\c\b\win_asan_release_coverage\src\pdf\url_loader_wrapper_impl.cc:281:7
    #11 0x1a27ad77 in pp::CompletionCallbackFactory<class chrome_pdf::URLLoaderWrapperImpl,class pp::ThreadSafeThreadTraits>::CallbackData<class pp::CompletionCallbackFactory<class chrome_pdf::URLLoaderWrapperImpl,class pp::ThreadSafeThreadTraits>::Dispatcher0<void ( chrome_pdf::URLLoaderWrapperImpl::*)(int)> >::Thunk(void *,int) C:\b\c\b\win_asan_release_coverage\src\ppapi\utility\completion_callback_factory.h:584:15
    #12 0x173a4c42 in ppapi::TrackedCallback::Run(int) C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\tracked_callback.cc:135:9
    #13 0x173a6657 in base::internal::Invoker<struct base::internal::BindState<void ( ppapi::TrackedCallback::*)(int),class scoped_refptr<class ppapi::TrackedCallback>,int>,void (void)>::Run(class base::internal::BindStateBase *) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:331:48
    #14 0x173a675b in ppapi::internal::RunWhileLockedHelper<void (void)>::CallWhileLocked(class std::unique_ptr<class ppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > >) C:\b\c\b\win_asan_release_coverage\src\ppapi\shared_impl\proxy_lock.h:188
    #15 0x173a6a36 in ??$Invoke@V?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@?$FunctorTraits@P6AXV?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@ZX@internal@base@@SAXP6AXV?$unique_ptr@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@U?$default_delete@V?$RunWhileLockedHelper@$$A6AXXZ@internal@ppapi@@@std@@@std@@@Z$$QAV34@@Z C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:149:12
    #16 0x173a6926 in base::internal::Invoker<struct base::internal::BindState<void (*)(class std::unique_ptr<class ppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > >),class base::internal::PassedWrapper<class std::unique_ptr<classppapi::internal::RunWhileLockedHelper<void (void)>,struct std::default_delete<class ppapi::internal::RunWhileLockedHelper<void (void)> > > > >,void (void)>::Run(class base::internal::BindStateBase *) C:\b\c\b\win_asan_release_coverage\src\base\bind_internal.h:331:48
    #17 0x13cd8422 in base::debug::TaskAnnotator::RunTask(char const *,struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\debug\task_annotator.cc:55:3
    #18 0x13d5fc46 in base::internal::IncomingTaskQueue::RunTask(struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\incoming_task_queue.cc:147:19
    #19 0x13b8d442 in base::MessageLoop::RunTask(struct base::PendingTask *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:406:25
    #20 0x13b8e6b5 in base::MessageLoop::DeferOrRunPendingTask(struct base::PendingTask) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:417:5
    #21 0x13b8f1d1 in base::MessageLoop::DoWork(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:524:13
    #22 0x13d67b14 in base::MessagePumpDefault::Run(class base::MessagePump::Delegate *) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_pump_default.cc:37:31
    #23 0x13b8c3e0 in base::MessageLoop::Run(void) C:\b\c\b\win_asan_release_coverage\src\base\message_loop\message_loop.cc:346:10
    #24 0x13c57043 in base::RunLoop::Run(void) C:\b\c\b\win_asan_release_coverage\src\base\run_loop.cc:118:14
    #25 0x1356bf2b in content::PpapiPluginMain(struct content::MainFunctionParams const &) C:\b\c\b\win_asan_release_coverage\src\content\ppapi_plugin\ppapi_plugin_main.cc:157:19
    #26 0x13a36b69 in content::RunNamedProcessTypeMain(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > const &,struct content::MainFunctionParams const &,class content::ContentMainDelegate *) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:424:14
    #27 0x13a38204 in content::ContentMainRunnerImpl::Run(void) C:\b\c\b\win_asan_release_coverage\src\content\app\content_main_runner.cc:704:12
    #28 0x13a50489 in service_manager::Main(struct service_manager::MainParams const &) C:\b\c\b\win_asan_release_coverage\src\services\service_manager\embedder\main.cc:469:29

SUMMARY: AddressSanitizer: heap-buffer-overflow C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2608:44 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int)
Shadow bytes around the buggy address:
  0x301c1d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301c1d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301c1d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301c1d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x301c1d90: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
=>0x301c1da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x301c1db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x301c1dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x301c1dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x301c1de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x301c1df0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8340==ABORTING
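The report above can be triaged mechanically before anyone opens a debugger. The script below is an added example written for this page; it is not part of the issue, of ClusterFuzz or of Chromium. It parses the ASan header, the access line, the "is located" region line and both stack traces from a sample trimmed from the report above (SAMPLE_REPORT is constructed here, and the mangled std::vector frame in the allocation stack is replaced by a readable name), then derives what a triager wants first: the fault is a 4-byte READ 4 bytes before the start of a 564-byte heap allocation (one 4-byte slot before index 0, entirely outside the buffer), ASan's own offset sentence agrees with the addresses, the faulting function is four frames deep in its own recursion, and the allocation site, once allocator and toolchain frames are skipped, is PDFiumEngine::LoadPageInfo. The helper names (parse_asan_report, first_project_frame, triage) and the skip lists are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the report quoted in the issue, trimmed to the lines the
# triage needs; frame #2 of the allocation stack is given a readable name.
SAMPLE_REPORT = r"""
==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00e0ed7c at pc 0x1a225412 bp 0x0034b6fc sp 0x0034b6f0
READ of size 4 at 0x00e0ed7c thread T0
    #0 0x1a225411 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2608:44
    #1 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #2 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #3 0x1a225066 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2643:33
    #4 0x1a22450a in chrome_pdf::PDFiumEngine::GetBookmarks(void) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2587:28
0x00e0ed7c is located 4 bytes to the left of 564-byte region [0x00e0ed80,0x00e0efb4)
allocated by thread T0 here:
    #0 0x177aa8c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
    #1 0x1fbde239 in operator new(unsigned int) f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
    #2 0x1a244344 in std::vector<std::unique_ptr<chrome_pdf::PDFiumPage> >::emplace_back c:\b\c\win_toolchain\vs_files\9bc7ccbf9f4bd50d4a3bd185e8ca94ff1618de0b\vc\tools\msvc\14.11.25503\include\vector:951:40
    #3 0x1a20cd1b in chrome_pdf::PDFiumEngine::LoadPageInfo(bool) C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:3005:24
SUMMARY: AddressSanitizer: heap-buffer-overflow C:\b\c\b\win_asan_release_coverage\src\pdf\pdfium\pdfium_engine.cc:2608:44 in chrome_pdf::PDFiumEngine::TraverseBookmarks(void *,unsigned int)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(r"^0x([0-9a-fA-F]+) is located (\d+) bytes (to the left of|to the right of|inside of) "
                       r"(\d+)-byte region \[0x([0-9a-fA-F]+),0x([0-9a-fA-F]+)\)")
# "#N 0xPC in FUNCTION FILE:LINE[:COLUMN]"; the file is the last whitespace-free token.
FRAME_RE = re.compile(r"^#(\d+) 0x([0-9a-fA-F]+) in (.*) (\S+?):(\d+)(?::(\d+))?$")

# Frames owned by the allocator or the toolchain, not by the project (example's own lists).
ALLOCATOR_FUNCS = {"malloc", "calloc", "realloc", "operator new", "operator new[]"}
TOOLCHAIN_PATH_MARKERS = ("compiler-rt", "\\include\\", "vcstartup")


def parse_asan_report(text: str) -> Dict:
    """Parse the header, access line, region line and the stack traces of an ASan report."""
    report = {"bug_type": None, "fault_address": None, "access": None, "size": None,
              "thread": None, "region": None,
              "stacks": {"access": [], "allocation": [], "free": []}}
    section = "access"  # frames before the region line belong to the faulting access
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report["bug_type"], report["fault_address"] = m.group(2), int(m.group(3), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["access"], report["size"], report["thread"] = m.group(1), int(m.group(2)), m.group(4)
            continue
        m = REGION_RE.match(line)
        if m:
            report["region"] = {"stated_offset": int(m.group(2)), "where": m.group(3), "bytes": int(m.group(4)),
                                "start": int(m.group(5), 16), "end": int(m.group(6), 16)}
            continue
        if "allocated by thread" in line:
            section = "allocation"
            continue
        if line.startswith("freed by thread"):
            section = "free"
            continue
        m = FRAME_RE.match(line)
        if m:  # unsymbolized frames such as "(kernel32.dll+0x...)" simply do not match
            report["stacks"][section].append({
                "index": int(m.group(1)), "pc": int(m.group(2), 16), "function": m.group(3),
                "file": m.group(4), "line": int(m.group(5)),
                "column": int(m.group(6)) if m.group(6) else None})
    return report


def first_project_frame(frames: List[Dict]) -> Optional[Dict]:
    """Skip allocator and toolchain frames to find where the project requested the memory."""
    for f in frames:
        name = f["function"].split("(")[0]
        if name in ALLOCATOR_FUNCS or any(mk in f["file"] for mk in TOOLCHAIN_PATH_MARKERS):
            continue
        return f
    return None


def triage(text: str) -> Dict:
    """Derive the facts a triager checks first from a heap-buffer-overflow report."""
    r = parse_asan_report(text)
    region, addr, size = r["region"], r["fault_address"], r["size"]
    offset = addr - region["start"]  # negative: the access lies before the buffer
    fully_oob = addr + size <= region["start"] or addr >= region["end"]
    # Cross-check ASan's "N bytes to the left/right/inside" sentence against the raw addresses.
    stated = {"to the left of": -region["stated_offset"],
              "inside of": region["stated_offset"],
              "to the right of": region["bytes"] + region["stated_offset"]}[region["where"]]
    access_stack = r["stacks"]["access"]
    top = access_stack[0]
    depth = 0  # consecutive frames of the same function from the top, i.e. recursion depth
    for f in access_stack:
        if f["function"] != top["function"]:
            break
        depth += 1
    return {
        "bug_type": r["bug_type"], "access": r["access"], "size": size,
        "offset_from_region_start": offset,
        "slot_index": offset // size if size and offset % size == 0 else None,
        "fully_out_of_bounds": fully_oob,
        "report_consistent": stated == offset,
        "top_frame": top, "recursion_depth": depth,
        "allocation_site": first_project_frame(r["stacks"]["allocation"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The "slot_index" of -1 with a 4-byte access is the detail worth keeping in the triage record: it tells the reviewer to look at the indexing expression on pdfium_engine.cc:2608 rather than at the allocation size, and the allocation_site links the region to the vector filled by LoadPageInfo without reading the mangled symbol by hand.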
Oct 10 2017
Thanks for the bug. This repros fine for me without either of --no-sandbox and --allow-file-access-from-files - can you explain why you say these are needed? Will let CF do the impact assessment.

Oct 10 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4959481103646720.

Oct 10 2017
Thanks for the report, but this was already reported by ClusterFuzz.

Oct 10 2017
Hello wfh, hnakashima, good afternoon. Firstly, I would like to thank you for the quick response. @wfh, the --no-sandbox and --allow-file-access-from-files flags were used by my fuzzer, so I added them; and yes, it reproduces without the flags too, as the latest Chrome Canary also crashes with this PoC. @hnakashima, I would like to kindly request you to add me to crbug.com/772615 for transparency, since the Duplicate labelling has been inaccurate several times in the past. Thanks, ~ Kushal.

Oct 12 2017
Hello hnakashima, good afternoon. Firstly, I would like to thank you for being transparent and allowing me access to crbug.com/772615; I sincerely appreciate it. Secondly, I noticed that after the fix landed in range 507774:507842 for crbug.com/772615, I am no longer able to reproduce this vulnerability in later ASAN builds. So, I would like to request you to close this case. Thanks, ~Kushal.

Oct 12 2017
Hi Kushal, it's already been closed as a duplicate. Thank you again for the report.

Jan 18 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot