Null-dereference READ in blink::ParseKeywordValue |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5502722794323968 Fuzzer: libFuzzer_css_parser_fast_paths_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::ParseKeywordValue blink::CSSParserFastPaths::MaybeParseValue Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=508229:508247 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5502722794323968 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 12 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4491ba9d10af731964683f577822e7f29c339bf3 (Add fuzzing target for CSSParserFastPaths.cpp.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Oct 12 2017
,
Oct 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5def70bc87542c1cc4922a48cfdae9894a79796a commit 5def70bc87542c1cc4922a48cfdae9894a79796a Author: Darren Shen <shend@chromium.org> Date: Thu Oct 12 23:44:26 2017 Fix preconditions for css_parser_fast_paths_fuzzer. There's a bug in generating the CSSPropertyID value from the hash of the data string. We currently do (hash % numCSSPropertyIDs), which can generate unresolved properties, which are not allowed in the fuzz target. This patch tries to only generate valid (resolved) CSSPropertyIDs. Bug: 774113 , 774060 , 774020 , 774015 Change-Id: Iaa5655f7399cd0d1381197e7b4026d426b3cf456 Reviewed-on: https://chromium-review.googlesource.com/717276 Commit-Queue: Darren Shen <shend@chromium.org> Reviewed-by: nainar <nainar@chromium.org> Cr-Commit-Position: refs/heads/master@{#508543} [modify] https://crrev.com/5def70bc87542c1cc4922a48cfdae9894a79796a/third_party/WebKit/Source/core/css/parser/CSSParserFastPathsFuzzer.cpp
,
Oct 13 2017
ClusterFuzz has detected this issue as fixed in range 508542:508576. Detailed report: https://clusterfuzz.com/testcase?key=5502722794323968 Fuzzer: libFuzzer_css_parser_fast_paths_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::ParseKeywordValue blink::CSSParserFastPaths::MaybeParseValue Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=508229:508247 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=508542:508576 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5502722794323968 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 13 2017
ClusterFuzz testcase 5502722794323968 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 7 2017
,
Nov 7 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, Oct 12 2017Labels: Test-Predator-AutoComponents