Null-dereference READ in blink::SecurityOrigin::IsUnique |
|||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6189165975961600 Fuzzer: libFuzzer_feature_policy_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000034 Crash State: blink::SecurityOrigin::IsUnique blink::SecurityOrigin::ToUrlOrigin Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=514325:514357 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6189165975961600 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Nov 7 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2e71399980fa36ede2925e9e13bed869d8f9312c (Feature Policy Onion Soup (1)). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Nov 7 2017
,
Nov 7 2017
bug being fixed in https://chromium-review.googlesource.com/c/chromium/src/+/756865
,
Nov 7 2017
,
Nov 7 2017
,
Nov 7 2017
,
Nov 7 2017
,
Nov 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3bc820ae7732bd0580a0e74aad8e04a1b2be0467 commit 3bc820ae7732bd0580a0e74aad8e04a1b2be0467 Author: Luna Lu <loonybear@chromium.org> Date: Wed Nov 08 20:54:30 2017 Bug fix: when parsing fp header, 'src' should be disallowed and treated as a bad origin This also fix the bug introduced by recent change in https://chromium.googlesource.com/chromium/src/+/3e6a1e15dce9d46a5661896a17e9e4fb3ba99d2d/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp#90 Bug: 782202 Change-Id: I9ba287c724e3c5d9d67981e0dc6d4d7c35e33615 Reviewed-on: https://chromium-review.googlesource.com/756865 Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Dirk Pranke <dpranke@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Commit-Queue: Luna Lu <loonybear@chromium.org> Cr-Commit-Position: refs/heads/master@{#514933} [add] https://crrev.com/3bc820ae7732bd0580a0e74aad8e04a1b2be0467/testing/libfuzzer/fuzzers/feature_policy_corpus/16 [modify] https://crrev.com/3bc820ae7732bd0580a0e74aad8e04a1b2be0467/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp
,
Nov 8 2017
,
Nov 9 2017
ClusterFuzz has detected this issue as fixed in range 514923:514962. Detailed report: https://clusterfuzz.com/testcase?key=6189165975961600 Fuzzer: libFuzzer_feature_policy_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000034 Crash State: blink::SecurityOrigin::IsUnique blink::SecurityOrigin::ToUrlOrigin Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=514325:514357 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=514923:514962 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6189165975961600 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 9 2017
ClusterFuzz testcase 6189165975961600 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by ClusterFuzz
, Nov 7 2017Labels: Test-Predator-AutoComponents