
Issue 790944

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




libxml flushes the buffer when it should not: leading to Undefined-shift in ucnv_UTF8FromUTF8

Project Member Reported by ClusterFuzz, Dec 1 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6424257411416064

Fuzzer: libFuzzer_xml_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  ucnv_UTF8FromUTF8
  ucnv_convertEx_60
  xmlUconvWrapper
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=519819:519862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6424257411416064

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 1 2017

Components: Blink>XML
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 1 2017

Cc: jcivelli@google.com japhet@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Adding a SafeXMLParser to the data-decoder service. by jcivelli@google.com - https://chromium.googlesource.com/chromium/src/+/90a4cb1cd1afc7601d2b1a577d8e05523cc08a96

Merge XSLImportRule into XSLStyleSheet by japhet@chromium.org - https://chromium.googlesource.com/chromium/src/+/8b18c17e3e2d38a8ee6913f302b7a6ed20395e60

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
This is the fuzzer I added as part of my CL.
Cc: js...@chromium.org
Adding jshin@ since this is ICU related.
jshin@, could you please look into this issue?

Cc: -js...@chromium.org kkaluri@chromium.org
Labels: M-64 Test-Predator-Wrong-CLs
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using code search for the file “ucnv_u8.cpp”, assigning to the concerned owner.
Suspecting Commit# https://chromium.googlesource.com/chromium/deps/icu.git/+/b31896655a701874d13e70cc24bca95e3e66a991

jshin@ -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.


Thank You.

Comment 7 by js...@chromium.org, Dec 19 2017

Hmm.... So, we do use "ucnv_UTF8FromUTF8" in libxml. Last week, I cherry-picked an upstream fix for that function. Let me try a test case in this bug and see if it's fixed by the cherry-pick. 

Comment 8 by js...@chromium.org, Dec 19 2017

Cc: aizatsky@chromium.org mmoroz@google.com kcc@chromium.org js...@chromium.org
 Issue 603496  has been merged into this issue.

Comment 9 by js...@chromium.org, Dec 20 2017

Hmm....  bug 603496  has the top of the stack identical to this one (except for ICU version #), but I can't reproduce it in the ToT while I can reproduce this one. 
Maybe, it's not a dupe. 

Anyway, the ubsan complained about this: 

third_party/icu/source/common/ucnv_u8.cpp:784:29: runtime error: left shift of negative value -175623977

line 784: c=(c<<6)+b;


|c| is of type UChar32 (unsigned int32). I wonder why ubsan thinks that it is -175623977.  BTW, its absolute value is much smaller than 2^31 (let alone 2^32).
Cc: -aizatsky@chromium.org
As I read the code:

typedef int32_t UChar32;

from https://cs.chromium.org/chromium/src/third_party/icu/source/common/unicode/umachine.h?sq=package:chromium&l=396


Comment 11 by js...@chromium.org, Dec 21 2017

> typedef int32_t UChar32;

You're absolutely right. How did I forget that? ..... 

Comment 12 by js...@chromium.org, Dec 21 2017

Cc: mscherer@google.com
The test case has this sequence at the end:

f3 a0 81 81 97 99

The first 4 bytes stand for U+E0041 and the last two bytes are invalid. 

Let me try to reproduce the bug outside libxml with the above sequence.


Comment 13 by js...@chromium.org, Dec 21 2017

Cc: -js...@chromium.org joelhockey@chromium.org
Cc: -joelhockey@chromium.org js...@chromium.org
Owner: joelhockey@chromium.org
Markus and Joel had an offline conversation about libxml's use of ICU converter. There was a similar bug ( bug 722420 ) which was due to libxml's misuse of ICU converter API. That one was fixed by fixing libxml. 

Joel wrote:

-------------
I can reproduce this.  I'm pretty sure the bug is with libxml setting flush when it shouldn't just like the last fuzzer bug.

I'm pretty sure it is this line setting flush to true when it should be false.

https://cs.chromium.org/chromium/src/third_party/libxml/src/xmlIO.c?l=3160&rcl=493a404fb9a975817a8c8962225380219e82ae40

I'm trying to create a testcase and fix for libxml but it is taking a little while. 
-----------------

I'm giving this to him. 
I confirmed Joel's hunch. Changing the line in comment 14 made UBSan happy. libxml emitted an encoding error on the invalid UTF-8 sequence in question. 
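A simplified model of the two points raised in the comments above, as an added example that is not ICU's or libxml's code: a chunked UTF-8 decoder whose accumulator is unsigned, so the `c << 6` step can never shift a negative value, and whose `flush` argument has the "last chunk" meaning of the ICU converter flag. All names (`u8_state`, `u8_feed`, `decode_tail`) are hypothetical; the input is the six tail bytes quoted in comment 12.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { U8_OK, U8_INVALID, U8_TRUNCATED } u8_status;

/* State carried between chunks (hypothetical model, not ICU's converter). */
typedef struct {
    uint32_t cp;   /* partial code point; unsigned, so cp << 6 is always defined */
    uint32_t min;  /* smallest value legal for this length (rejects overlongs) */
    int need;      /* continuation bytes still expected */
} u8_state;

typedef struct { u8_status status; uint32_t cp; size_t err_off; } u8_result;

/* Decode one chunk. flush must be true only for the last chunk of the stream.
 * On U8_INVALID, *err_off is the offset of the offending byte in this chunk. */
u8_status u8_feed(u8_state *st, const uint8_t *src, size_t len, bool flush,
                  uint32_t *out, size_t cap, size_t *n_out, size_t *err_off)
{
    for (size_t i = 0; i < len; i++) {
        uint8_t b = src[i];
        if (st->need == 0) {
            if (b < 0x80) {
                if (*n_out < cap) out[(*n_out)++] = b;
            } else if (b >= 0xC2 && b <= 0xDF) {
                st->cp = b & 0x1Fu; st->need = 1; st->min = 0x80;
            } else if ((b & 0xF0) == 0xE0) {
                st->cp = b & 0x0Fu; st->need = 2; st->min = 0x800;
            } else if (b >= 0xF0 && b <= 0xF4) {
                st->cp = b & 0x07u; st->need = 3; st->min = 0x10000;
            } else {                    /* lone continuation or illegal lead byte */
                *err_off = i;
                return U8_INVALID;
            }
        } else {
            if ((b & 0xC0) != 0x80) {   /* sequence cut short inside the chunk */
                st->need = 0;
                *err_off = i;
                return U8_INVALID;
            }
            st->cp = (st->cp << 6) | (b & 0x3Fu);
            if (--st->need == 0) {
                bool surrogate = st->cp >= 0xD800 && st->cp <= 0xDFFF;
                if (st->cp < st->min || st->cp > 0x10FFFF || surrogate) {
                    *err_off = i;
                    return U8_INVALID;
                }
                if (*n_out < cap) out[(*n_out)++] = st->cp;
            }
        }
    }
    /* A pending sequence is an error only when no more input will follow. */
    if (st->need != 0 && flush) { st->need = 0; return U8_TRUNCATED; }
    return U8_OK;
}

/* Tail bytes quoted in comment 12 of this issue. */
static const uint8_t TAIL[6] = {0xF3, 0xA0, 0x81, 0x81, 0x97, 0x99};

/* Feed TAIL[0..split) with flush_first, then TAIL[split..total) as the final
 * chunk. Reports the final status, the first code point and the error offset. */
u8_result decode_tail(size_t total, size_t split, bool flush_first)
{
    u8_state st = {0, 0, 0};
    uint32_t out[8] = {0};
    size_t n = 0;
    u8_result r = {U8_OK, 0, 0};
    r.status = u8_feed(&st, TAIL, split, flush_first, out, 8, &n, &r.err_off);
    if (r.status == U8_OK)
        r.status = u8_feed(&st, TAIL + split, total - split, true, out, 8, &n,
                           &r.err_off);
    r.cp = n ? out[0] : 0;
    return r;
}

int main(void)
{
    u8_result whole = decode_tail(6, 0, false);
    printf("whole tail: status=%d cp=U+%X bad byte offset=%zu\n",
           (int)whole.status, (unsigned)whole.cp, whole.err_off);
    printf("split 2+2, flush on last chunk only: status=%d\n",
           (int)decode_tail(4, 2, false).status);
    printf("split 2+2, flush set on first chunk: status=%d\n",
           (int)decode_tail(4, 2, true).status);
    return 0;
}
```

In this model a flush flag set on a non-final chunk turns a valid sequence that straddles the chunk boundary into a truncation error, which is why the flag has to track the real end of input.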

Summary: libxml flushes the buffer when it should not: leading to Undefined-shift in ucnv_UTF8FromUTF8 (was: Undefined-shift in ucnv_UTF8FromUTF8)
I have sent a patch to libxml.  Once the patch is accepted upstream, we can pull their changes.  The email thread should be visible at
https://mail.gnome.org/archives/xml/2018-January/thread.html

Comment 18 by js...@chromium.org, Jan 31 2018

In the meantime, the ICU upstream has a patch to harden ICU converters. 

http://bugs.icu-project.org/trac/ticket/13560 . 

I'll cherry-pick it.  

Project Member

Comment 19 by bugdroid1@chromium.org, Feb 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6

commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6
Author: Joel Hockey <joelhockey@chromium.org>
Date: Fri Feb 02 04:42:45 2018

Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c

This fixes a number of bugs found on clusterfuzz.

Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
Bug:  790944 
Bug:  793715 
Bug:  796804 
Bug:  799707 
Reviewed-on: https://chromium-review.googlesource.com/897220
Commit-Queue: Joel Hockey <joelhockey@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533953}
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/README.chromium
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/configure.ac
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/parser.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/xmlIO.c

Project Member

Comment 20 by ClusterFuzz, Feb 2 2018

ClusterFuzz has detected this issue as fixed in range 533948:533961.

Detailed report: https://clusterfuzz.com/testcase?key=6424257411416064

Fuzzer: libFuzzer_xml_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address: 
Crash State:
  ucnv_UTF8FromUTF8
  ucnv_convertEx_60
  xmlUconvWrapper
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=519819:519862
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=533948:533961

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6424257411416064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 21 by ClusterFuzz, Feb 2 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6424257411416064 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 22 by bugdroid1@chromium.org, Feb 12 2018

Labels: merge-merged-3325
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9dc050f2480deaf9882ca95a6f214cc552ef9339

commit 9dc050f2480deaf9882ca95a6f214cc552ef9339
Author: Joel Hockey <joelhockey@chromium.org>
Date: Mon Feb 12 22:46:35 2018

Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c

This fixes a number of bugs found on clusterfuzz.

Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
Bug:  790944 
Bug:  793715 
Bug:  796804 
Bug:  799707 
Reviewed-on: https://chromium-review.googlesource.com/897220
Commit-Queue: Joel Hockey <joelhockey@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#533953}
(cherry picked from commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6)
Reviewed-on: https://chromium-review.googlesource.com/914448
Reviewed-by: Jay Civelli <jcivelli@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#437}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/README.chromium
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/configure.ac
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/parser.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/xmlIO.c

Project Member

Comment 23 by bugdroid1@chromium.org, Mar 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4be2115e0abf80619cbf702d0619520d0c4c868d

commit 4be2115e0abf80619cbf702d0619520d0c4c868d
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:30:55 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.

Bug:  820163 ,  822673 ,  820561 ,  812148 ,  821333 

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug:  790944 
> Bug:  793715 
> Bug:  796804 
> Bug:  799707 
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  790944 ,  793715 ,  796804 ,  799707 
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543766}
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/README.chromium
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/configure.ac
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/431c6dbf0a42d0c31c7dccd6553c6c496f1042a0/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/xmlIO.c

Project Member

Comment 24 by bugdroid1@chromium.org, Mar 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0f92ca1175c89aec344326778c755ba57ef4d314

commit 0f92ca1175c89aec344326778c755ba57ef4d314
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:50:19 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

M-65 stable merge.

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.

Bug:  820163 ,  822673 ,  820561 ,  812148 ,  821333 

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug:  790944 
> Bug:  793715 
> Bug:  796804 
> Bug:  799707 
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  790944 ,  793715 ,  796804 ,  799707 
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/967021
Cr-Commit-Position: refs/branch-heads/3325@{#714}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/README.chromium
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/configure.ac
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/483290671a61fdd75600a7b7f5e4a940ba814e9b/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/xmlIO.c

Project Member

Comment 25 by bugdroid1@chromium.org, Mar 16 2018

Labels: merge-merged-3359
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/54a1c705833b375b124b014159dcadda02a80e9b

commit 54a1c705833b375b124b014159dcadda02a80e9b
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:00:42 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

M-66 merge.

Reason for revert: Breaks content all over the web.

Bug:  820163 ,  822673 ,  820561 ,  812148 ,  821333 

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug:  790944 
> Bug:  793715 
> Bug:  796804 
> Bug:  799707 
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  790944 ,  793715 ,  796804 ,  799707 
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966962
Cr-Commit-Position: refs/branch-heads/3359@{#288}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/README.chromium
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/configure.ac
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/11b924f8c4a7c84bfb46e8df78e7ef8d330dc907/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/xmlIO.c

Project Member

Comment 26 by bugdroid1@chromium.org, Mar 16 2018

Labels: merge-merged-3372
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d8901956103e21b8c3461b779e99cd5d7f50f3ad

commit d8901956103e21b8c3461b779e99cd5d7f50f3ad
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:19:12 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Canary build branch merge.

Reason for revert: Breaks content all over the web.

Bug:  820163 ,  822673 ,  820561 ,  812148 ,  821333 

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug:  790944 
> Bug:  793715 
> Bug:  796804 
> Bug:  799707 
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  790944 ,  793715 ,  796804 ,  799707 
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966690
Cr-Commit-Position: refs/branch-heads/3372@{#1}
Cr-Branched-From: ad7f48548867b059f459e13c53bb8e2e96027381-refs/heads/master@{#543592}
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/README.chromium
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/configure.ac
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/ad7f48548867b059f459e13c53bb8e2e96027381/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/xmlIO.c

Owner: schenney@chromium.org
Status: Assigned (was: Verified)
This bug needs to be re-opened since we reverted the libxml roll. I will look to re-landing each fix separately.
Status: Started (was: Assigned)
This one does not reproduce on ToT even with the libxml roll reverted, using the clusterfuzz reproduction tools.
Project Member

Comment 30 by bugdroid1@chromium.org, Mar 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380

commit f01ade19f2ee3e7037bb57acb46e3bd6d45a0380
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 23 15:36:43 2018

Roll libxml to 7a1bd7f6497ac33a9023d556f6f47a48f01deac0

R=dcheng@chromium.org

Bug:  790944 , 820163 , 793715 , 796804 , 799707 , 823345 
Change-Id: I6daa6aedd8ccff792b99c228d85800dbd2dd3ec2
Reviewed-on: https://chromium-review.googlesource.com/973467
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545458}
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/README.chromium
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/chromium/roll.py
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/config.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/mac/config.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/aclocal.m4
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/configure.ac
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/libxml2.syms
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/parser.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/testapi.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/xpath.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/win32/include/libxml/xmlversion.h

Status: Fixed (was: Started)
Project Member

Comment 32 by bugdroid1@chromium.org, Mar 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e0b7754a48adf46c2d9a352085754d46a404ba1c

commit e0b7754a48adf46c2d9a352085754d46a404ba1c
Author: Stephen Chenney <schenney@chromium.org>
Date: Tue Mar 27 18:06:12 2018

Roll libxml to 7a1bd7f6497ac33a9023d556f6f47a48f01deac0

M-66 Cherry-pick

TBR=dcheng@chromium.org

Bug:  790944 , 820163 , 793715 , 796804 , 799707 , 823345 
Change-Id: I6daa6aedd8ccff792b99c228d85800dbd2dd3ec2
Reviewed-on: https://chromium-review.googlesource.com/973467
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#545458}
(cherry picked from commit f01ade19f2ee3e7037bb57acb46e3bd6d45a0380)
Reviewed-on: https://chromium-review.googlesource.com/981755
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#464}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/README.chromium
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/chromium/roll.py
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/config.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/mac/config.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/aclocal.m4
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/configure.ac
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/libxml2.syms
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/parser.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/testapi.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/xpath.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/win32/include/libxml/xmlversion.h
