Heap-use-after-free in xmlParseGetLasts
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5578576169795584
Fuzzer: libFuzzer_xml_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x621000005eeb
Crash State:
  xmlParseGetLasts
  xmlParseTryOrFinish
  xmlParseChunk
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=519798:519832
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5578576169795584
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Dec 11 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 11 2017
Joel, as someone who recently fixed a fuzzer bug related to character conversion in libxml (Issue 722420), would you know who might be a reasonable owner for this one? The fuzzing of the XML's content broke the character set declaration such that it's not getting interpreted as UTF-8, resulting in decoding errors. Within the regression range, only https://chromium.googlesource.com/chromium/src/+/90a4cb1cd1afc7601d2b1a577d8e05523cc08a96 touched libxml code, but this doesn't look like it's anywhere near the crashing codepath. We previously had an issue here in Issue 35979 where parsing was incorrectly continued after a context was closed, but that was fixed in WebKit six years ago. Similarly, https://bugzilla.gnome.org/show_bug.cgi?id=690202#c5 notes a crash on the same line as this fuzzer bug, but that bug was fixed in 2013. The CL that fixed the 2013 bug does note the root cause was "The pointers from the context input were not properly reset after that call which can do reallocations", which implies that this bad pattern (failure to update pointers after a reallocation) might be the same class of issue here.
Dec 12 2017
I'm having trouble accessing clusterfuzz right now to see the detailed report. I have been able to download the reproducer testcase, but it passes fine for me. I'm currently using flags:
enable_nacl = false
is_asan = true
is_debug = true
is_ubsan_security = true
is_tsan = false
sanitizer_keep_symbols = true
symbol_level = 2
use_libfuzzer = true
I'll try and look again soon if clusterfuzz is back up.
Dec 12 2017
This is a regression from https://chromium.googlesource.com/chromium/src/+/90a4cb1cd1afc7601d2b1a577d8e05523cc08a96
Dec 12 2017
I was looking at the wrong test. I was running libxml_xml_read_memory_fuzzer rather than xml_parser_fuzzer. I can reproduce this now, but unfortunately I don't have much libxml knowledge to offer help. In the previous fuzzer bug that I looked at, I was able to debug the code and find the problem and a patch. I sent the patch to the libxml mailing list https://mail.gnome.org/mailman/listinfo/xml.
Dec 12 2017
Recreated and symbolized:
READ of size 1 at 0x6210000072eb thread T0
#0 0x711c75 in xmlParseGetLasts /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:10993:40
#1 0x6ec926 in xmlParseTryOrFinish /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:11174:5
#2 0x6eb35e in xmlParseChunk /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:12263:13
#3 0x7ae3c6 in xmlTextReaderPushData /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:913:12
#4 0x7a8455 in xmlTextReaderRead /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:1310:12
#5 0x4080dc in XmlReader::Read() /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/chromium/libxml_utils.h:52:24
#6 0x402d14 in data_decoder::XmlParser::Parse(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::OnceCallback<void (std::__1::unique_ptr<base::Value, std::__1::default_delete<base::Value> >, base::Optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > const&)>) /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser.cc:121:21
#7 0x3b08ed in LLVMFuzzerTestOneInput /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser_fuzzer.cc:34:14
0x6210000072eb is located 3563 bytes inside of 4096-byte region [0x621000006500,0x621000007500)
freed by thread T0 here:
#0 0x381272 in __interceptor_realloc _asan_rtl_:3
#1 0x636ad5 in xmlBufGrowInternal /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/buf.c:486:23
#2 0x635fd0 in xmlBufGrow /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/buf.c:515:11
#3 0x64d5c8 in xmlCharEncInput /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/encoding.c:2227:9
#4 0x6eaf86 in xmlParseChunk /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:12236:13
#5 0x7ade0e in xmlTextReaderPushData /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:881:12
#6 0x7a8455 in xmlTextReaderRead /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:1310:12
#7 0x4080dc in XmlReader::Read() /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/chromium/libxml_utils.h:52:24
#8 0x402d14 in data_decoder::XmlParser::Parse(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::OnceCallback<void (std::__1::unique_ptr<base::Value, std::__1::default_delete<base::Value> >, base::Optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > const&)>) /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser.cc:121:21
#9 0x3b08ed in LLVMFuzzerTestOneInput /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser_fuzzer.cc:34:14
#10 0x3b4aa4 in main /usr/local/google/home/jcivelli/chromium/src/out/asan/../../testing/libfuzzer/unittest_main.cc:57:5
#11 0x7f04bfc33f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287:0
previously allocated by thread T0 here:
#0 0x380e73 in __interceptor_malloc _asan_rtl_:3
#1 0x633072 in xmlBufCreate /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/buf.c:137:32
#2 0x71dbe2 in xmlSwitchInputEncodingInt /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parserInternals.c:1209:34
#3 0x71cee3 in xmlSwitchToEncodingInt /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parserInternals.c:1285:12
#4 0x71e0e1 in xmlSwitchToEncoding /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parserInternals.c:1313:13
#5 0x6bc770 in xmlParseEncodingDecl /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:10345:7
#6 0x6e165b in xmlParseXMLDecl /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:10517:5
#7 0x6ee73d in xmlParseTryOrFinish /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:11277:4
#8 0x6eb35e in xmlParseChunk /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/parser.c:12263:13
#9 0x7adaf4 in xmlTextReaderPushData /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:871:12
#10 0x7a8455 in xmlTextReaderRead /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/src/xmlreader.c:1310:12
#11 0x4080dc in XmlReader::Read() /usr/local/google/home/jcivelli/chromium/src/out/asan/../../third_party/libxml/chromium/libxml_utils.h:52:24
#12 0x402d14 in data_decoder::XmlParser::Parse(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::OnceCallback<void (std::__1::unique_ptr<base::Value, std::__1::default_delete<base::Value> >, base::Optional<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > const&)>) /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser.cc:121:21
#13 0x3b08ed in LLVMFuzzerTestOneInput /usr/local/google/home/jcivelli/chromium/src/out/asan/../../services/data_decoder/xml_parser_fuzzer.cc:34:14
#14 0x3b4aa4 in main /usr/local/google/home/jcivelli/chromium/src/out/asan/../../testing/libfuzzer/unittest_main.cc:57:5
#15 0x7f04bfc33f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287:0
Dec 13 2017
This issue with libxml was exposed by the new xml_parser_fuzzer I introduced recently. It is not a new issue, therefore not a regression. Not sure it needs to be a release blocker.
Dec 13 2017
Re #13: I believe release-blocking is based on the fact that libxml is a security-critical component that gets used inside unsandboxed processes.
Dec 13 2017
Attaching a somewhat simplified reproducer test case.
Dec 27 2017
I think I know what the issue is. In parser.c the call to xmlCharEncInput (https://git.gnome.org/browse/libxml2/tree/parser.c#n12214) may grow the buffer. If that call fails, we return before calling xmlBufSetInputBaseCur, leaving the xmlParserInputPtr pointing to the now deleted buffer. I tried to fix it by moving the xmlBufSetInputBaseCur call to right after the xmlCharEncInput call; that seems to fix it.
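A constructed C model of the ordering bug this comment describes, beside its fix, as an added example (it is not libxml2's code and not the patch from this thread): buf_t, input_t, enc_input, input_set_base_cur and the two parse_chunk_* functions are stand-ins for xmlBuf, xmlParserInput, xmlCharEncInput, xmlBufSetInputBaseCur and the xmlParseChunk path, and the grow helper always moves the block so the dangling pointer shows up deterministically.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libxml2's xmlBuf: a growable byte buffer. */
typedef struct { unsigned char *content; size_t use, size; } buf_t;

/* Constructed stand-in for xmlParserInput: base/cur/end alias buf->content. */
typedef struct { buf_t *buf; const unsigned char *base, *cur, *end; } input_t;

/* Grow like xmlBufGrow. libxml2 calls realloc, which *may* move the block; this
 * stand-in allocates the new block before freeing the old one, so it always moves. */
static int buf_grow(buf_t *b, size_t need) {
    if (b->size - b->use >= need)
        return 0;
    size_t nsize = (b->size + need) * 2;
    unsigned char *n = malloc(nsize);
    if (n == NULL)
        return -1;
    memcpy(n, b->content, b->use);
    free(b->content);                /* old content is invalid from here on */
    b->content = n;
    b->size = nsize;
    return 0;
}

/* Mirrors xmlBufSetInputBaseCur: re-derive the input pointers from the
 * buffer's current content address using the saved offsets. */
static void input_set_base_cur(input_t *in, size_t base, size_t cur) {
    in->base = in->buf->content + base;
    in->cur = in->base + cur;
    in->end = in->buf->content + in->buf->use;
}

/* Stand-in for xmlCharEncInput: grows the output, appends len "decoded" bytes,
 * then reports a conversion error when fail is set (a broken encoding
 * declaration is what makes the real call fail on the fuzzer input). */
static int enc_input(buf_t *out, const unsigned char *src, size_t len, int fail) {
    if (buf_grow(out, len) < 0)
        return -1;
    memcpy(out->content + out->use, src, len);
    out->use += len;
    return fail ? -2 : (int)len;
}

/* Vulnerable ordering, as described in the comment above: on a conversion
 * error we return before the pointers are re-derived from the new block. */
static int parse_chunk_unsafe(input_t *in, const unsigned char *src,
                              size_t len, int fail) {
    size_t base = (size_t)(in->base - in->buf->content);
    size_t cur = (size_t)(in->cur - in->base);
    int nbchars = enc_input(in->buf, src, len, fail);
    if (nbchars < 0)
        return -1;          /* in->base / in->cur still point at the freed block */
    input_set_base_cur(in, base, cur);
    return 0;
}

/* Fixed ordering: resync unconditionally, right after the call that can
 * reallocate, and only then act on its error code. */
static int parse_chunk_fixed(input_t *in, const unsigned char *src,
                             size_t len, int fail) {
    size_t base = (size_t)(in->base - in->buf->content);
    size_t cur = (size_t)(in->cur - in->base);
    int nbchars = enc_input(in->buf, src, len, fail);
    input_set_base_cur(in, base, cur);
    if (nbchars < 0)
        return -1;
    return 0;
}

/* 1 if base and cur lie inside the live allocation, 0 if they still carry
 * the old address. Compares addresses only; nothing is dereferenced. */
static int input_pointers_live(const input_t *in) {
    uintptr_t lo = (uintptr_t)in->buf->content;
    uintptr_t hi = lo + in->buf->size;
    uintptr_t b = (uintptr_t)in->base, c = (uintptr_t)in->cur;
    return (b >= lo && b < hi && c >= lo && c < hi) ? 1 : 0;
}

/* One push: an 8-byte buffer holding a constructed "<?xml" prefix, cur at
 * offset 2, then a 16-byte chunk whose conversion fails after the grow.
 * Returns 1 if the input pointers are valid afterwards, 0 if they dangle. */
static int run_scenario(int use_fixed) {
    buf_t buf = { malloc(8), 0, 8 };
    if (buf.content == NULL)
        return -1;
    memcpy(buf.content, "<?xml", 5);
    buf.use = 5;
    input_t in = { &buf, buf.content, buf.content + 2, buf.content + 5 };
    const unsigned char chunk[] = "0123456789abcdef";   /* constructed input */
    int rc = use_fixed ? parse_chunk_fixed(&in, chunk, 16, 1)
                       : parse_chunk_unsafe(&in, chunk, 16, 1);
    int live = (rc == -1) ? input_pointers_live(&in) : -1;
    free(buf.content);
    return live;
}
```

Under ASan the unsafe variant is the state xmlParseGetLasts then reads from, which is the READ-of-size-1 in the report above; the fixed variant leaves base and cur inside the live block even though the push still reports the conversion error.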
Jan 3 2018
I sent the patch to the libxml2 mailing list: https://mail.gnome.org/archives/xml/2018-January/msg00002.html
Jan 18 2018
jcivelli, it looks like that thread has stalled, maybe you could ping it to get your patch merged ASAP?
Jan 22 2018
Fix was landed in libxml2: https://git.gnome.org/browse/libxml2/commit/?id=ab362ab0ad3af54406ae8237a525405c6e2a705b
Jan 31 2018
Is any merge to a Chromium branch required? Does this affect the M64 rollout at all? I'm removing the RBS label since it seems like the fix landed in #20.
Jan 31 2018
This landed upstream in the libxml2 repo but NOT in Chromium. We'll need to uprev our version of libxml2 to get that fix.
Jan 31 2018
I have started a roll of libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c, which I will complete tomorrow when I have access to my MacBook.
Feb 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6

commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6
Author: Joel Hockey <joelhockey@chromium.org>
Date: Fri Feb 02 04:42:45 2018

Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c

This fixes a number of bugs found on clusterfuzz.

Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
Bug: 790944
Bug: 793715
Bug: 796804
Bug: 799707
Reviewed-on: https://chromium-review.googlesource.com/897220
Commit-Queue: Joel Hockey <joelhockey@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533953}

[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/README.chromium
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/configure.ac
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/parser.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6/third_party/libxml/src/xmlIO.c
Feb 2 2018
ClusterFuzz has detected this issue as fixed in range 533948:533954.

Detailed report: https://clusterfuzz.com/testcase?key=5578576169795584
Fuzzer: libFuzzer_xml_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x621000005eeb
Crash State:
  xmlParseGetLasts
  xmlParseTryOrFinish
  xmlParseChunk
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=519798:519832
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=533948:533954
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5578576169795584
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 2 2018
ClusterFuzz testcase 5578576169795584 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 9 2018
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 9 2018
[Bulk Edit] +awhalley@ (Security TPM) for M65 merge review
Feb 9 2018
govind@ - good for 65
Feb 9 2018
Approving merge to M65 branch 3325 based on comment #32. Please merge ASAP so we can pick it up for next week's Beta release. Thank you.
Feb 12 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9dc050f2480deaf9882ca95a6f214cc552ef9339

commit 9dc050f2480deaf9882ca95a6f214cc552ef9339
Author: Joel Hockey <joelhockey@chromium.org>
Date: Mon Feb 12 22:46:35 2018

Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c

This fixes a number of bugs found on clusterfuzz.

Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
Bug: 790944
Bug: 793715
Bug: 796804
Bug: 799707
Reviewed-on: https://chromium-review.googlesource.com/897220
Commit-Queue: Joel Hockey <joelhockey@chromium.org>
Reviewed-by: Scott Graham <scottmg@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#533953}
(cherry picked from commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6)
Reviewed-on: https://chromium-review.googlesource.com/914448
Reviewed-by: Jay Civelli <jcivelli@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#437}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/README.chromium
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/configure.ac
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/parser.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/9dc050f2480deaf9882ca95a6f214cc552ef9339/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4be2115e0abf80619cbf702d0619520d0c4c868d

commit 4be2115e0abf80619cbf702d0619520d0c4c868d
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:30:55 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.
Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543766}

[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/README.chromium
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/configure.ac
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parser.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/431c6dbf0a42d0c31c7dccd6553c6c496f1042a0/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/4be2115e0abf80619cbf702d0619520d0c4c868d/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0f92ca1175c89aec344326778c755ba57ef4d314

commit 0f92ca1175c89aec344326778c755ba57ef4d314
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 18:50:19 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

M-65 stable merge.

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Reason for revert: Breaks content all over the web.
Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/967021
Cr-Commit-Position: refs/branch-heads/3325@{#714}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/README.chromium
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/configure.ac
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parser.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/483290671a61fdd75600a7b7f5e4a940ba814e9b/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/0f92ca1175c89aec344326778c755ba57ef4d314/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/54a1c705833b375b124b014159dcadda02a80e9b

commit 54a1c705833b375b124b014159dcadda02a80e9b
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:00:42 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

M-66 merge.

Reason for revert: Breaks content all over the web.
Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966962
Cr-Commit-Position: refs/branch-heads/3359@{#288}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}

[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/README.chromium
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/configure.ac
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parser.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/11b924f8c4a7c84bfb46e8df78e7ef8d330dc907/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/54a1c705833b375b124b014159dcadda02a80e9b/third_party/libxml/src/xmlIO.c
Mar 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d8901956103e21b8c3461b779e99cd5d7f50f3ad

commit d8901956103e21b8c3461b779e99cd5d7f50f3ad
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 16 19:19:12 2018

Revert "Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c"

This reverts commit c0a946a4dec56ce5906a78f6e0b0c1f9e12c70b6.

Canary build branch merge.

Reason for revert: Breaks content all over the web.
Bug: 820163, 822673, 820561, 812148, 821333

Original change's description:
> Roll libxml to 707ad080e61014ab4a6d60dc12875e233c1f673c
>
> This fixes a number of bugs found on clusterfuzz.
>
> Change-Id: Id2fa1d96e55be1e0483c135c20c20b90a068f4c3
> Bug: 790944
> Bug: 793715
> Bug: 796804
> Bug: 799707
> Reviewed-on: https://chromium-review.googlesource.com/897220
> Commit-Queue: Joel Hockey <joelhockey@chromium.org>
> Reviewed-by: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#533953}

TBR=dcheng@chromium.org,scottmg@chromium.org,joelhockey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 790944, 793715, 796804, 799707
Change-Id: Ic6b934d384229b9cf9092d559b865bbe8f278f38
Reviewed-on: https://chromium-review.googlesource.com/966684
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#543766}
(cherry picked from commit 4be2115e0abf80619cbf702d0619520d0c4c868d)
Reviewed-on: https://chromium-review.googlesource.com/966690
Cr-Commit-Position: refs/branch-heads/3372@{#1}
Cr-Branched-From: ad7f48548867b059f459e13c53bb8e2e96027381-refs/heads/master@{#543592}

[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/README.chromium
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/HTMLparser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/configure.ac
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parser.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/parserInternals.c
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/win32/configure.js
[delete] https://crrev.com/ad7f48548867b059f459e13c53bb8e2e96027381/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/d8901956103e21b8c3461b779e99cd5d7f50f3ad/third_party/libxml/src/xmlIO.c
Mar 16 2018
This bug needs to be re-opened since we reverted the libxml roll. I will look at re-landing each fix separately.
Mar 17 2018
We commit ourselves to a 60 day deadline for fixing high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 17 2018
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 20 2018
I have verified that this reproduces again. I will verify it is fixed again with the next libxml roll.
Mar 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380

commit f01ade19f2ee3e7037bb57acb46e3bd6d45a0380
Author: Stephen Chenney <schenney@chromium.org>
Date: Fri Mar 23 15:36:43 2018

Roll libxml to 7a1bd7f6497ac33a9023d556f6f47a48f01deac0

R=dcheng@chromium.org

Bug: 790944, 820163, 793715, 796804, 799707, 823345
Change-Id: I6daa6aedd8ccff792b99c228d85800dbd2dd3ec2
Reviewed-on: https://chromium-review.googlesource.com/973467
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545458}

[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/README.chromium
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/chromium/roll.py
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/config.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/mac/config.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/aclocal.m4
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/configure.ac
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/libxml2.syms
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/parser.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/testapi.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/src/xpath.c
[modify] https://crrev.com/f01ade19f2ee3e7037bb57acb46e3bd6d45a0380/third_party/libxml/win32/include/libxml/xmlversion.h
,
Mar 23 2018
Requesting an M-66 merge after this has baked on Canary.
,
Mar 24 2018
This bug requires manual review: Reverts referenced in bugdroid comments after merge request. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
How does this look in Canary?
,
Mar 27 2018
We've had no reports of problems and no clusterfuzz or crash reports. I think we're good to go to M-66.
,
Mar 27 2018
Branch: 3359
,
Mar 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e0b7754a48adf46c2d9a352085754d46a404ba1c
commit e0b7754a48adf46c2d9a352085754d46a404ba1c
Author: Stephen Chenney <schenney@chromium.org>
Date: Tue Mar 27 18:06:12 2018
Roll libxml to 7a1bd7f6497ac33a9023d556f6f47a48f01deac0
M-66 Cherry-pick
TBR=dcheng@chromium.org
Bug: 790944, 820163, 793715, 796804, 799707, 823345
Change-Id: I6daa6aedd8ccff792b99c228d85800dbd2dd3ec2
Reviewed-on: https://chromium-review.googlesource.com/973467
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#545458}
(cherry picked from commit f01ade19f2ee3e7037bb57acb46e3bd6d45a0380)
Reviewed-on: https://chromium-review.googlesource.com/981755
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#464}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/README.chromium
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/chromium/chromium-issue-628581.patch
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/chromium/roll.py
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/config.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/linux/xml2-config
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/mac/config.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/aclocal.m4
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/configure.ac
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/libxml2.syms
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/parser.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/testapi.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/Makefile.msvc
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/configure.js
[add] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/win32/libxml2.rc
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/src/xpath.c
[modify] https://crrev.com/e0b7754a48adf46c2d9a352085754d46a404ba1c/third_party/libxml/win32/include/libxml/xmlversion.h
,
Apr 17 2018
,
Jun 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Dec 11 2017
Labels: Test-Predator-Auto-Components