CHECK failure: content_size < 1000000U in mime_sniffer.cc

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6655451323432960
Fuzzer: libFuzzer_net_mime_sniffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  content_size < 1000000U in mime_sniffer.cc
  net::SniffMimeType
  mime_sniffer_fuzzer.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=419732:419790
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6655451323432960

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Comment 1 by ClusterFuzz, Jan 6 2018
Labels: Test-Predator-Auto-Components

Automatically adding ccs based on suspected regression changelists:

- Fix race condition when calling "connect" on iOS. by sdefresne@chromium.org - https://chromium.googlesource.com/chromium/src/+/8df022ff5fc36b01f417f155457af67e585fb629
- Adds new logging type SYSLOG which logs to the system log. by pastarmovj@chromium.org - https://chromium.googlesource.com/chromium/src/+/89f7ee10f03d696276adf1cdc901c949a2e091d4
- Replace key_exchange_info with key_exchange_group. by davidben@chromium.org - https://chromium.googlesource.com/chromium/src/+/3b00e401f7b0b6ee5ed9df06acf7d3c46b12966a

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Jan 7 2018

+mmenke. This isn't hugely interesting. The mime sniffer just has a size check at the front because callers don't call it on anything large. Either the fuzzer should have an appropriate max length, or the DCHECK should be moved from net::SniffMimeType to its callers.
Jan 7 2018

Has the size limit of the fuzzer been increased? I thought it maxed out at significantly less than 1 MB.
Jan 8 2018
Jan 16 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/dad84e3fbe16bbc74c91b4a73f8f9a0accd088f7

commit dad84e3fbe16bbc74c91b4a73f8f9a0accd088f7
Author: Matt Menke <mmenke@chromium.org>
Date: Tue Jan 16 19:16:02 2018

net_mime_sniffer_fuzzer: Truncate input that is too large.

The MIME sniffer has a DCHECK to make sure it isn't run on a buffer that's too large, to protect against misuse. This CL makes the fuzzer do nothing with its input when it's passed too much data.

Bug: 799748
Change-Id: Iab689971f3a08890fe914756e56896bbec9b4f1c
Reviewed-on: https://chromium-review.googlesource.com/854596
Commit-Queue: Matt Menke <mmenke@chromium.org>
Reviewed-by: Asanka Herath <asanka@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529486}

[modify] https://crrev.com/dad84e3fbe16bbc74c91b4a73f8f9a0accd088f7/net/base/mime_sniffer_fuzzer.cc
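The pattern the thread settles on, a callee that enforces its size contract with a debug check and a fuzz target that respects that contract instead of tripping it, as an added example. This is not Chromium's code and not the contents of mime_sniffer_fuzzer.cc: the sniffer is a toy that recognises a few magic numbers, the 1000000U bound is the one quoted in the crash state, and the names kMaxSniffableSize, kMaxBytesToSniff, HarnessAcceptsInput and SniffToString are assumptions made for the example.

```cpp
// Added example (not Chromium's code): a libFuzzer-style harness that drops
// inputs larger than the sniffer's precondition allows, which is the fix
// described in the commit above. The alternative discussed in the thread,
// limiting input size with libFuzzer's -max_len, leaves this code unchanged.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

namespace {

// Precondition of the sniffer, mirroring the CHECK quoted in the crash state.
constexpr size_t kMaxSniffableSize = 1000000U;
// How many leading bytes the toy sniffer actually inspects (assumed value).
constexpr size_t kMaxBytesToSniff = 1024;

// True when `content` begins with the NUL-terminated byte pattern `magic`.
bool StartsWith(const char* content, size_t content_size, const char* magic) {
  const size_t n = std::strlen(magic);
  return content_size >= n && std::memcmp(content, magic, n) == 0;
}

}  // namespace

// Toy stand-in for net::SniffMimeType. Like the real function it carries a
// hard precondition on the input size that every caller, fuzz targets
// included, must respect. Returns true when a specific type was recognised.
bool SniffMimeType(const char* content, size_t content_size,
                   std::string* result) {
  assert(content_size < kMaxSniffableSize);  // the check the fuzzer tripped
  const size_t n = content_size < kMaxBytesToSniff ? content_size
                                                   : kMaxBytesToSniff;
  if (StartsWith(content, n, "%PDF-")) {
    *result = "application/pdf";
    return true;
  }
  if (StartsWith(content, n, "\x89PNG")) {
    *result = "image/png";
    return true;
  }
  if (StartsWith(content, n, "GIF8")) {
    *result = "image/gif";
    return true;
  }
  if (StartsWith(content, n, "<html")) {
    *result = "text/html";
    return true;
  }
  *result = "application/octet-stream";
  return false;
}

// Harness-side guard: true when the input is within the callee's contract.
bool HarnessAcceptsInput(size_t size) {
  return size < kMaxSniffableSize;
}

// libFuzzer entry point. Oversized inputs are discarded rather than passed on,
// so the fuzzer exercises the sniffer only on inputs real callers could give it.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!HarnessAcceptsInput(size)) {
    return 0;
  }
  std::string mime_type;
  SniffMimeType(reinterpret_cast<const char*>(data), size, &mime_type);
  return 0;
}

// Convenience wrapper so the sniffed type can be inspected directly.
std::string SniffToString(const std::string& bytes) {
  std::string mime_type;
  SniffMimeType(bytes.data(), bytes.size(), &mime_type);
  return mime_type;
}
```

The guard lives in the harness, not in SniffMimeType, because the debug check is there to catch misuse by callers; silencing it inside the callee would hide exactly the bugs it exists to surface. Built with clang's -fsanitize=fuzzer, this entry point runs as a normal libFuzzer target.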
Jan 17 2018

ClusterFuzz has detected this issue as fixed in range 529476:529490.

Detailed report: https://clusterfuzz.com/testcase?key=6655451323432960
Fuzzer: libFuzzer_net_mime_sniffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  content_size < 1000000U in mime_sniffer.cc
  net::SniffMimeType
  mime_sniffer_fuzzer.cc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=419732:419790
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529476:529490
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6655451323432960

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 17 2018

ClusterFuzz testcase 6655451323432960 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.