Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/ab61a76223b2b14b4e3b348dae07e727be3cc2c7 (Fix variable type in base_json_reader_fuzzer.cc.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Detailed report: https://clusterfuzz.com/testcase?key=6321195008655360

Fuzzer: libFuzzer_base_json_reader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6030000013d5
Crash State:
  base::internal::JSONParser::ConsumeStringRaw
  base::internal::JSONParser::ConsumeDictionary
  base::internal::JSONParser::ParseToken
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=542607:542625

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321195008655360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

ClusterFuzz has detected this issue as fixed in range 543216:543230.

Detailed report: https://clusterfuzz.com/testcase?key=5758075638906880

Fuzzer: libFuzzer_base_json_reader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x605000002114
Crash State:
  base_icu::utf8_nextCharSafeBody
  base::internal::JSONParser::ConsumeStringRaw
  base::internal::JSONParser::ConsumeString
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=542607:542625
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=543216:543230

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5758075638906880

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Ignore c#9, since testcase changed after fuzzer change. So, repro in c#8 is current now.

ClusterFuzz has detected this issue as fixed in range 545272:545281.

Detailed report: https://clusterfuzz.com/testcase?key=6321195008655360

Fuzzer: libFuzzer_base_json_reader_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6030000013d5
Crash State:
  base::internal::JSONParser::ConsumeStringRaw
  base::internal::JSONParser::ConsumeDictionary
  base::internal::JSONParser::ParseToken
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=542607:542625
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=545272:545281

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321195008655360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6321195008655360 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f3322d752f4eb6326b194a5f9f378f9fe9a422ee

commit f3322d752f4eb6326b194a5f9f378f9fe9a422ee
Author: Robert Sesek <rsesek@chromium.org>
Date: Thu Mar 22 22:40:17 2018

Hardening and cleanup of base::JSONParser.

- Access the input stream through StringPiece, which now performs bounds
  checking (https://crbug.com/817982), rather than raw char pointers.
- Add additional release-mode bounds checking in parser-advance functions.
- Stop keeping two pieces of iterator state (pos_ and index_) in favor of
  just one.
- Replace direct use of CBU8_ macros for reading and writing UTF-8 and
  UTF-16 data with the utf_string_conversion_utils.h wrappers.

Bug: 489301,  821364 ,  822120 
Change-Id: I80be7e3d8bc92714b7d04dadcb85c9f49101c87c
Reviewed-on: https://chromium-review.googlesource.com/962998
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545274}
[modify] https://crrev.com/f3322d752f4eb6326b194a5f9f378f9fe9a422ee/base/json/json_parser.cc
[modify] https://crrev.com/f3322d752f4eb6326b194a5f9f378f9fe9a422ee/base/json/json_parser.h
[modify] https://crrev.com/f3322d752f4eb6326b194a5f9f378f9fe9a422ee/base/json/json_parser_unittest.cc
[modify] https://crrev.com/f3322d752f4eb6326b194a5f9f378f9fe9a422ee/base/json/json_reader.cc
[modify] https://crrev.com/f3322d752f4eb6326b194a5f9f378f9fe9a422ee/base/json/json_reader.h

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot