Detailed report: https://clusterfuzz.com/testcase?key=5058033718394880

Fuzzer: libFuzzer_base_json_string_escape_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  void base::StringAppendVT<std::__1::basic_string<char, std::__1::char_traits<cha
  base::StringAppendF
  bool base::EscapeJSONStringImpl<base::BasicStringPiece<std::__1::basic_string<ch
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5058033718394880

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.