Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on suspected regression changelists:

[Autofill] Country/State rationalization. by parastoog@google.com - https://chromium.googlesource.com/chromium/src/+/071d725ca22fa237aa68ba705a67b2caf6af5e49

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please revert or fix soon.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fc7ebb7001a84dc60f48296195db0f5305c0246c

commit fc7ebb7001a84dc60f48296195db0f5305c0246c
Author: Parastoo Geranmayeh <parastoog@google.com>
Date: Wed Jun 27 17:34:06 2018

[Autofill] Boundary check on repeated fields rationalization.

The case where the first field was rationalized would crash.

If the first field is rationalized, and we want to apply the
rationalization to the fields before that, we would end up at
the biggest unsigned int (since it's a size_t), which would
cause a crash.
Solution: If the first field is rationalized, we don't need
to apply the rationalization to the fields before that obviously.
Just return.
Test added.

Bug:  856962 ,857011
Change-Id: I0f4471e57fa0fa8bae9b7345ce774122f25e3410
Reviewed-on: https://chromium-review.googlesource.com/1117131
Commit-Queue: Parastoo Geranmayeh <parastoog@google.com>
Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570828}
[modify] https://crrev.com/fc7ebb7001a84dc60f48296195db0f5305c0246c/components/autofill/core/browser/form_structure.cc
[modify] https://crrev.com/fc7ebb7001a84dc60f48296195db0f5305c0246c/components/autofill/core/browser/form_structure_unittest.cc

 Issue 855831  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 570827:570828.

Detailed report: https://clusterfuzz.com/testcase?key=5221859445178368

Fuzzer: ochang_search_index_mutator
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x606000c7d1f8
Crash State:
  autofill::FormStructure::RationalizeAddressStateCountry
  autofill::FormStructure::RationalizeRepeatedFields
  autofill::FormStructure::ParseQueryResponse
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=570445:570446
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=570827:570828

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5221859445178368

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5221859445178368 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The older reward-topanel  issue 855831  has been merged into this one. Please manually review this issue to see if the duplicate is potentially eligible for a reward.

Also found by internal fuzzers.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot