hmm I wrote a fuzzer for GetSwitchValueFromCommandLine in https://chromium-review.googlesource.com/c/chromium/src/+/1155941 and it finds a lot of crashes.

even when setting second param (which should be controlled by Chrome) to something fixed like "--no-sandbox" it still crashes.

Seems to crash on the same emplace_back.

A fix is up at https://chromium-review.googlesource.com/c/chromium/src/+/1155991.

With this fix in place I reach *almost* 100% of the tested functions on code coverage, there's two lines with no coverage:

http://shortn/_BZGEmNFdea

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b46f6f20da2b5c2bd62eac17e5ff5c253429941a

commit b46f6f20da2b5c2bd62eac17e5ff5c253429941a
Author: Will Harris <wfh@chromium.org>
Date: Tue Jul 31 19:30:59 2018

Fix crash in TokenizeCommandLineToArray.

Previously, a command line where the first argument had an unterminated
double-quote would cause a crash.

This CL also has some cleanup of dead code.

BUG= 869194 

Change-Id: I20fa0814e35c5d10ab3ad76047c8233297f14a8d
Reviewed-on: https://chromium-review.googlesource.com/1155991
Commit-Queue: Will Harris <wfh@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579526}
[modify] https://crrev.com/b46f6f20da2b5c2bd62eac17e5ff5c253429941a/chrome/install_static/install_util.cc
[modify] https://crrev.com/b46f6f20da2b5c2bd62eac17e5ff5c253429941a/chrome/install_static/install_util_unittest.cc

this should be fixed but I'll run the fuzzer overnight locally to make sure.

This is technically a wild read, although this is likely not exploitable since an attacker would need to control the command line to Chrome. But we could consider merging to M69.

i'd support a merge for stability reasons. the fix includes test coverage (and is fuzzed), so the worst case is that it exposes a different crash later in startup (which we certainly need to discover). do you think that's a legit reason not to merge?

FWIW (in support of a merge) this is one of the top non-third-party crash in WER (Windows Error Reporting), which is where crashes go when crashpad doesn't catch them. Crashpad isn't catching this because it occurs so early in startup.

Your change meets the bar and is auto-approved for M69. Please go ahead and merge the CL to branch 3497 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b5d28848fc62ecd1c3d04e4db6b604fe2a05a4a

commit 8b5d28848fc62ecd1c3d04e4db6b604fe2a05a4a
Author: Will Harris <wfh@chromium.org>
Date: Thu Aug 02 22:12:06 2018

Merge M69: Fix crash in TokenizeCommandLineToArray.

Previously, a command line where the first argument had an unterminated
double-quote would cause a crash.

This CL also has some cleanup of dead code.

BUG= 869194 

(cherry picked from commit b46f6f20da2b5c2bd62eac17e5ff5c253429941a)

Change-Id: I20fa0814e35c5d10ab3ad76047c8233297f14a8d
Reviewed-on: https://chromium-review.googlesource.com/1155991
Commit-Queue: Will Harris <wfh@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#579526}
Reviewed-on: https://chromium-review.googlesource.com/1161384
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/branch-heads/3497@{#357}
Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753}
[modify] https://crrev.com/8b5d28848fc62ecd1c3d04e4db6b604fe2a05a4a/chrome/install_static/install_util.cc
[modify] https://crrev.com/8b5d28848fc62ecd1c3d04e4db6b604fe2a05a4a/chrome/install_static/install_util_unittest.cc

:( Thanks Will.