Stackoverflow [OSS-Fuzz - 50355]

Issue #543 resolved
Henry Lin created an issue

Uncaught exception in java.base/java.util.ArrayList.hashCode

Stacktrace and crashing input attached.

It’s maybe a bit similar to anther issue already created

Bug Chromium link:

Comments (10)

  1. Chad Wilson

    For others that arrive here, it looks like this one has also had a separate public CVE created without affected or fixed versions in the description. Sigh.

    For now that seems to just create noise in OSSIndex which seems to treat it as “all versions” affected. Not yet analyzed by NIST NVD so not showing up on scanners - but probably more noise impending. Have contacted OSSIndex to get corrected. Will pause on contacting NIST NVD until they have analysed since it is not yet reporting as false positive there.

    Looks like this was also fixed in 1.32 by the same commit as that which fixed #531 per my comment at

    To also note that OSSFuzz automation considered it fixed on Sep 12 when 1.32 was released:

  2. Chad Wilson

    FWIW, this has been analyzed by NIST NVD now, and they consider it fixed in 1.32 which is good, so not expecting noise from naive NVD-based scanner tooling. OSSIndex got back to me, I think their research team are still looking at it to consider its relationship to #531 and the earlier CVE-2022-38752

  3. Chad Wilson

    This has been updated/corrected on OSSIndex now, so the false positives should stop for this one.

  4. Log in to comment