New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634167 link

Starred by 1 user
Status: Fixed
Owner:
dominicc@chromium.org
Last visit > 30 days ago
Closed: Oct 2016
Cc:
mummare...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::XPath::FunSubstring::evaluate

Project Member Reported by ClusterFuzz, Aug 3 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6738661486100480

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::XPath::FunSubstring::evaluate
  blink::XPathExpression::evaluate
  blink::XPathEvaluator::evaluate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (7.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95OBAf_9unInMPSsY6o1sNKi0plLmb_kZDj-6xcb-1NbUAltMLeE7_6kmWHdGNzFOUd7wcP-9zcNLWuF2UcE7khuOktRRTwb3B3MHYmj5rBguQ6IDBxb_iUeJDjamUYkfmvFtwBbVJzHqROszRsYq978iKhoA?testcase_id=6738661486100480

Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Aug 3 2016

Cc: haraken@chromium.org sigbjo...@opera.com
Components: Blink>XML
Labels: Te-Logged M-53
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)
Author: steveblock@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/9f046d9451e43797288c018ce1799d30d4c68849
Time: Mon Jul 12 10:42:38 2010
The CL last changed line 550 of file XPathFunctions.cpp, which is stack frame 0.

Author: sigbjornf@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/768e3ba5bc94e82ae90b4d2dbce1c94ba6baf1fe
Time: Mon Apr 27 10:20:35 2015
The CL last changed line 71 of file XPathExpression.cpp, which is stack frame 1.

Author: jl@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/eff07dce61b3f674c1f3b06ccf020d0624e8f991
Time: Mon Mar 09 13:50:28 2015
The CL last changed line 62 of file XPathEvaluator.cpp, which is stack frame 2.

Author: jl@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/eff07dce61b3f674c1f3b06ccf020d0624e8f991
Time: Mon Mar 09 13:50:28 2015
The CL last changed line 71 of file DocumentXPathEvaluator.cpp, which is stack frame 3.

Suspected Project: chromium
Suspected Component: Blink>XML

Comment 2 by tkent@chromium.org, Aug 3 2016

Cc: -sigbjo...@opera.com -haraken@chromium.org
Labels: -Pri-1 -M-53 Pri-2
Owner: ----
Status: Available (was: Assigned)

Comment 3 by dominicc@chromium.org, Oct 14 2016

Owner: dominicc@chromium.org
Status: Started (was: Available)
Taking a look.

Comment 4 by dominicc@chromium.org, Oct 14 2016 

This is in Blink's native XPath implementation; not libxml2. It looks like substring, etc. use static_cast<long>(double) to convert numeric arguments to double, so I guess 9223372036854775571 overflows.

Patch up at https://codereview.chromium.org/2424453002

Comment 6 by dominicc@chromium.org, Oct 31 2016

Status: Fixed (was: Started)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment