Issue metadata
Sign in to add a comment
|
Integer-overflow in int WTF::toIntegralType<int, unsigned char> |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5596678537347072 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> blink::HTMLOListElement::parseAttribute blink::Element::attributeChanged Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96gw3sdGDxVrngG2ag-hBAed1KlP3dwby3P9lBvfWCazmpcGl5pzeP4xTQyZQRt_9MsqH0KEUKf7gA7hEUO6nTWZ-fSgHGaLuDZmg5hcTHUvGMfyuA_yfQBpkP8OLzjbzvLnTINQQzj_jzNbiho0hZquACyOQ?testcase_id=5596678537347072 <ol start=-2147483648> Issue manually filed by: ranjitkan See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 6 2016
The test case is just: <ol start=-2147483648> That regression range doesn't make sense, I don't know why it thinks that range. Maybe the clang roll? Anyway CF thinks it's the code here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/wtf/text/StringToNumber.cpp?sq=package:chromium&type=cs&l=74 value = base * value + digitValue; I'm not sure if this one is worth fixing, all browsers I tested (Safari, Chrome, Firefox) give the same output from doing document.querySelector("ol").start which is -2147483648 so they all convert the value into the same thing, which is the same as the text value. So if we overflow we apparently still get the right result. That said this loop has this code in it: if (value > maxMultiplier || (value == maxMultiplier && digitValue > (integralMax % base) + isNegative)) goto bye; which seems like it's trying to compensate for overflow already? Maybe jyasskin@ or yutak@ know if we're doing something wrong here.
,
Aug 6 2016
,
Aug 6 2016
If value == 214748364 and digitValue == 8 == 2147483647 % 10 + 1, then we don't goto bye, and we run value = base * value + digitValue, which overflows 2147483648 to -2147483648. Then the 'if (isNegative)' block negates that to its original value, which is another undefined overflow.
,
Aug 6 2016
What would you recommend doing to fix it? :) We could copy the range checking code from base: https://cs.chromium.org/chromium/src/base/strings/string_number_conversions.cc?rcl=1470439186&l=226 we could also just switch to base's converter and use the StringPiece or StringPiece16 methods, but we'd need to fix the whitespace checks to be locale independent: https://cs.chromium.org/chromium/src/base/strings/string_number_conversions.cc?rcl=1470439186&l=95 They're using isspace and iswspace, and we can't do that since it changes the web exposed behavior.
,
Aug 7 2016
+1 for re-using code from base/. https://cs.chromium.org/chromium/src/base/strings/string_number_conversions.h isn't designed to depend on the user's locale, so it's probably an improvement to remove naïve uses of isspace.
,
Oct 11 2016
,
Nov 10 2016
Dupe of 634796 ?
,
Nov 14 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by ranjitkan@chromium.org
, Aug 5 2016Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)