Integer-overflow in blink::DateComponents::setMillisecondsSinceEpochForDateInternal
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6319533554139136
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForMonth
  blink::MonthInputType::serializeWithMilliseconds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yctS7pG_o1XQw1_aMk-2IZFv-nfmsgE_rzjCWl7Ck40a5brLmKDD6s0QpSTboxPC24WlvnZid-JsR8fSwwjMqpyfHT30oLvRmBYXeV71kvlds5LXkRAMBF_mizW9-05b72sJ8Ib9VKtaB1IxGs81FajXP6A?testcase_id=6319533554139136
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 12 2016
Aug 12 2016
Aug 16 2016
Aug 19 2016
Aug 19 2016
<script>
var input = document.createElement('input');
input.type = 'month';
input.valueAsDate = 05377022086653303310336655187750422721070650652831469313347243422849202732683897448288893744076100883077274089071520802427789632371765707632070325628880081340926386171353484412352154770678776658997581832098642139;
</script>
I realized this was a binding issue. valueAsDate setter should throw TypeError in this case.
https://www.w3.org/TR/WebIDL/#es-Date
> 1. If V is not an ECMAScript Date object, then throw a TypeError.
Aug 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/338614224cc310e73e59496869000ef87b46e6c1

commit 338614224cc310e73e59496869000ef87b46e6c1
Author: tkent <tkent@chromium.org>
Date: Mon Aug 22 05:47:05 2016

Fix an overflow in valueAsDate setter of temporal input types.

According to the HTML specification [1], we should throw a TypeError if a non-Date object is specified to valueAsDate.
- Update toCoreDate() so that it throws a TypeError for non-Date objects.
- Also, add DCHECKs to WTF::msToYear.

Note: Web IDL CR doesn't accept |null| for Date conversion [2]. However the specification itself is deprecated.

[1] https://html.spec.whatwg.org/multipage/forms.html#dom-input-valueasdate
[2] https://www.w3.org/TR/WebIDL/#es-Date

BUG= 637115
Review-Url: https://codereview.chromium.org/2265443002
Cr-Commit-Position: refs/heads/master@{#413410}

[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/date/input-valueasdate-date-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/date/input-valueasdate-date.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/month/input-valueasdate-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/month/input-valueasdate.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/time/time-valueasdate-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/time/time-valueasdate.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/scripts/v8_types.py
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/wtf/DateMath.cpp
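Added example, not Chromium's code: a JavaScript model of the check the commit above describes, where the WebIDL Date conversion throws a TypeError for any non-Date value before millisecond arithmetic runs, and an invalid Date simply clears the control. The names toCoreDate, serializeMonth and MonthInputModel, and the year lower bound of 1, are this example's assumptions rather than Blink's API.

```javascript
// Added example (not Chromium's code): models the fix described in the commit
// above. WebIDL's Date conversion throws a TypeError for any value that is not
// a Date object, so a bare Number never reaches the millisecond-to-year
// arithmetic that overflowed in DateComponents. Names and the year lower
// bound are assumptions of this example, not Blink's API.

// Largest magnitude a JS Date time value may hold; Date yields NaN beyond it.
const MAX_TIME_VALUE_MS = 8.64e15;

// WebIDL "convert to Date". instanceof stands in for the spec's internal-slot
// check (it misses cross-realm Dates, which is acceptable for this model).
function toCoreDate(v) {
  if (!(v instanceof Date)) {
    throw new TypeError('valueAsDate requires a Date object');
  }
  return v.getTime(); // NaN for an invalid Date
}

// Serialize milliseconds since the epoch as an HTML month string ("YYYY-MM"),
// the role MonthInputType::serializeWithMilliseconds plays in Blink. An
// unusable time value yields '' so the control is simply cleared.
function serializeMonth(ms) {
  if (!Number.isFinite(ms) || Math.abs(ms) > MAX_TIME_VALUE_MS) return '';
  const d = new Date(ms);
  const year = d.getUTCFullYear();
  if (year < 1) return ''; // HTML month strings need a year of at least 1
  const month = String(d.getUTCMonth() + 1).padStart(2, '0');
  return `${String(year).padStart(4, '0')}-${month}`;
}

// Minimal <input type=month> with the hardened valueAsDate setter.
class MonthInputModel {
  constructor() { this.value = ''; }
  set valueAsDate(v) { this.value = serializeMonth(toCoreDate(v)); }
  get valueAsDate() {
    return this.value === '' ? null : new Date(`${this.value}-01T00:00:00Z`);
  }
}

// The minimized testcase's literal, kept as a string so no digits are lost,
// then converted to the same decimal value the testcase script assigns.
const FUZZ_VALUE = Number('05377022086653303310336655187750422721070650652831469313347243422849202732683897448288893744076100883077274089071520802427789632371765707632070325628880081340926386171353484412352154770678776658997581832098642139');

// Typical use: a real Date serializes, the fuzzer's Number is rejected.
const input = new MonthInputModel();
input.valueAsDate = new Date(Date.UTC(2016, 7, 12));
let rejected = false;
try { input.valueAsDate = FUZZ_VALUE; } catch (e) { rejected = e instanceof TypeError; }
console.log(input.value, rejected); // '2016-08' true
```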
Aug 22 2016
Aug 23 2016
ClusterFuzz has detected this issue as fixed in range 413409:413414.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6319533554139136
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForMonth
  blink::MonthInputType::serializeWithMilliseconds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413409:413414
Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yctS7pG_o1XQw1_aMk-2IZFv-nfmsgE_rzjCWl7Ck40a5brLmKDD6s0QpSTboxPC24WlvnZid-JsR8fSwwjMqpyfHT30oLvRmBYXeV71kvlds5LXkRAMBF_mizW9-05b72sJ8Ib9VKtaB1IxGs81FajXP6A?testcase_id=6319533554139136
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tkonch...@chromium.org, Aug 12 2016