Issue 637115


Issue metadata

Status: Fixed
Closed: Aug 2016
OS: Linux
Pri: 2
Type: Bug


Integer-overflow in blink::DateComponents::setMillisecondsSinceEpochForDateInternal

Reported by ClusterFuzz (Project Member), Aug 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6319533554139136

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForMonth
  blink::MonthInputType::serializeWithMilliseconds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yctS7pG_o1XQw1_aMk-2IZFv-nfmsgE_rzjCWl7Ck40a5brLmKDD6s0QpSTboxPC24WlvnZid-JsR8fSwwjMqpyfHT30oLvRmBYXeV71kvlds5LXkRAMBF_mizW9-05b72sJ8Ib9VKtaB1IxGs81FajXP6A?testcase_id=6319533554139136

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink
Components: -Blink Blink>Forms
Status: Untriaged (was: Available)

Comment 4 by tkent@chromium.org, Aug 16 2016

Components: -Blink>Forms Blink>Forms>Month
Labels: -Pri-1 -Stability-Crash Pri-2
Status: Available (was: Untriaged)

Comment 5 by tkent@chromium.org, Aug 19 2016

Owner: tkent@chromium.org
Status: Started (was: Available)

Comment 6 by tkent@chromium.org, Aug 19 2016

Components: Blink>Bindings
<script>
var input = document.createElement('input');
input.type = 'month';
// A Number, not a Date object, is assigned to valueAsDate; the huge literal is the fuzzer input.
input.valueAsDate = 05377022086653303310336655187750422721070650652831469313347243422849202732683897448288893744076100883077274089071520802427789632371765707632070325628880081340926386171353484412352154770678776658997581832098642139;
</script>

I realized this was a binding issue. The valueAsDate setter should throw a TypeError in this case.

https://www.w3.org/TR/WebIDL/#es-Date
> 1. If V is not an ECMAScript Date object, then throw a TypeError.

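The crash state shows the value reaching blink::MonthInputType::serializeWithMilliseconds and then the DateComponents year arithmetic, so a non-Date assigned to valueAsDate was being forwarded as a raw millisecond count instead of being rejected at the binding. The following is an added example, not Blink's code and not part of this bug thread: a JavaScript model of the two layers involved, a WebIDL-style Date conversion that throws TypeError for anything that is not a Date object (the behaviour the fix adds), and a month serializer that additionally refuses NaN and out-of-range time values before doing calendar arithmetic. The "lenient" converter is a hypothetical stand-in for the pre-fix behaviour, not a copy of it, and all function names here are assumptions.

```javascript
// Added example (not Blink's code): a model of the checks the fix enforces.
// toCoreDate follows WebIDL's Date conversion; serializeMonth models the
// month-input serializer with an explicit range check as defense in depth.
// All names here are hypothetical.

// ECMA-262 TimeClip bound: a Date's |time value| never exceeds 8.64e15 ms.
const MAX_TIME_VALUE = 8.64e15;

// Hypothetical pre-fix behaviour: any value is coerced to a Number and
// forwarded, so a huge literal flows into the date arithmetic unchecked.
function toCoreDateLenient(value) {
  return value instanceof Date ? value.getTime() : Number(value);
}

// Post-fix behaviour: WebIDL says a non-Date object is a TypeError.
function toCoreDate(value) {
  if (!(value instanceof Date)) {
    throw new TypeError("valueAsDate: value is not a Date object");
  }
  return value.getTime(); // NaN if the Date is invalid
}

// Month serializer ("yyyy-mm"). Refuses NaN and anything outside the
// representable Date range *before* doing calendar arithmetic, so no
// caller can push an out-of-range double into the year computation.
function serializeMonth(ms) {
  if (!Number.isFinite(ms) || Math.abs(ms) > MAX_TIME_VALUE) return "";
  const d = new Date(ms);
  const year = d.getUTCFullYear();
  if (year < 1) return ""; // an HTML valid month string needs year >= 1
  const month = d.getUTCMonth() + 1;
  return String(year).padStart(4, "0") + "-" + String(month).padStart(2, "0");
}

// input.valueAsDate setter per the HTML spec: null clears the value,
// a Date is serialized (an invalid Date also clears), anything else throws.
function setValueAsDate(input, value) {
  if (value === null) {
    input.value = "";
    return input.value;
  }
  input.value = serializeMonth(toCoreDate(value));
  return input.value;
}

// Stand-alone demo with a plain object standing in for <input type=month>.
// The huge Number is constructed input in the spirit of the fuzzer case.
function demo() {
  const input = { value: "" };
  const results = {
    date: setValueAsDate(input, new Date(Date.UTC(2016, 7, 22))),
    invalidDate: setValueAsDate(input, new Date(NaN)),
    cleared: setValueAsDate(input, null),
    // Lenient path: the value gets through the binding, the serializer's
    // range check is the only thing standing between it and the year math.
    lenientHuge: serializeMonth(toCoreDateLenient(5.377e219)),
  };
  try {
    setValueAsDate(input, 5.377e219);
    results.strictHuge = "no error";
  } catch (e) {
    results.strictHuge = e.constructor.name; // "TypeError"
  }
  return results;
}
```

The binding-level TypeError is the spec-mandated fix; the range check inside serializeMonth is the extra guard a reviewer would want so that a second caller of the serializer cannot reintroduce the same overflow path.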

Comment 7 by bugdroid1@chromium.org (Project Member), Aug 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/338614224cc310e73e59496869000ef87b46e6c1

commit 338614224cc310e73e59496869000ef87b46e6c1
Author: tkent <tkent@chromium.org>
Date: Mon Aug 22 05:47:05 2016

Fix an overflow in valueAsDate setter of temporal input types.

According to the HTML specification [1], we should throw a TypeError if a non-Date
object is specified to valueAsDate.
 - Update toCoreDate() so that it throws a TypeError for non-Date objects.
 - Also, add DCHECKs to WTF::msToYear.

Note: Web IDL CR doesn't accept |null| for Date conversion [2]. However the
specification itself is deprecated.

[1] https://html.spec.whatwg.org/multipage/forms.html#dom-input-valueasdate
[2] https://www.w3.org/TR/WebIDL/#es-Date

BUG=637115

Review-Url: https://codereview.chromium.org/2265443002
Cr-Commit-Position: refs/heads/master@{#413410}

[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/date/input-valueasdate-date-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/date/input-valueasdate-date.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/month/input-valueasdate-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/month/input-valueasdate.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/time/time-valueasdate-expected.txt
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/LayoutTests/fast/forms/time/time-valueasdate.html
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/scripts/v8_types.py
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/338614224cc310e73e59496869000ef87b46e6c1/third_party/WebKit/Source/wtf/DateMath.cpp

Comment 8 by tkent@chromium.org, Aug 22 2016

Status: Fixed (was: Started)

Comment 9 by ClusterFuzz (Project Member), Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 413409:413414.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6319533554139136

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForMonth
  blink::MonthInputType::serializeWithMilliseconds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413409:413414

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yctS7pG_o1XQw1_aMk-2IZFv-nfmsgE_rzjCWl7Ck40a5brLmKDD6s0QpSTboxPC24WlvnZid-JsR8fSwwjMqpyfHT30oLvRmBYXeV71kvlds5LXkRAMBF_mizW9-05b72sJ8Ib9VKtaB1IxGs81FajXP6A?testcase_id=6319533554139136

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
