Integer-overflow in dmg_fp::strtod |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5657528149213184 Fuzzer: libfuzzer_string_to_int_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: dmg_fp::strtod base::StringToDouble _start Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681 Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94ziGf1ckNiTqEYxOgGuX_okBGf9y1vMRLJKzkdZeNGALj860RGzM97XKYSYCwodJ0V64gbpA1sTL0I3-LC_BPI687IOjawrF47dIHR7f1pdXX2b46RoDxDhHKAkONcA-SgiPtAT51Y-t5YEBTmcCLyE_kdOQ?testcase_id=5657528149213184 00E4000000000 Issue manually filed by: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 26 2016
Fixing warnings does not mean I understand any of that cryptic code or know how to touch it in a way that will fix this sort of bug and not reduce performance. dmg_fp is scary stuff. We have a lot of bugs on file about dmg_fp ( https://bugs.chromium.org/p/chromium/issues/list?q=dmg_fp ), and at least two suggest replacing it with other functionality: bug 95729 and bug 593512. Maybe it's time to get on that. Based on bug 616062 comment 6, I'm assigning this to Scott.
,
Aug 26 2016
I can keep it assigned to me, but I won't be attempting to fix these either. I did try to remove it, but all that came out of it was some tests in https://codereview.chromium.org/2044643005 which fail on some linux bots. I will at some point again try to see if we can upgrade whatever toolchain/stdlib those are using and hopefully at that point it can go.
,
Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414779:414830. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5657528149213184 Fuzzer: libfuzzer_string_to_int_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: dmg_fp::strtod base::StringToDouble _start Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414779:414830 Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94ziGf1ckNiTqEYxOgGuX_okBGf9y1vMRLJKzkdZeNGALj860RGzM97XKYSYCwodJ0V64gbpA1sTL0I3-LC_BPI687IOjawrF47dIHR7f1pdXX2b46RoDxDhHKAkONcA-SgiPtAT51Y-t5YEBTmcCLyE_kdOQ?testcase_id=5657528149213184 00E4000000000 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by mmoroz@chromium.org
, Aug 26 2016Owner: pkasting@chromium.org