
Issue 653445


Issue metadata

Status: Fixed
Owner: ----
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression


Integer-overflow in base::Time::FromExploded

Reported by ClusterFuzz (Project Member), Oct 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6620499868385280

Fuzzer: libfuzzer_net_ftp_directory_listing_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  base::Time::FromExploded
  base::Time::FromLocalExploded
  net::FtpUtil::WindowsDateListingToTime
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv970E1O5AU-uA80nzgi-T-534Vrwsgh-hDcGT4qgXfMvmJPZP8SXLGqezGl2A1EvLpeNAiRtOcCeRfcxw82cmQSW_hkI7wbOpUD4SiYms4QLXY08tdz6c7Z2movLMSotky2LOzul75EshjAWsd5ZSF4UNdfwSA?testcase_id=6620499868385280
1-1-9836060
05:30
0


Issue manually filed by: ranjitkan

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Cc: ranjitkan@chromium.org mmenke@chromium.org maksim.s...@intel.com
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug Findit-for-crash M-55 Te-Logged Pri-2 Type-Bug-Regression
Author: maksim.sisov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/558f168054566ecbc611918093398add04dc13a4
Time: Tue Jun 14 21:57:05 2016
The CL last changed line 320 of file time_posix.cc, which is stack frame 0.

Author: maksim.sisov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/558f168054566ecbc611918093398add04dc13a4
Time: Tue Jun 14 21:57:05 2016
The CL last changed line 542 of file time.h, which is stack frame 1.

@maksim.sisov: Request you to please take a look into it. Please help us reassign it to the right owner if it is not related to your change.

Thanks!
Can I get access to the detailed report?
The test case (which I guess appears in this bug) is an FTP listing of:
1-1-9836060
05:30
0

Full output is:

[Crash Revision] r423416
[Environment] UBSAN_OPTIONS = print_stacktrace=1:external_symbolizer_path=/mnt/scratch0/clusterfuzz/scripts/linux/llvm-symbolizer:suppressions=/mnt/scratch0/clusterfuzz/scripts/suppressions/ubsan_suppressions.txt:symbolize=1:print_summary=1:halt_on_error=1

Running command: /mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-423416/net_ftp_directory_listing_fuzzer -runs=65536 -rss_limit_mb=3000 /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-3-net_ftp_directory_listing_fuzzer
WARNING: Failed to find function "__sanitizer_print_stack_trace".
INFO: Seed: 3749906644
INFO: Loaded 0 modules (0 guards):
/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-423416/net_ftp_directory_listing_fuzzer: Running 1 inputs 65536 time(s) each.
Running: /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-3-net_ftp_directory_listing_fuzzer
../../base/time/time_posix.cc:320:26: runtime error: signed integer overflow: 310333906157400000 * 1000 cannot be represented in type long
    #0 0x4afdeb in base::Time::FromExploded(bool, base::Time::Exploded const&, base::Time*) base/time/time_posix.cc:320:26
    #1 0x4ae5e4 in base::Time::FromLocalExploded(base::Time::Exploded const&) base/time/time.h:542:19
    #2 0x5617e4 in net::FtpUtil::WindowsDateListingToTime(std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, base::Time*) net/ftp/ftp_util.cc:352:13
    #3 0x560411 in net::ParseFtpDirectoryListingWindows(std::__1::vector<std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> >, std::__1::allocator<std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > > > const&, std::__1::vector<net::FtpDirectoryListingEntry, std::__1::allocator<net::FtpDirectoryListingEntry> >*) net/ftp/ftp_directory_listing_parser_windows.cc:53:10
    #4 0x55a5af in net::(anonymous namespace)::ParseListing(std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<unsigned short, base::string16_char_traits, std::__1::allocator<unsigned short> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::Time const&, std::__1::vector<net::FtpDirectoryListingEntry, std::__1::allocator<net::FtpDirectoryListingEntry> >*, net::FtpServerType*) net/ftp/ftp_directory_listing_parser.cc:71:29
    #5 0x55a20a in net::(anonymous namespace)::DecodeAndParse(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::Time const&, std::__1::vector<net::FtpDirectoryListingEntry, std::__1::allocator<net::FtpDirectoryListingEntry> >*, net::FtpServerType*) net/ftp/ftp_directory_listing_parser.cc:99:16
    #6 0x55a09b in net::ParseFtpDirectoryListing(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, base::Time const&, std::__1::vector<net::FtpDirectoryListingEntry, std::__1::allocator<net::FtpDirectoryListingEntry> >*) net/ftp/ftp_directory_listing_parser.cc:123:12
    #7 0x42c19e in LLVMFuzzerTestOneInput net/ftp/ftp_directory_listing_fuzzer.cc:18:3
    #8 0x43eb6f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:504:13
    #9 0x43f132 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:466:3
    #10 0x42d597 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:272:6
    #11 0x42e7ed in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:476:9
    #12 0x4416f2 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #13 0x7f8000299f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #14 0x410eb0 in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-423416/net_ftp_directory_listing_fuzzer+0x410eb0)


I'm happy to help investigate this, if you want, as I've mucked with fuzzers before, or if you prefer to take it all on yourself, that's great, too.

Hrm...I'm having trouble finding the docs on how to build and run a fuzzer.
I would like to download the Minimized Testcase but cannot access that. Would somebody please help me with that?
The minimized test case appears inline in the report, and is just a file with:
1-1-9836060
05:30
0
Oh, I got it. Thanks. I was able to reproduce it. Fix is on its way.
Comment 7 by bugdroid1@chromium.org (Project Member), Oct 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eebbdecabe619cc9887152bd9371f3e2bc7711b6

commit eebbdecabe619cc9887152bd9371f3e2bc7711b6
Author: maksim.sisov <maksim.sisov@intel.com>
Date: Mon Oct 24 14:07:27 2016

Fix Integer-overflow in base::Time::FromExploded.

The old implementation doesn't handle possible overflows,
when year is too large, for example. It makes a result
to be larger than 2^63 - 1, which results in overflow.

Fix Posix: use safe_math.h for multiplication and addition. If
overflow occurs, return possibly maximum platform dependent
value.

Fix Mac and Win: if safe cast is impossible, return Time(0).

Fix media and components: use day of week as well, as long
as an unused variable results in undefined behavior and overflow.

BUG=653445

Review-Url: https://codereview.chromium.org/2405453002
Cr-Commit-Position: refs/heads/master@{#427064}

[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/base/time/time.h
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/base/time/time_mac.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/base/time/time_posix.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/base/time/time_unittest.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/base/time/time_win.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/components/data_reduction_proxy/core/browser/data_usage_store_unittest.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/media/ffmpeg/ffmpeg_common.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/media/formats/webm/webm_info_parser.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/media/test/pipeline_integration_test.cc
[modify] https://crrev.com/eebbdecabe619cc9887152bd9371f3e2bc7711b6/net/http/http_util_unittest.cc
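The commit message above describes the shape of the fix: perform the scaling with checked arithmetic and, on the POSIX path, return the platform maximum when the multiplication or addition would overflow, while Mac and Windows fall back to Time(0). The following is an added example, not Chromium's code: it models the `milliseconds * 1000` step that UBSan flagged in plain C++, using the compiler builtins `__builtin_mul_overflow`/`__builtin_add_overflow` in place of base/numerics/safe_math.h. The epoch-offset parameter and the function names are assumptions; the 310333906157400000 operand is the value from the UBSan report, used here as a constructed input.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Scale factor named in the UBSan report: milliseconds -> microseconds.
constexpr int64_t kMicrosecondsPerMillisecond = 1000;

// Division-based pre-check (exact and itself overflow-free): true when
// `milliseconds * 1000` would not fit in int64_t, i.e. what UBSan flagged.
static inline bool WouldOverflow(int64_t milliseconds) {
  return milliseconds > std::numeric_limits<int64_t>::max() / kMicrosecondsPerMillisecond ||
         milliseconds < std::numeric_limits<int64_t>::min() / kMicrosecondsPerMillisecond;
}

// Checked conversion (stand-in for CheckedNumeric from safe_math.h): returns
// false and leaves *out untouched if the multiply or the epoch-offset add
// would overflow, so no signed-overflow UB is ever executed.
bool MillisecondsToMicrosecondsChecked(int64_t milliseconds,
                                       int64_t epoch_offset_us,  // hypothetical parameter
                                       int64_t* out) {
  int64_t micros = 0;
  if (__builtin_mul_overflow(milliseconds, kMicrosecondsPerMillisecond, &micros))
    return false;
  int64_t result = 0;
  if (__builtin_add_overflow(micros, epoch_offset_us, &result))
    return false;
  *out = result;
  return true;
}

// POSIX policy from the commit message: saturate to the platform maximum.
int64_t FromMillisecondsSaturating(int64_t milliseconds, int64_t epoch_offset_us) {
  int64_t result = 0;
  if (!MillisecondsToMicrosecondsChecked(milliseconds, epoch_offset_us, &result))
    return std::numeric_limits<int64_t>::max();
  return result;
}

// Mac/Win policy from the commit message: fall back to Time(0).
int64_t FromMillisecondsOrZero(int64_t milliseconds, int64_t epoch_offset_us) {
  int64_t result = 0;
  return MillisecondsToMicrosecondsChecked(milliseconds, epoch_offset_us, &result) ? result : 0;
}

int main() {
  // Constructed input: the multiplicand UBSan reported for listing year 9836060.
  const int64_t kReportedMs = 310333906157400000LL;
  std::printf("overflow=%d saturating=%lld or_zero=%lld\n", WouldOverflow(kReportedMs),
              (long long)FromMillisecondsSaturating(kReportedMs, 0),
              (long long)FromMillisecondsOrZero(kReportedMs, 0));
  return 0;
}
```

Compiled with `-fsanitize=undefined`, the checked path produces no report for the same input, which is the observable difference a fuzzer rerun would show after the fix.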

Comment 8 by mmenke@chromium.org, Oct 24 2016

Status: Fixed (was: Untriaged)
Comment 9 by ClusterFuzz (Project Member), Oct 25 2016

ClusterFuzz has detected this issue as fixed in range 427052:427072.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6620499868385280

Fuzzer: libfuzzer_net_ftp_directory_listing_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  base::Time::FromExploded
  base::Time::FromLocalExploded
  net::FtpUtil::WindowsDateListingToTime
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423338:423416
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=427052:427072

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv970E1O5AU-uA80nzgi-T-534Vrwsgh-hDcGT4qgXfMvmJPZP8SXLGqezGl2A1EvLpeNAiRtOcCeRfcxw82cmQSW_hkI7wbOpUD4SiYms4QLXY08tdz6c7Z2movLMSotky2LOzul75EshjAWsd5ZSF4UNdfwSA?testcase_id=6620499868385280
1-1-9836060
05:30
0


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot