
Issue 654324


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression


Integer-overflow in int WTF::toIntegralType<int, unsigned char>

Project Member Reported by ClusterFuzz, Oct 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5344036326211584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::parseHTMLInteger
  blink::Element::parseAttribute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=423512:423881

Minimized Testcase (0.03 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96K4X71Ez_XYgtAdtm5dO9Pm4a0RSW71YnMsY9n45QEYAHW3APM30XTAhf5HzlE-tqvW-UT0HQ9x8ZV7-nUPhGR_ZHXcwObM0xnBQ0Mc_JjKT9nsVjCd4vA-VrKGwW3HBRHTjy33vFQakzSJWIk0CXHDpOEbA?testcase_id=5344036326211584
<pre tabindex=-2147483648>


Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Blink>HTML
Labels: Findit-for-crash M-56 ToolsTestsFindItCorrectResult
Owner: rob.buis@chromium.org
Status: Assigned (was: Untriaged)
Findit results:
Suspected CLs: the result is a list of CLs that change the crashed files.

Author: rob.buis
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/54a7c25c0044c02449ee9366c9323ca1d2461b29
Time: Thu Oct 06 18:30:21 2016
Lines 205-207 of file HTMLParserIdioms.cpp which potentially caused crash are changed in this cl (frame #1, "parseHTMLIntegerInternal").
Minimum distance from crash line to modified line: 0. (file: HTMLParserIdioms.cpp, crashed on: 205, modified: 205).

Suspected Project: chromium
Suspected Component: Blink>HTML


Based on Findit results, assigning to rob.buis@. Could you please check the issue?
Components: Tools>Test>FindIt>CorrectResult
Labels: -ToolsTestsFindItCorrectResult
Labels: Pri-2

Comment 4 by tkent@chromium.org, Oct 12 2016

Labels: -Type-Bug -M-56 M-55 Type-Bug-Regression
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cbfd866cbc7981e453dfd9afae669daa567b5cb2

commit cbfd866cbc7981e453dfd9afae669daa567b5cb2
Author: rob.buis <rob.buis@samsung.com>
Date: Thu Oct 13 16:37:21 2016

Fix parseHTMLInteger

In r423595 I made a change that caused toIntegralType to be called with
input std::numeric_limits<int>::min which it can't handle because it relies
on an intermediate integer to store the value. So inline the calculation and
use an unsigned integer for the calculation, casting to int when returning.

BUG= 654324 

Review-Url: https://codereview.chromium.org/2411713002
Cr-Commit-Position: refs/heads/master@{#425055}

[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdioms.cpp
[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdioms.h
[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdiomsTest.cpp
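The commit message above describes the fix only in outline: accumulate the digit magnitude in an unsigned integer and cast to int when returning, so that std::numeric_limits<int>::min() (the `tabindex=-2147483648` value in the minimized testcase) never has to pass through a signed intermediate that cannot hold 2147483648. The following is an added, self-contained example of that approach; it is not Blink's parseHTMLInteger or the code from the CL, the function name `parseHtmlIntegerSafe` is an assumption, and the grammar is a simplified reading of the HTML "rules for parsing integers" (optional ASCII whitespace, optional sign, one or more digits, trailing characters ignored).

```cpp
#include <cstdio>
#include <limits>
#include <string>

// Added example, not Blink code. Parses an HTML-style integer into `out`.
// Returns true on success, false when there are no digits or the value does
// not fit in int. The magnitude is accumulated in `unsigned`, which has the
// same width as int and can therefore hold INT_MAX + 1, the one magnitude
// a signed accumulator cannot represent before the final negation.
bool parseHtmlIntegerSafe(const std::string& input, int& out) {
    const size_t n = input.size();
    size_t pos = 0;

    // HTML ASCII whitespace: TAB, LF, FF, CR, SPACE.
    auto isHtmlSpace = [](char c) {
        return c == ' ' || c == '\t' || c == '\n' || c == '\f' || c == '\r';
    };
    while (pos < n && isHtmlSpace(input[pos]))
        ++pos;

    bool negative = false;
    if (pos < n && (input[pos] == '-' || input[pos] == '+')) {
        negative = (input[pos] == '-');
        ++pos;
    }

    // Largest magnitude allowed for the chosen sign. For negative input this
    // is INT_MAX + 1 (2147483648 with 32-bit int), i.e. |INT_MIN|.
    const unsigned maxMagnitude =
        static_cast<unsigned>(std::numeric_limits<int>::max()) + (negative ? 1u : 0u);

    unsigned magnitude = 0;
    size_t digits = 0;
    while (pos < n && input[pos] >= '0' && input[pos] <= '9') {
        const unsigned d = static_cast<unsigned>(input[pos] - '0');
        // Bound check before the multiply-add so the unsigned never wraps:
        // magnitude * 10 + d <= maxMagnitude  <=>  magnitude <= (maxMagnitude - d) / 10
        if (magnitude > (maxMagnitude - d) / 10)
            return false;  // out of range for int
        magnitude = magnitude * 10 + d;
        ++digits;
        ++pos;
    }
    if (digits == 0)
        return false;  // "", "-", "abc": no digits at all

    if (negative) {
        // Form INT_MIN without ever negating a value that does not fit in int:
        // -(magnitude - 1) - 1 stays within [INT_MIN, 0] for every accepted magnitude.
        out = (magnitude == 0) ? 0 : -static_cast<int>(magnitude - 1) - 1;
    } else {
        out = static_cast<int>(magnitude);  // magnitude <= INT_MAX here
    }
    return true;
}

int main() {
    // Constructed sample inputs, including the value from the minimized testcase.
    const char* samples[] = {"-2147483648", "2147483647", "2147483648", "  -12abc", "-", "abc"};
    for (const char* s : samples) {
        int value = 0;
        if (parseHtmlIntegerSafe(s, value))
            std::printf("%-14s -> %d\n", s, value);
        else
            std::printf("%-14s -> rejected\n", s);
    }
    return 0;
}
```

The check `magnitude > (maxMagnitude - d) / 10` rejects an out-of-range value one digit early, before any arithmetic can wrap, which is what distinguishes this from the pre-fix pattern the commit message describes (accumulating into an intermediate int and relying on the sign flip at the end). The negative branch builds INT_MIN as `-(magnitude - 1) - 1` rather than casting an out-of-range unsigned, so the result does not depend on implementation-defined conversion behaviour.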

Status: Fixed (was: Assigned)
Should be fixed by r425055.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
