New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 659224 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
ex-Googler
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in sqlite3VXPrintf

Project Member Reported by ClusterFuzz, Oct 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6531076991483904

Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  sqlite3VXPrintf
  sqlite3XPrintf
  printfFunc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95_mU2qV3d_ED4lNkWwksSGUkz0e7kAz_tJ74X73qs-h85vUTWOV1lQG5A06xsY_ZwT4Dr4t9FtWSqhJCnr999vzzlz026kG8k1R6DOcmwGxGn1Q6rs9Hp_DJ-kSFv2vVw9J3AikoMUkY7ibAUaAtvuQ9EjAg?testcase_id=6531076991483904
(SELECT printf(
'%.340282366920938463463374607431768211455o')


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Internals>Printing
Owner: sh...@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs
======================
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.(No CL in the regression range changed the crashing files.)

Author: Scott Hess
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/dcf12048055030a2b5858ceca5ce26294a82a6e4
Time: Tue Feb 10 21:33:29 2015
The CL last changed line 22923 of file sqlite3.c, which is stack frame 0.

Author: Scott Hess
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e0b6a82cadecbda7e005921c2416fc7afb3542aa
Time: Fri Jan 22 23:44:51 2016
The CL last changed line 23600 of file sqlite3.c, which is stack frame 1.

Author: Scott Hess
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/dcf12048055030a2b5858ceca5ce26294a82a6e4
Time: Tue Feb 10 21:33:29 2015
The CL last changed line 99889 of file sqlite3.c, which is stack frame 2.

Author: Scott Hess
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e0b6a82cadecbda7e005921c2416fc7afb3542aa
Time: Fri Jan 22 23:44:51 2016
The CL last changed line 75492 of file sqlite3.c, which is stack frame 3.

Author: shess@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/fdd072ff1b52f405ed3c2b1cfb86c6e92e5018c1
Time: Wed Apr 13 20:47:24 2011
The CL last changed line 72467 of file sqlite3.c, which is stack frame 4.

Author: shess@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/fb8f976cb2b5ce1a8e078852c67e049987edf81f
Time: Wed May 25 14:24:48 2011
The CL last changed line 72528 of file sqlite3.c, which is stack frame 5.

Author: mmoroz
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b5a889360ccf53d7da52b37e3dbc1f9d4e335292
Time: Mon Dec 28 16:49:24 2015
The CL last changed line 72 of file sqlite3_prepare_v2_fuzzer.cc, which is stack frame 6.
======================
Suspected Project: chromium

shess@: Look similar to  Issue 601727 ,could you please check if its the same.
Components: -Internals>Printing
Not printing. :)
Project Member

Comment 3 by ClusterFuzz, Nov 18 2016

ClusterFuzz has detected this issue as fixed in range 432166:432172.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6531076991483904

Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  sqlite3VXPrintf
  sqlite3XPrintf
  printfFunc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=432166:432172

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95_mU2qV3d_ED4lNkWwksSGUkz0e7kAz_tJ74X73qs-h85vUTWOV1lQG5A06xsY_ZwT4Dr4t9FtWSqhJCnr999vzzlz026kG8k1R6DOcmwGxGn1Q6rs9Hp_DJ-kSFv2vVw9J3AikoMUkY7ibAUaAtvuQ9EjAg?testcase_id=6531076991483904
(SELECT printf(
'%.340282366920938463463374607431768211455o')


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Nov 18 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment