Integer-overflow in int WTF::toIntegralType<int, unsigned char>
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6265339107344384
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::SVGInteger::setValueAsString
  blink::SVGElement::parseAttribute
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=377178:377240
Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96j8btU6eNVEc-LKqsJ5hRXg6f9wMB-lRm83y4hGkIVJQFjTyAHedGO94tr26-nPLrjtqwCqSfiJd6wrKN2fxOq4mzj5ZMl7ki7HlYbonamfnx2u8RHSLkx1Un6WbxA5XpAhXUbjhttw97TSTEq4Wf0M_bsvg?testcase_id=6265339107344384
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 3 2016
esprehn@: could you please look into this. Please feel free to re-assign back if needed. Thanks in advance!
Nov 3 2016
This is a huge number overflowing inside an SVG animation when parsing an attribute value. What do other browsers do here? We can make toIntegralType do saturated math, but that just makes parsing all ints across the platform slower; it's not clear why having an overflow here is an issue.
Nov 3 2016
Nov 4 2016
I did a quick test [1], and it seems both Gecko and Edge clamp to int range. There ought to be no need for saturated math, since there's an overflow check in place already, so just setting appropriate values there ought to do, no? I guess there's a non-trivial amount of callers to the various to[U]Int*/characterTo[U]Int* methods though, so I guess some form of migration would be required... (I need to take a look at the actual test though, because as mentioned, there's supposed to be an overflow check there already...)
[1] https://jsfiddle.net/j3ebbfhn/1/
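An added illustration of the clamp-to-int-range behaviour described in the comment above (example code written here, not Blink's WTF::toIntegralType and not the fix that landed): a decimal attribute parser that checks for overflow before each multiply-add and saturates to INT_MIN/INT_MAX instead of wrapping. The function name parseIntClamped and the ParseResult struct are this example's own.

```cpp
#include <climits>
#include <cstdint>
#include <string>

// Added example (not Blink's WTF::toIntegralType): parse a decimal integer
// attribute value and clamp to [INT_MIN, INT_MAX] when it does not fit,
// so the accumulator never wraps (the condition UBSan flagged in the report).
struct ParseResult {
    bool ok;       // false on syntax error (empty, sign only, non-digit characters)
    bool clamped;  // true when the magnitude exceeded the int range
    int value;
};

static bool isSpace(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

ParseResult parseIntClamped(const std::string& s) {
    size_t i = 0;
    while (i < s.size() && isSpace(s[i])) ++i;  // leading whitespace
    bool negative = false;
    if (i < s.size() && (s[i] == '+' || s[i] == '-')) { negative = (s[i] == '-'); ++i; }
    if (i >= s.size() || s[i] < '0' || s[i] > '9') return {false, false, 0};

    // Largest magnitude representable for this sign: INT_MAX, or INT_MAX+1 for negatives.
    const uint64_t limit = negative ? static_cast<uint64_t>(INT_MAX) + 1
                                    : static_cast<uint64_t>(INT_MAX);
    uint64_t mag = 0;
    bool clamped = false;
    for (; i < s.size() && s[i] >= '0' && s[i] <= '9'; ++i) {
        uint64_t digit = static_cast<uint64_t>(s[i] - '0');
        if (clamped) continue;  // already over range; just consume remaining digits
        // mag*10 + digit <= limit  <=>  mag <= (limit - digit) / 10, checked before the
        // multiply-add so the intermediate can never exceed limit, let alone wrap.
        if (mag > (limit - digit) / 10) clamped = true;
        else mag = mag * 10 + digit;
    }
    while (i < s.size() && isSpace(s[i])) ++i;  // trailing whitespace
    if (i != s.size()) return {false, clamped, 0};  // junk after the number

    if (clamped) return {true, true, negative ? INT_MIN : INT_MAX};
    int64_t v = negative ? -static_cast<int64_t>(mag) : static_cast<int64_t>(mag);
    return {true, false, static_cast<int>(v)};  // v is within int range by construction
}
```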
Nov 4 2016
(to have a look at the TC/ubsan output)
Nov 4 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 9 2016
Dec 14 2016
ClusterFuzz has detected this issue as fixed in range 435261:438085.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6265339107344384
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::SVGInteger::setValueAsString
  blink::SVGElement::parseAttribute
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=377178:377240
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96j8btU6eNVEc-LKqsJ5hRXg6f9wMB-lRm83y4hGkIVJQFjTyAHedGO94tr26-nPLrjtqwCqSfiJd6wrKN2fxOq4mzj5ZMl7ki7HlYbonamfnx2u8RHSLkx1Un6WbxA5XpAhXUbjhttw97TSTEq4Wf0M_bsvg?testcase_id=6265339107344384
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mmohammad@chromium.org, Nov 2 2016