Integer-overflow in computeYMD
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217030656753664
Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  computeYMD
  dateFunc
  sqlite3VdbeExec
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681
Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944sJ4cBQUHvcBqWb47mOULxkPEU48rvIf_T0lb1Oz9Aokw6wFoU5-NrXKx7jWQQ0qg0drJh8fiknsVNsz5fyLNizQbzrxIhgMtOpFXiohu09i2HkRwO9PpuiZUPUG7hKssOYoV09we6HisuBhKF38wkuFj7w?testcase_id=5217030656753664

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 18 2017
Findit and CL did not provide any possible suspect. Using code search for the file "sqlite3_prepare_v2_fuzzer.cc" from frame #5, suspecting the change below: Review URL: https://codereview.chromium.org/2497603002 mmoroz@ - Observed some changes on this file, so assigning to you. Could you please check whether this is caused by your change? If not, please help us reassign the issue to the right owner. Thanks!
Jan 18 2017
shess@, mind taking a look?
Jan 18 2017
Huh, I remember analyzing one of these in computeYMD, but I can't find the results anywhere. This calls datE(00000000000000000000000000000002148480359), which is going to have some insane results (it's like 5M years). dateFunc() returns results as a string via snprintf(), so I don't think these can leak out in untoward fashion. SQLite trunk has various numeric limits in place to protect against egregious year counts, presumably because of clusterfuzz results, so it will clear up when I import a new release (we're about due).
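Added example, not code from SQLite or from anyone on this bug: a bounds-checked Julian-day to year/month/day conversion of the kind computeYMD performs, done in 64-bit arithmetic and only after a range check, so an argument like the one quoted above (about 2.1 billion days, more than INT_MAX, hence the int overflow the sanitizer reported) is rejected before any date arithmetic runs. The limit constant 464269060799999 (milliseconds since JD 0 for 9999-12-31 23:59:59.999) is my assumption modelled on the limit later SQLite releases apply; all helper names are mine.

```c
/* Added example (not SQLite's code): a range-checked Julian-day -> Y/M/D
 * conversion in the style of computeYMD. SQLite treats a bare numeric
 * date argument as a Julian day number and stores it as milliseconds
 * (iJD); the conversion below refuses anything outside a sane window
 * before doing the arithmetic, which is where the unbounded version
 * overflowed. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t i64;

/* Argument quoted in the comment above: a Julian day count of 2148480359. */
#define FUZZER_ARG "00000000000000000000000000000002148480359"

/* Assumed bound (modelled on SQLite's): ms since JD 0 for 9999-12-31 23:59:59.999. */
#define MAX_VALID_IJD ((i64)464269060799999)

/* Accept only iJD values in [0, MAX_VALID_IJD]. */
static int valid_julian_day(i64 iJD){
  return iJD >= 0 && iJD <= MAX_VALID_IJD;
}

/* Meeus-style Gregorian conversion in 64-bit integers, run only after
 * the range check. Returns 1 on success, 0 if iJD is out of range. */
static int ymd_from_ijd(i64 iJD, int *Y, int *M, int *D){
  i64 Z, A, B, C, Dd, E, X1;
  if( !valid_julian_day(iJD) ) return 0;
  Z = (iJD + 43200000)/86400000;          /* whole days; JD days start at noon */
  A = (i64)((Z - 1867216.25)/36524.25);
  A = Z + 1 + A - A/4;
  B = A + 1524;
  C = (i64)((B - 122.1)/365.25);
  Dd = (36525*C)/100;
  E = (i64)((B - Dd)/30.6001);
  X1 = (i64)(30.6001*E);
  *D = (int)(B - Dd - X1);
  *M = (int)(E<14 ? E-1 : E-13);
  *Y = (int)(*M>2 ? C-4716 : C-4715);
  return 1;
}

/* Whole-day count a numeric argument denotes (-1 if unusable). The original
 * computeYMD did its day arithmetic in int, which cannot hold > INT_MAX. */
static i64 whole_days(const char *text){
  char *end = NULL;
  double r = strtod(text, &end);
  if( end==text || *end!='\0' || !(r >= 0.0 && r < 9.0e18) ) return -1;
  return (i64)r;                          /* cast is safe: r was range-checked */
}

/* Parse a bare numeric date argument as a (possibly fractional) Julian day
 * and convert it. The double is range-checked before the cast to i64 so the
 * cast itself is never undefined behaviour. Returns 1 on success, 0 if rejected. */
static int ymd_from_text(const char *text, int *Y, int *M, int *D){
  char *end = NULL;
  double r = strtod(text, &end);
  if( end==text || *end!='\0' ) return 0;           /* not a plain number */
  if( !(r >= 0.0 && r < 5373485.0) ) return 0;      /* beyond year 9999 */
  return ymd_from_ijd((i64)(r*86400000.0 + 0.5), Y, M, D);
}

/* Pack a conversion result as YYYYMMDD, or -1 when the input is rejected. */
static long ymd_code(const char *text){
  int Y, M, D;
  if( !ymd_from_text(text, &Y, &M, &D) ) return -1;
  return (long)Y*10000 + M*100 + D;
}

int main(void){
  const char *inputs[] = { "2451545", "2457772", "5373484.4", FUZZER_ARG };
  size_t i;
  for( i=0; i<sizeof(inputs)/sizeof(inputs[0]); i++ ){
    long code = ymd_code(inputs[i]);
    printf("%-42s days=%lld -> ", inputs[i], (long long)whole_days(inputs[i]));
    if( code<0 ) printf("rejected\n"); else printf("%ld\n", code);
  }
  return 0;
}
```

The pre-check on the double matters as much as the iJD check: casting an out-of-range double to an integer is undefined behaviour in C, so the guard has to come before the cast, not after it.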
Mar 21 2017
ClusterFuzz has detected this issue as fixed in range 458107:458176.

Detailed report: https://clusterfuzz.com/testcase?key=5217030656753664
Fuzzer: libfuzzer_sqlite3_prepare_v2_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  computeYMD
  dateFunc
  sqlite3VdbeExec
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=414663:414681
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=458107:458176
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94ZqK6NjPaBLJVrGCZv6SHig_RKe7hX3K4zAQquC15V_cwH_keeRnts6wSx35WhOzSbSVZEgUlYBblFTwVE2gt5BvifX09bexwRZ779QALS-hk2Vh6GtfZsGg1iiMkvJ7N4G9wzyYDeqhOROqVQ414V3kUqbQbOHjI5FNpPHIbNlisIQcGRxmWJXY-0qXAGYIc_h_RogzlkEex4R5Ziy7CDk0hy8mjMDD3ns5A0QSAUt4_bB2ec727Ex1wctCx4DJoVQdrk6lhU7PzxL5NYkdj_uJZlx5qBkytV9WtWjGixh-wq8GuCs10xLaCK6IN63GoHpvjK6ogROO9j8hO7ANUX0kqF6svDDgjv-c_TBsz6MeWB8e0?testcase_id=5217030656753664

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 21 2017
ClusterFuzz testcase 5217030656753664 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ajha@chromium.org, Nov 23 2016