New issue
Advanced search Search tips

Issue 676944 link

Starred by 2 users
Status: Verified
Owner:
haraken@chromium.org
Closed: Mar 2017
Cc:
nyerramilli@chromium.org
esprehn@chromium.org
thakis@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Integer-overflow in daysFrom1970ToYear

Project Member Reported by ClusterFuzz, Dec 25 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785925738725376

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  daysFrom1970ToYear
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForDate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96EQeYQrVTTuoXWFEm5viTy70m3gpML7hodVocCL1kjSdNYnv4uJsE8bZbOIs8k0L2akduYu_mPrlP4GKYZG3QG0DsUwEdWuICKDv3UkiBDOC5LqJGp5d9_Laopm-TbBlx_UZXvlIYDOcoUKamhey8JJWSNqg?testcase_id=4785925738725376
<script src=../../../resources/js-test.js></script>
<script>
var input = document.createElement('input');
function setInputAttributes(min, max, step) {
    input.min = min;
    input.step = step;
}
function stepDown(value, step, min) {
    setInputAttributes(min, null, step);
        input.stepDown();
}
input.type = 'date';
shouldBeEqualToString('stepDown("2010-02-10", "9223372036854775556", "2010-02-10")');
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by nyerramilli@chromium.org, Feb 9 2017

Cc: nyerramilli@chromium.org
Labels: -Type-Bug Test-Predator-Wrong M-58 Type-Bug-Regression
Owner: dpranke@chromium.org
Status: Assigned (was: Untriaged)
Predator did not find any culprit, assigning to /src/third_party/WebKit/OWNERS

dpranke@, could you please check and help.

Comment 2 by dpranke@chromium.org, Feb 9 2017

Cc: esprehn@chromium.org thakis@chromium.org
Owner: haraken@chromium.org
Looks like this is ultimately keeling over in wtf/DateMath.cpp.

haraken@/esprehn@/thakis@, please take a look and re-assign as appropriate.

Comment 3 by thakis@chromium.org, Feb 9 2017 

I'm off today, but I'd be willing to take a look if haraken and esprehn don't mind.

Comment 4 by thakis@chromium.org, Feb 9 2017 

(take a look tomorrow, that is -- I assume this isn't super urgent)

Comment 5 by esprehn@chromium.org, Feb 9 2017 

Go for it. There's no security issue here.
Project Member

Comment 6 by ClusterFuzz, Mar 18 2017 

ClusterFuzz has detected this issue as fixed in range 456626:457730.

Detailed report: https://clusterfuzz.com/testcase?key=4785925738725376

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  daysFrom1970ToYear
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForDate
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=456626:457730

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96EQeYQrVTTuoXWFEm5viTy70m3gpML7hodVocCL1kjSdNYnv4uJsE8bZbOIs8k0L2akduYu_mPrlP4GKYZG3QG0DsUwEdWuICKDv3UkiBDOC5LqJGp5d9_Laopm-TbBlx_UZXvlIYDOcoUKamhey8JJWSNqg?testcase_id=4785925738725376


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Mar 18 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4785925738725376 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment