Issue 676944

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression


Integer-overflow in daysFrom1970ToYear

Reported by ClusterFuzz (Project Member), Dec 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785925738725376

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  daysFrom1970ToYear
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForDate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96EQeYQrVTTuoXWFEm5viTy70m3gpML7hodVocCL1kjSdNYnv4uJsE8bZbOIs8k0L2akduYu_mPrlP4GKYZG3QG0DsUwEdWuICKDv3UkiBDOC5LqJGp5d9_Laopm-TbBlx_UZXvlIYDOcoUKamhey8JJWSNqg?testcase_id=4785925738725376
<script src=../../../resources/js-test.js></script>
<script>
var input = document.createElement('input');
// Minimized reproducer: only min and step matter here; max is accepted but never applied.
function setInputAttributes(min, max, step) {
    input.min = min;
    input.step = step;
}
// The value argument is unused in the minimized case; stepDown() runs with an empty value.
function stepDown(value, step, min) {
    setInputAttributes(min, null, step);
    input.stepDown();
}
input.type = 'date';
// step is in days for a date input; a step this large pushes the resulting date far
// outside the representable range before it reaches the day/year arithmetic.
shouldBeEqualToString('stepDown("2010-02-10", "9223372036854775556", "2010-02-10")');
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
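The crash state reports a signed-integer overflow inside daysFrom1970ToYear, reached through DateComponents::setMillisecondsSinceEpochForDate after a date input is stepped down by roughly 9.2e18 days. The C program below is an added example written for this page, not Blink's code: it models the classic days-from-1970-01-01 formula (the real body in wtf/DateMath.cpp is not shown here), uses __builtin_sub_overflow to show which int subtractions trip once a year value lands near INT_MIN, and contrasts a variant that bounds-checks the year and computes in 64-bit arithmetic before anything is narrowed. The function names, the base date, the assumed year range (1..275760, the years an HTML date input / ECMAScript Date can represent) and the rough milliseconds-to-year estimate are all assumptions for illustration.

```c
/* Added example for this bug page; not Blink's code. Formula, names and
 * bounds are assumptions modelled on the classic days-from-1970 computation. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MS_PER_DAY 86400000.0
/* Assumed valid year range for an HTML date input (1 .. JS Date's last year). */
#define MIN_DATE_YEAR 1
#define MAX_DATE_YEAR 275760

/* The classic formula subtracts 1 and 1970 from an int year. For a year near
 * INT_MIN (what an out-of-range double tends to become when narrowed) one of
 * those subtractions overflows; this is the operation UBSan reports. */
static bool int_year_math_overflows(int year)
{
    int tmp;
    return __builtin_sub_overflow(year, 1, &tmp) ||
           __builtin_sub_overflow(year, 1970, &tmp);
}

/* Days from 1970-01-01 to January 1 of `year` (proleptic Gregorian), with the
 * 4/100/400 leap-day rules, computed in int64_t only after a range check.
 * Because year >= 1 is enforced, plain `/` equals floor division here. */
static bool days_from_1970_to_year_checked(int64_t year, double *out_days)
{
    if (year < MIN_DATE_YEAR || year > MAX_DATE_YEAR)
        return false;
    const int64_t y = year - 1;
    const int64_t by4   = y / 4   - 1970 / 4;
    const int64_t by100 = y / 100 - 1970 / 100;
    const int64_t by400 = y / 400 - 1970 / 400;
    *out_days = 365.0 * (double)(year - 1970) + (double)(by4 - by100 + by400);
    return true;
}

/* Models stepping a date input down by `step_days` from `base_ms`: estimate
 * the year in double (average Gregorian year length), reject anything outside
 * the date range while it is still a double, and only then narrow to int64. */
static bool step_down_date_year_days(double base_ms, double step_days, double *out_days)
{
    const double ms = base_ms - step_days * MS_PER_DAY;
    const double years_from_1970 = ms / (MS_PER_DAY * 365.2425);
    /* Comparing a double is safe for huge values, inf and NaN; casting is not. */
    if (!(years_from_1970 > -1970.0 && years_from_1970 < (double)MAX_DATE_YEAR))
        return false;
    int64_t year = 1970 + (int64_t)years_from_1970;
    if ((double)(year - 1970) > years_from_1970) /* cast truncated toward zero */
        year--;
    return days_from_1970_to_year_checked(year, out_days);
}

int main(void)
{
    double d;
    /* Constructed base: 2010-02-10 is 14650 days after 1970-01-01. */
    const double base = 14650.0 * MS_PER_DAY;
    printf("INT_MIN year overflows int math: %d\n", int_year_math_overflows(INT_MIN));
    if (days_from_1970_to_year_checked(2000, &d))
        printf("2000-01-01 is %.0f days after the epoch\n", d);
    printf("step down 1 day accepted: %d\n", step_down_date_year_days(base, 1.0, &d));
    printf("step down 9223372036854775556 days accepted: %d\n",
           step_down_date_year_days(base, 9223372036854775556.0, &d));
    return 0;
}
```

The step from the reproducer, multiplied by 86,400,000 ms per day, yields a millisecond count around -8e26. A double that far outside int range cannot be converted to int without undefined behaviour (x86's truncating conversion produces INT_MIN), so the rejection has to happen before the narrowing cast, which is what the double-domain check in step_down_date_year_days does; a check applied after the cast is already too late.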
 
Cc: nyerramilli@chromium.org
Labels: -Type-Bug Test-Predator-Wrong M-58 Type-Bug-Regression
Owner: dpranke@chromium.org
Status: Assigned (was: Untriaged)
Predator did not find any culprit, assigning to /src/third_party/WebKit/OWNERS

dpranke@, could you please check and help.

Cc: esprehn@chromium.org thakis@chromium.org
Owner: haraken@chromium.org
Looks like this is ultimately keeling over in wtf/DateMath.cpp.

haraken@/esprehn@/thakis@, please take a look and re-assign as appropriate.

I'm off today, but I'd be willing to take a look if haraken and esprehn don't mind.
(take a look tomorrow, that is -- I assume this isn't super urgent)

Go for it. There's no security issue here.
Comment 6 by ClusterFuzz (Project Member), Mar 18 2017

ClusterFuzz has detected this issue as fixed in range 456626:457730.

Detailed report: https://clusterfuzz.com/testcase?key=4785925738725376

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  daysFrom1970ToYear
  blink::DateComponents::setMillisecondsSinceEpochForDateInternal
  blink::DateComponents::setMillisecondsSinceEpochForDate
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=456626:457730

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96EQeYQrVTTuoXWFEm5viTy70m3gpML7hodVocCL1kjSdNYnv4uJsE8bZbOIs8k0L2akduYu_mPrlP4GKYZG3QG0DsUwEdWuICKDv3UkiBDOC5LqJGp5d9_Laopm-TbBlx_UZXvlIYDOcoUKamhey8JJWSNqg?testcase_id=4785925738725376


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Mar 18 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4785925738725376 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.