Crash in util::printd when printing invalid (negative) dates. |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6561652381319168 Fuzzer: ifratric_pdf_generic Job Type: windows_asan_chrome Platform Id: windows Crash Type: UNKNOWN READ Crash Address: 0x00000000 Crash State: InvalidParameter util::printd JSMethod<util,&util::printd> Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=443510:443512 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95tOMWuhOSLYZ7WxJJNzYKv0bRxxm3E9vMEQuJw7JS0qXPs5lHC60Mh0Wm8ut9TEO0FD5xtq7BAMkZdMDGwqcdUfEjipdRj8D4P-pvyeasbMzRQNMShlDwZxyidqjgNdWW4evmN4eStLxmjMUCGBaTgwV3FM-ea2EgTjzuTYXvb4GqTeY3Zk1CdyWU0qzxH79Q9uVgfboSGXOeXptP0q35xWAvMPCqdXuwY5mq7Y2PRpJEypcnGONFPWbuXbs-ltuzRvwy5BSV2ICmDxAZBRya9bPHVbfZTIzZfab8F0f-lvmOyb_TMMQKIMVCp_dUgDTf47FLwQQxe43bBZacRSVFQZs1_Jqy_NiyHqQqlyMikOnH2T9oer32GHIewD3SLf1ltB-YHzQUOOFnP4z4F9nXEbS43YA?testcase_id=6561652381319168 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 21 2017
wcsftime is being called with a format string of "11/30/%y" and a tm struct with a negative year (-1901). As per https://msdn.microsoft.com/en-us/library/fe06s4ak.aspx, wcsftime therefore blows up due to invalid parameters. Why is this happening? Walking up the function, we see that time.tm_year is set thusly: time.tm_year = iYear - 1900; So iYear must be -1 in this case. iYear comes from: int iYear = jsDate.GetYear(pRuntime); It's hard to tell, but I think that printd is being called with a date that is the current time, but a year of -1. The fix may be as simple as rejecting negative dates. Perhaps this is new due to a change in V8's date handling. Assigning to tsepez since he seems to have touched this code.
,
Apr 21 2017
+bruce for vast win knowledge. Ideally, we'd like to just get an error return back from the failed wcsftime() call, rather than trying to guess what inputs might provoke it and filter them out prior to the call. OTOH, I can see why we might want to get crash reports from other places where this happens. Is there a way to make it so?
,
Apr 21 2017
So... Microsoft's wcsftime is documented here: https://msdn.microsoft.com/en-us/library/fe06s4ak.aspx and it says "This function validates its parameters. If strDest, format, ortimeptr is a null pointer, or if the tm data structure addressed by timeptr is invalid (for example, if it contains out of range values for the time or date), or if the format string contains an invalid formatting code, the invalid parameter handler is invoked, as described in Parameter Validation." There is a link to discussion of parameter validation at https://msdn.microsoft.com/en-us/library/ksazx244.aspx which talks about overriding the error handling. So that is an option, in which case this applies: "If execution is allowed to continue, the function returns 0 and sets errno to EINVAL." So you could use _set_thread_local_invalid_parameter_handler to temporarily set a per-thread invalid parameter handler. But I'm not sure I'd recommend that. Sticking with the fail-fast policy is probably best, unless validating the times and dates is impractical, in which case temporarily setting the callback would be reasonable.
,
Apr 24 2017
https://pdfium-review.googlesource.com/c/4454/8/core/fxcrt/fx_system.cpp Hmm ... couldn't make handler work, seems to just crash on these bad inputs. I'll try pre-validation.
,
Apr 24 2017
Pre-validation is probably better anyway. Those handlers are not a great concept, and may be poorly tested.
,
Apr 24 2017
|
|||
►
Sign in to add a comment |
|||
Comment 1 by mummare...@chromium.org
, Apr 19 2017Labels: M-60 Test-Predator-Wrong