Integer-overflow in uprv_decNumberFromString_60
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5042115544612864
Fuzzer: libFuzzer_icu_number_format_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  uprv_decNumberFromString_60
  icu_60::DigitList::set
  icu_60::DecimalFormat::subparse
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=525422:525449
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5042115544612864

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Dec 22 2017
Issue 796811 has been merged into this issue.
Dec 23 2017
Issue 642853 has been merged into this issue.
Dec 23 2017
Dec 23 2017
From bug 642853:

Line 630 of decNumber.c ( https://cs.chromium.org/chromium/src/third_party/icu/source/i18n/decNumber.c?rcl=0&l=630 ) has an 'undefined behavior' because X10(e) is expanded to (e<<3) + (e<<1) for e >= (2^31-1 / 8). The author of the code lets it overflow intentionally. See lines 636 ~ 638.

[1]
  626       for (; *c=='0' && *(c+1)!='\0';) c++;  /* strip insignificant zeros */
  627       firstexp=c;                              /* save exponent digit place */
  628       for (; ;c++) {
  629         if (*c<'0' || *c>'9') break;           /* not a digit */
  630         exponent=X10(exponent)+(Int)*c-(Int)'0';
  631         } /* c */
  632       /* if not now on a '\0', *c must not be a digit */
  633       if (*c!='\0') break;
  634
  635       /* (this next test must be after the syntax checks) */
  636       /* if it was too long the exponent may have wrapped, so check */
  637       /* carefully and set it to a certain overflow if wrap possible */
  638       if (c>=firstexp+9+1) {
  639         if (c>firstexp+9+1 || *firstexp>'1') exponent=DECNUMMAXE*2;
  640         /* [up to 1999999999 is OK, for example 1E-1000000998] */
  641         }
  642       if (nege) exponent=-exponent;            /* was negative */
  643       status=0;                                /* is OK */
  644       } /* stuff after digits */

Lines 136 ~ 142 have ( https://cs.chromium.org/chromium/src/third_party/icu/source/i18n/decNumber.c?rcl=0&l=136 ) :

  136   /* 4. Exponent checking is minimized by allowing the exponent to    */
  137   /*    grow outside its limits during calculations, provided that    */
  138   /*    the decFinalize function is called later.  Multiplication and */
  139   /*    division, and intermediate calculations in exponentiation,    */
  140   /*    require more careful checks because of the risk of 31-bit     */
  141   /*    overflow (the most negative valid exponent is -1999999997, for */
  142   /*    a 999999999-digit number with adjusted exponent of -999999999). */

-------------------------

I wonder if something similar to http://bugs.icu-project.org/trac/changeset/38782 (casting) would work for ubsan.
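The exponent loop quoted above, as an added example that is not the bug tracker's, ICU's or the commenter's own code: it keeps the same X10 macro and the same 10-digit wrap check, but accumulates in an unsigned type (the "int => uint" approach mentioned later in this thread), so that an over-long exponent wraps with defined semantics and UBSan has nothing to report. parse_exponent and exponent_of are hypothetical names; nege stands in for the sign flag of the original, and DECNUMMAXE is assumed to be decNumber.h's 999999999.

```c
#include <stdint.h>
#include <stdio.h>

#define DECNUMMAXE 999999999              /* decNumber.h's largest exponent (assumed) */
#define X10(i) (((i)<<1)+((i)<<3))        /* i*10 via shifts, as in decNumber.c */

/* Hypothetical parse_exponent: same loop shape as decNumber.c lines 626-642,
 * but the accumulator is unsigned, so an over-long exponent wraps with
 * defined semantics instead of signed overflow (UB). The wrapped value is
 * then discarded by the same 10-digit check and replaced by a certain
 * overflow (DECNUMMAXE*2). Returns 0 on success, -1 on a non-digit. */
int parse_exponent(const char *c, int nege, int32_t *out)
{
    uint32_t exponent = 0;                        /* uint: the "int => uint" fix */
    const char *firstexp;

    for (; *c == '0' && *(c + 1) != '\0';) c++;   /* strip insignificant zeros */
    firstexp = c;                                 /* save exponent digit place */
    for (;; c++) {
        if (*c < '0' || *c > '9') break;          /* not a digit */
        exponent = X10(exponent) + (uint32_t)(*c - '0');   /* may wrap; defined */
    }
    if (*c != '\0') return -1;                    /* trailing non-digit: syntax error */

    /* if it was too long the exponent may have wrapped, so check carefully:
     * more than 10 digits, or 10 digits with a leading digit above '1' */
    if (c >= firstexp + 9 + 1) {
        if (c > firstexp + 9 + 1 || *firstexp > '1')
            exponent = (uint32_t)DECNUMMAXE * 2;  /* 1999999998: certain overflow */
    }
    /* anything that survives is <= 1999999999, which fits in int32_t */
    *out = nege ? -(int32_t)exponent : (int32_t)exponent;
    return 0;
}

/* Test/demo helper: the parsed exponent, or INT32_MIN on a syntax error. */
int32_t exponent_of(const char *s, int nege)
{
    int32_t e;
    return parse_exponent(s, nege, &e) == 0 ? e : INT32_MIN;
}

int main(void)
{
    /* constructed inputs; the 11-digit one wrapped the signed int in the original */
    const char *samples[] = {"123", "1999999999", "2000000000", "99999999999"};
    for (int i = 0; i < 4; i++)
        printf("%-12s -> %d\n", samples[i], exponent_of(samples[i], 0));
    return 0;
}
```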
Dec 25 2017
Jan 17 2018
Filed an upstream bug at http://bugs.icu-project.org/trac/ticket/13550 .
Jan 30 2018
The upstream may rewrite the part in question before long.
Feb 10 2018
Feb 19 2018
An upstream has a 2-line fix (int => uint).
Apr 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/deps/icu.git/+/aff99f5c22aded55ee29753ce049e61570294967

commit aff99f5c22aded55ee29753ce049e61570294967
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Apr 12 20:51:41 2018

Cherry pick 3 patches from the upstream

* Fix the undefined behavior in decimal number parsing
  http://bugs.icu-project.org/trac/changeset/40950
* Fix the handling of non-BMP characters in CJK breakiterator
  http://www.icu-project.org/trac/changeset/40949
* Limit the recursion depth of UnicodeSet pattern
  http://bugs.icu-project.org/trac/changeset/40979

TBR=inferno@chromium.org
Bug: chromium:799850 , chromium:796807 , chromium:796752
Test: See the bugs.
Change-Id: I1a8909371b601f36faca911039b10d36c7a92c85
Reviewed-on: https://chromium-review.googlesource.com/1009001
Reviewed-by: Jungshik Shin <jshin@chromium.org>

[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/README.chromium
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/cjkdict_nonbmp.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/number_ub.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/uset_depth.patch
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/dictbe.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/unicode/uniset.h
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_closure.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_props.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/i18n/decNumber.cpp
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bcb59cd6dd0e451d00d47b3d4a42a146dd307add

commit bcb59cd6dd0e451d00d47b3d4a42a146dd307add
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Apr 13 00:33:00 2018

Roll ICU to aff99f5

There are two changes: https://chromium.googlesource.com/chromium/deps/icu.git/+log/d888fd2..aff99f5

$ git log d888fd2..aff99f5 --date=short --no-merges --format='%ad %ae %s'
2018-04-11 jshin@chromium.org Cherry pick 3 patches from the upstream
2018-04-10 jshin@chromium.org Update IANA tzdb to 2018d and apply a fix for long word selection

TBR=mark@chromium.org,inferno@chromium.org
Bug: chromium:799850 , chromium:796807 , chromium:796752
Bug: chromium:829144, chromium:473288
Test: See the two ICU cls above.
Change-Id: I0adf27e01c0349bd00d4916567bdc0bc70483439
Reviewed-on: https://chromium-review.googlesource.com/1011238
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550435}

[modify] https://crrev.com/bcb59cd6dd0e451d00d47b3d4a42a146dd307add/DEPS
Apr 13 2018
ClusterFuzz has detected this issue as fixed in range 550416:550448.

Detailed report: https://clusterfuzz.com/testcase?key=5042115544612864
Fuzzer: libFuzzer_icu_number_format_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  uprv_decNumberFromString_60
  icu_60::DigitList::set
  icu_60::DecimalFormat::subparse
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=525422:525449
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=550416:550448
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5042115544612864

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 13 2018
ClusterFuzz testcase 5042115544612864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bcb59cd6dd0e451d00d47b3d4a42a146dd307add

commit bcb59cd6dd0e451d00d47b3d4a42a146dd307add
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Apr 13 00:33:00 2018

Roll ICU to aff99f5

There are two changes: https://chromium.googlesource.com/chromium/deps/icu.git/+log/d888fd2..aff99f5

$ git log d888fd2..aff99f5 --date=short --no-merges --format='%ad %ae %s'
2018-04-11 jshin@chromium.org Cherry pick 3 patches from the upstream
2018-04-10 jshin@chromium.org Update IANA tzdb to 2018d and apply a fix for long word selection

TBR=mark@chromium.org,inferno@chromium.org
Bug: chromium:799850 , chromium:796807 , chromium:796752
Bug: chromium:829144, chromium:473288
Test: See the two ICU cls above.
Change-Id: I0adf27e01c0349bd00d4916567bdc0bc70483439
Reviewed-on: https://chromium-review.googlesource.com/1011238
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550435}

[modify] https://crrev.com/bcb59cd6dd0e451d00d47b3d4a42a146dd307add/DEPS
Apr 25 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/82e8c77b1e704e509f1a8aefa4f5e3380943405d

commit 82e8c77b1e704e509f1a8aefa4f5e3380943405d
Author: Jungshik Shin <jungshik@google.com>
Date: Wed Apr 25 16:57:19 2018
Comment 1 by kkaluri@chromium.org, Dec 22 2017
Components: Blink
Labels: M-65 Test-Predator-Wrong
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)