
Issue 819469 link

Starred by 1 user

Issue metadata

Status: Duplicate
Owner: ----
Closed: Mar 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Fatal error: unreachable code in runtime-intl.cc

Reported by scdengy...@gmail.com, Mar 7 2018

Issue description

VULNERABILITY DETAILS
IcuDateFieldIdToDateType does not handle UDAT_RELATED_YEAR_FIELD, which causes an UNREACHABLE() crash.

VERSION
Chrome Version: [64.0.3282.186] + [stable]
Operating System: [OS X 10.13.3]

REPRODUCTION CASE
poc.js:
var date1 = new Date('1995, 11, 17');
var dateti1 = new Intl.DateTimeFormat("az-Cyrl-u-ca-chinese");
dateti1.formatToParts(date1);

crash log:
#0  0xf1e7e1ce in v8::base::OS::Abort() () at ../../src/base/platform/platform-posix.cc:381
#1  0xf1e40b0b in V8_Fatal(char const*, int, char const*, ...) () at ../../src/base/logging.cc:170
#2  0xf595a240 in v8::internal::(anonymous namespace)::IcuDateFieldIdToDateType(int, v8::internal::Isolate*) () at ../../src/runtime/runtime-intl.cc:329
#3  0xf59598b6 in v8::internal::(anonymous namespace)::AddElement(v8::internal::Handle<v8::internal::JSArray>, int, int, icu_60::UnicodeString const&, int, int, v8::internal::Isolate*) () at ../../src/runtime/runtime-intl.cc:341
#4  0xf5940819 in __RT_impl_Runtime_InternalDateFormatToParts () at ../../src/runtime/runtime-intl.cc:403
#5  0xf593f2c8 in v8::internal::Runtime_InternalDateFormatToParts(int, v8::internal::Object**, v8::internal::Isolate*) () at ../../src/runtime/runtime-intl.cc:360

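As an added illustration (not code from the report or from V8), the defensive pattern behind this class of bug: a switch that maps ICU date field ids to formatToParts type strings, first with the aborting default the report describes, then with an exhaustive mapping and a non-fatal fallback, plus a check that walks every field id so a missing case is caught in a unit test rather than by a fuzzer or a user. The enum is a constructed stand-in for ICU's UDateFormatField (abbreviated, illustrative numbering) and the type strings are assumptions.

```cpp
#include <cstdlib>
#include <string>

// Constructed stand-in for ICU's UDateFormatField (unicode/udat.h). The member
// names follow ICU; the numbering is illustrative and the list is abbreviated.
enum UDateFormatField {
  UDAT_ERA_FIELD,
  UDAT_YEAR_FIELD,
  UDAT_MONTH_FIELD,
  UDAT_DATE_FIELD,
  UDAT_RELATED_YEAR_FIELD,  // produced for the Chinese calendar in the report
  UDAT_FIELD_COUNT          // one past the last valid field id
};

// Before: the pattern the report describes. A field id with no case reaches
// the default, which aborts the whole process. The calendar that produces the
// field is chosen by the caller's locale string, so this is a remotely
// triggerable crash (denial of service), not just a debug-only assertion.
static std::string FieldTypeAborting(int field_id) {
  switch (field_id) {
    case UDAT_ERA_FIELD:   return "era";
    case UDAT_YEAR_FIELD:  return "year";
    case UDAT_MONTH_FIELD: return "month";
    case UDAT_DATE_FIELD:  return "day";
    default: std::abort();  // stands in for UNREACHABLE(); RELATED_YEAR lands here
  }
}

// After: every id the formatter can legitimately produce has a case, and the
// default degrades to a harmless generic part type instead of aborting.
static std::string FieldTypeSafe(int field_id) {
  switch (field_id) {
    case UDAT_ERA_FIELD:          return "era";
    case UDAT_YEAR_FIELD:         return "year";
    case UDAT_MONTH_FIELD:        return "month";
    case UDAT_DATE_FIELD:         return "day";
    case UDAT_RELATED_YEAR_FIELD: return "relatedYear";  // assumed type string
    default:                      return "literal";      // unknown id: still safe
  }
}

// Exhaustiveness check for a unit test: feeds every id below UDAT_FIELD_COUNT
// to the mapper and counts ids that fall back to the generic type. A non-zero
// count flags a field the mapper does not know about.
static int CountUnmappedFields(std::string (*mapper)(int)) {
  int unmapped = 0;
  for (int id = 0; id < UDAT_FIELD_COUNT; ++id)
    if (mapper(id) == "literal") ++unmapped;
  return unmapped;
}
```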

 
Project Member

Comment 1 by ClusterFuzz, Mar 7 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5216858521993216.
Mergedinto: 770448
Status: Duplicate (was: Unconfirmed)
Looks like the same PoC as issue 770448
Project Member

Comment 3 by ClusterFuzz, Mar 7 2018

Detailed report: https://clusterfuzz.com/testcase?key=5216858521993216

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f1b54d51c18
Crash State:
  IcuDateFieldIdToDateType
  v8::internal::AddElement
  v8::internal::__RT_impl_Runtime_InternalDateFormatToParts
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45141:45142

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5216858521993216

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 4 by ClusterFuzz, Apr 12 2018

ClusterFuzz has detected this issue as fixed in range 52555:52556.

Detailed report: https://clusterfuzz.com/testcase?key=5216858521993216

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7fd7f2d0df88
Crash State:
  IcuDateFieldIdToDateType
  v8::internal::AddElement
  v8::internal::__RT_impl_Runtime_InternalDateFormatToParts
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45141:45142
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=52555:52556

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5216858521993216

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 14 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
