Undefined-shift in zucchini::BufferSource::GetSleb128
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4696006634242048
Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  zucchini::BufferSource::GetSleb128
  zucchini::CodeItemParser::GetNext
  zucchini::DisassemblerDex::ParseHeader
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572200:572205
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4696006634242048

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jul 3
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jul 3
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c2a778621cbcd812e2687269ba3f10132a31df12 ([Zucchini] Add dissassembler_dex Fuzzer). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jul 4
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d550e67840653dd68f49cdab0e58ca7268359bb9

commit d550e67840653dd68f49cdab0e58ca7268359bb9
Author: Calder Kitagawa <ckitagawa@chromium.org>
Date: Wed Jul 04 15:29:58 2018

[Zucchini] Fix undefined shift in GetSleb128.

A left shift resulting in truncation is undefined behavior on signed int types in C++. It is fine to left shift an unsigned type because there are no issues with two's complement representation or sign bits. To get around this we need to perform the shift on the uint type and recast it to a signed int type.

Bug: 860067
Change-Id: Ibace5aceb17c4435d6d37d5e37a16fa781c7dd99
Reviewed-on: https://chromium-review.googlesource.com/1126169
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572577}

[modify] https://crrev.com/d550e67840653dd68f49cdab0e58ca7268359bb9/components/zucchini/buffer_source.cc
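An SLEB128 decoder written along the lines the commit message describes, as an added example (not Zucchini's buffer_source.cc): every shift is performed on uint32_t, where dropping bits off the top is well defined, and the result is converted to int32_t only at the end, with truncated or over-long input rejected rather than read past the buffer. The function names and the sample byte sequences are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Sleb128Result {
  bool ok;        // false if the input is truncated or needs more than 32 bits
  int32_t value;  // valid only when ok
};

// Decode one SLEB128 value from |data| at |*pos|, advancing |*pos| on success.
// All shifts happen on uint32_t; the value becomes int32_t only by the final
// conversion, so no signed operand is ever shifted into or past its sign bit.
Sleb128Result DecodeSleb128(const std::vector<uint8_t>& data, size_t* pos) {
  uint32_t value = 0;
  uint32_t shift = 0;
  size_t i = *pos;
  while (i < data.size() && shift < 32) {
    const uint8_t byte = data[i++];
    // Unsigned shift: bits that would land beyond bit 31 are simply dropped.
    value |= static_cast<uint32_t>(byte & 0x7F) << shift;
    shift += 7;
    if ((byte & 0x80) == 0) {
      // Final byte: its bit 6 is the sign bit. Fill the remaining high bits
      // with an unsigned shift instead of something like -(1 << shift).
      if (shift < 32 && (byte & 0x40) != 0)
        value |= ~uint32_t{0} << shift;
      *pos = i;
      // uint32_t -> int32_t is a value conversion, not a shift: never UB.
      return {true, static_cast<int32_t>(value)};
    }
  }
  return {false, 0};  // ran out of bytes, or more than 5 continuation bytes
}

// Convenience wrapper: decode a single value from the start of |bytes|.
Sleb128Result DecodeOne(const std::vector<uint8_t>& bytes) {
  size_t pos = 0;
  return DecodeSleb128(bytes, &pos);
}

int main() {
  // Constructed samples: 2, -2, -128, INT32_MIN (5-byte form), and a truncated input.
  const std::vector<uint8_t> samples[] = {
      {0x02}, {0x7E}, {0x80, 0x7F}, {0x80, 0x80, 0x80, 0x80, 0x78}, {0x80, 0x80}};
  for (const auto& s : samples) {
    Sleb128Result r = DecodeOne(s);
    std::printf("%s %d\n", r.ok ? "ok " : "err", r.value);
  }
  return 0;
}
```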
Jul 4

Jul 5
ClusterFuzz has detected this issue as fixed in range 572576:572579.

Detailed report: https://clusterfuzz.com/testcase?key=4696006634242048
Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  zucchini::BufferSource::GetSleb128
  zucchini::CodeItemParser::GetNext
  zucchini::DisassemblerDex::ParseHeader
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572200:572205
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572576:572579
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4696006634242048

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5
ClusterFuzz testcase 4696006634242048 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jul 3. Labels: Test-Predator-Auto-Components