irssi: Integer-overflow in get_ansi_color
Project Member Reported by ClusterFuzz-External, Feb 3 2017
Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=5070269957799936
Project: irssi
Fuzzer: libFuzzer_irssi_irssi-fuzz
Fuzz target binary: irssi-fuzz
Job Type: libfuzzer_ubsan_irssi
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  get_ansi_color
  strip_codes
  print_line
Sanitizer: undefined (UBSAN)
Reproducer Testcase: https://clusterfuzz-external.appspot.com/download/AMIfv94JzAwylQbIVdIqYdF2MkzSj1XGSz5mjiHSHTnCSCcap8wnHKILVvUPzHHhzPudlMVxyHwELXuLQJg8hIJinLQ00Xhq95lLKQXVNR_UsxlzhEi6_bBFMq__ucsmlwt9c8JTY4nDSZ8AlnjRaHUG_0PzOLZRvuu7eOEu0xlx56L-JukFg0VkDHuNvMKAXevZOFdoBh_wWGRTm3vGpJnbmF4ctSPzi5kEFRVt9R0Tetpb7K5mF1sbJQUwnSHzGAOKmO7yw2T4i_SS1xc5AoC8ucvDoEhD2iv9CApBrYSr0w4gW3xR5cG7jb57lpsJu9ROpVpEhWh73qZAOx9OmqQvTxJhKQrW6PKEqOjOgr5h7hvv45HW4WMNwyzZiPP9Dnqiow_MIV8wSQjPYeIZQArpCjsao9puMjkeBIzvRijkVGAH8tGGs_4?testcase_id=5070269957799936
Issue filed automatically.
See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without an upstream patch, then the bug report will automatically become visible to the public.
This bug is approaching its deadline for being fixed, and will be automatically derestricted within 7 days. If a fix is planned within 2 weeks after the deadline has passed, a grace extension can be granted. - Your friendly Sheriffbot
May 3 2017
An extension would be nice. I've had a fix for this particular issue for a while already, but there are many similar pieces of code with the pattern "output * 10 + (*input - '0')", and there are other potential integer overflows even after that part of the number parsing is done.
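The accumulation pattern named in the comment above, with a bounded replacement, as an added example that is not irssi's code (the function names and the 0..255 parameter ceiling are assumptions for illustration):

```c
#include <stdbool.h>

/* Assumed bound for this example: SGR colour parameters fit in 0..255. */
#define SGR_PARAM_MAX 255

/* Bounded replacement for the "output * 10 + (*input - '0')" loop quoted in
 * the thread. That loop lets a long digit run overflow signed int (undefined
 * behaviour, the UBSAN finding). Here each step first checks that
 * output * 10 + digit stays <= SGR_PARAM_MAX. On overflow the function still
 * consumes the remaining digits, so the caller skips the whole sequence, but
 * reports failure instead of returning a wrapped-around value. */
static bool parse_sgr_param(const char *in, const char **end, int *value)
{
	int output = 0;
	bool ok = true;
	while (*in >= '0' && *in <= '9') {
		int digit = *in - '0';
		if (ok && output <= (SGR_PARAM_MAX - digit) / 10)
			output = output * 10 + digit;
		else
			ok = false;
		in++;
	}
	*end = in;
	*value = ok ? output : -1;
	return ok;
}

/* Parse a ';'-separated SGR parameter list (the bytes between ESC[ and 'm').
 * Returns the number of parameters stored, or -1 if any parameter overflows,
 * more than max_params are present, or an unexpected byte appears. An empty
 * parameter counts as 0, the usual ANSI convention. */
static int parse_sgr_params(const char *in, int *params, int max_params)
{
	int n = 0;
	for (;;) {
		const char *end;
		int value;
		if (!parse_sgr_param(in, &end, &value) || n == max_params)
			return -1;
		params[n++] = value;
		if (*end == '\0')
			return n;
		if (*end != ';')
			return -1;
		in = end + 1;
	}
}
```

A rejected sequence (return value -1) should be dropped as a whole by the caller rather than partially applied.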
May 3 2017
Sure, we've extended the deadline by 14 days.
May 17 2017
Here's a fix for this and the other related integer overflow issues:
https://github.com/irssi/irssi/pull/706
We've decided to handle it publicly in github since I'm almost completely sure it's not security relevant (took me way too long to be sure of that, and I still think it's possible compilers could find a way to mess it up given enough evil optimizations, but even those are unlikely to have serious consequences). I guess clusterfuzz won't see the fix for a while (the PR still needs to be reviewed by the others), but of course it's okay if this gets derestricted.
May 18 2017
This bug has exceeded our disclosure deadline. It has been opened to the public. - Your friendly Sheriffbot
Jun 17 2017
ClusterFuzz testcase 5070269957799936 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 17 2017
Uh, does that mean it no longer reproduces against the original revision? Because it's fixed in current git master.