
Issue 525

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Type: Bug




irssi: Integer-overflow in get_ansi_color

Reported by ClusterFuzz-External (Project Member), Feb 3 2017

Issue description

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=5070269957799936

Project: irssi
Fuzzer: libFuzzer_irssi_irssi-fuzz
Fuzz target binary: irssi-fuzz
Job Type: libfuzzer_ubsan_irssi
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  get_ansi_color
  strip_codes
  print_line
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz-external.appspot.com/download/AMIfv94JzAwylQbIVdIqYdF2MkzSj1XGSz5mjiHSHTnCSCcap8wnHKILVvUPzHHhzPudlMVxyHwELXuLQJg8hIJinLQ00Xhq95lLKQXVNR_UsxlzhEi6_bBFMq__ucsmlwt9c8JTY4nDSZ8AlnjRaHUG_0PzOLZRvuu7eOEu0xlx56L-JukFg0VkDHuNvMKAXevZOFdoBh_wWGRTm3vGpJnbmF4ctSPzi5kEFRVt9R0Tetpb7K5mF1sbJQUwnSHzGAOKmO7yw2T4i_SS1xc5AoC8ucvDoEhD2iv9CApBrYSr0w4gW3xR5cG7jb57lpsJu9ROpVpEhWh73qZAOx9OmqQvTxJhKQrW6PKEqOjOgr5h7hvv45HW4WMNwyzZiPP9Dnqiow_MIV8wSQjPYeIZQArpCjsao9puMjkeBIzvRijkVGAH8tGGs_4?testcase_id=5070269957799936


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Comment 1 by ochang@google.com (Project Member), Feb 24 2017

Labels: Engine-libfuzzer

Comment 2 by ClusterFuzz-External (Project Member), Mar 16 2017

Labels: OS-Linux

Comment 3 by sheriffbot@chromium.org (Project Member), Apr 27 2017

Labels: Deadline-Approaching
This bug is approaching its deadline for being fixed, and will be automatically derestricted within 7 days. If a fix is planned within 2 weeks after the deadline has passed, a grace extension can be granted.

- Your friendly Sheriffbot

Comment 4 by d...@dxzone.com.ar, May 3 2017

An extension would be nice.

I've had a fix for this particular issue for a while already, but there are many similar pieces of code with the pattern "output * 10 + (*input - '0')", and there are other potential integer overflows even after that part of the number parsing is done.
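The accumulation pattern named in the comment above, written out as an added example (not irssi's code and not the fix in the project's PR): a hypothetical SGR parameter parser that checks the bound before every `value * 10 + digit` step, so the signed overflow UBSAN reported cannot occur, and rejects parameters above a caller-supplied maximum so arithmetic done later on the parsed value stays small too. All names and the sample inputs are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Error codes of the hypothetical parser (added example, not irssi's code). */
enum { ANSI_BAD_INPUT = -1, ANSI_OVERFLOW = -2 };

/* Parse the parameters of an SGR sequence such as "\x1b[1;31m" into out[].
 * Each parameter is built with the usual "value * 10 + digit" step, but the
 * bound is checked BEFORE the step, so signed overflow (undefined behaviour)
 * cannot happen. Values above max_param are rejected as soon as they are
 * exceeded, so a long digit run bails out early and downstream code never
 * sees an absurdly large parameter.
 * Returns the number of parameters stored, or a negative error code. */
int parse_sgr_params(const char *s, int max_param, int *out, size_t out_len)
{
    if (s[0] != '\x1b' || s[1] != '[')
        return ANSI_BAD_INPUT;
    const char *p = s + 2;
    size_t n = 0;
    for (;;) {
        int value = 0;              /* an empty parameter defaults to 0 */
        while (*p >= '0' && *p <= '9') {
            int digit = *p - '0';
            /* Would value * 10 + digit exceed INT_MAX?  Decided without
             * forming the product, so the check itself cannot overflow. */
            if (value > (INT_MAX - digit) / 10)
                return ANSI_OVERFLOW;
            value = value * 10 + digit;
            if (value > max_param)  /* reject oversized parameters early */
                return ANSI_OVERFLOW;
            p++;
        }
        if (n >= out_len)
            return ANSI_BAD_INPUT;  /* more parameters than we can store */
        out[n++] = value;
        if (*p == ';') { p++; continue; }
        return *p == 'm' ? (int)n : ANSI_BAD_INPUT;
    }
}

int main(void)
{
    int params[4];
    /* Constructed inputs: a normal colour sequence and an oversized one. */
    int ok = parse_sgr_params("\x1b[1;31m", 255, params, 4);
    int bad = parse_sgr_params("\x1b[99999999999999999999m", 255, params, 4);
    printf("ok=%d (params %d,%d) bad=%d\n", ok, params[0], params[1], bad);
    return 0;
}
```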

Comment 5 by ochang@google.com (Project Member), May 3 2017

Labels: Deadline-Grace
Sure, we've extended the deadline by 14 days.

Comment 6 by d...@dxzone.com.ar, May 17 2017

Here's a fix for this and the other related integer overflow issues.

https://github.com/irssi/irssi/pull/706

We've decided to handle it publicly on GitHub since I'm almost completely sure it's not security relevant (took me way too long to be sure of that, and I still think it's possible compilers could find a way to mess it up given enough evil optimizations, but even those are unlikely to have serious consequences).

I guess ClusterFuzz won't see the fix for a while (the PR still needs to be reviewed by the others) but of course it's okay if this gets derestricted.

Comment 7 by sheriffbot@chromium.org (Project Member), May 18 2017

Labels: -restrict-view-commit -deadline-approaching Deadline-Exceeded
This bug has exceeded our disclosure deadline. It has been opened to the public.

- Your friendly Sheriffbot

Comment 8 by ClusterFuzz-External (Project Member), Jun 17 2017

Status: WontFix (was: New)
ClusterFuzz testcase 5070269957799936 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by d...@dxzone.com.ar, Jun 17 2017

Uh, does that mean it no longer reproduces against the original revision? Because it's fixed in current git master.
