Details
- Bug
- Resolution: Done
- P2: Important
- 5.15.2
- 380d97e1bd15e753907c378a070bdf7f1c1cf06e (qt/qtbase/dev), a754477b734661bc0850fb36b3fc4b55445ff2c2 (qt/qtbase/6.0), d2c0fc2b5f1c07c1e0acb1c0127578066b6f9b8e (qt/qtbase/5.15)
Description
- Build your fuzz target for QDateTime with "-sanitize undefined".
- Let it run on the attached input file:

```
./fromstring input
```
It will report undefined behavior:

```
/src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:427:30: runtime error: signed integer overflow: 72000000 * 60 cannot be represented in type 'int'
    #0 0x51a894 in parsePosixTime(char const*, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:427:30
    #1 0x51a4d4 in parsePosixOffset(char const*, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:453:17
    #2 0x5108e6 in (anonymous namespace)::PosixZone::parse(char const*&, char const*) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:525:46
    #3 0x50f295 in QTzTimeZoneCache::findEntry(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:685:21
    #4 0x5135b4 in QTzTimeZoneCache::fetchEntry(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:850:33
    #5 0x50e24e in QTzTimeZonePrivate::init(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:858:33
    #6 0x50eac4 in QTzTimeZonePrivate::QTzTimeZonePrivate(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:644:5
    #7 0x4fb881 in newBackendTimeZone(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezone.cpp:95:16
    #8 0x4fb45e in QTimeZone::QTimeZone(QByteArray const&) /src/qt/qtbase/src/corelib/time/qtimezone.cpp:343:55
    #9 0x5360cb in QDateTimeParser::findTimeZoneName(QStringRef, QDateTime const&) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1742:19
    #10 0x52c739 in QDateTimeParser::findTimeZone(QStringRef, QDateTime const&, int, int) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1764:19
    #11 0x52a275 in QDateTimeParser::parseSection(QDateTime const&, int, int, QString*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:796:18
    #12 0x52e865 in QDateTimeParser::scanString(QDateTime const&, bool, QString*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1178:20
    #13 0x53350b in QDateTimeParser::parse(QString, int, QDateTime const&, bool) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:1420:22
    #14 0x537c08 in QDateTimeParser::fromString(QString const&, QDateTime*) const /src/qt/qtbase/src/corelib/time/qdatetimeparser.cpp:2129:27
    #15 0x4ea1b8 in QDateTime::fromString(QString const&, QString const&, QCalendar) /src/qt/qtbase/src/corelib/time/qdatetime.cpp:5560:38
    #16 0x4ea31d in QDateTime::fromString(QString const&, QString const&) /src/qt/qtbase/src/corelib/time/qdatetime.cpp:5576:12
    #17 0x493b4e in LLVMFuzzerTestOneInput /src/qt/qtbase/tests/libfuzzer/corelib/time/qdatetime/fromstring/main.cpp:97:9
    #18 0x444511 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
    #19 0x42e542 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
    #20 0x434885 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
    #21 0x45d902 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7ff39982183f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #23 0x409938 in _start (/out/qtbase_corelib_time_qdatetime_fromstring+0x409938)
```
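As an added example (not Qt's code and not the patch listed under Attachments), here is a bounds-checked parser for the POSIX TZ "[+-]hh[:mm[:ss]]" field that the trace reaches through parsePosixTime. It caps the hour field at 24 and the minute and second fields at 59 (the POSIX limits for an offset, assumed here) before any multiplication, so an input like 72000000 is rejected instead of overflowing int; the names parseField and parsePosixTimeChecked are this example's own.

```cpp
#include <cctype>
#include <string>

// Parse an unsigned decimal field from [p, end) into *out. Fails when there is
// no digit, more than maxDigits digits, or the value exceeds maxValue. Capping
// the digit count first means the accumulation below can never overflow int.
static bool parseField(const char*& p, const char* end,
                       int maxDigits, int maxValue, int* out) {
    int value = 0, digits = 0;
    while (p < end && std::isdigit(static_cast<unsigned char>(*p))) {
        if (++digits > maxDigits)
            return false;                 // e.g. "72000000": too many digits
        value = value * 10 + (*p++ - '0'); // at most maxDigits digits: safe
    }
    if (digits == 0 || value > maxValue)
        return false;
    *out = value;
    return true;
}

// Parse a POSIX TZ time "[+-]hh[:mm[:ss]]" into a signed number of seconds.
// Hours are capped at 24 and minutes/seconds at 59 (the POSIX limits for an
// offset; assumed here), so hours * 3600 stays far below INT_MAX.
bool parsePosixTimeChecked(const std::string& text, int* secondsOut) {
    const char* p = text.data();
    const char* end = p + text.size();
    int sign = 1;
    if (p < end && (*p == '+' || *p == '-'))
        sign = (*p++ == '-') ? -1 : 1;
    int hours = 0;
    if (!parseField(p, end, 2, 24, &hours))
        return false;
    int seconds = hours * 3600;
    const int scales[2] = {60, 1};        // minutes, then seconds
    for (int scale : scales) {
        if (p == end)
            break;                        // "hh" or "hh:mm" form: done
        if (*p++ != ':')
            return false;                 // unexpected separator
        int part = 0;
        if (!parseField(p, end, 2, 59, &part))
            return false;
        seconds += part * scale;
    }
    if (p != end)
        return false;                     // trailing garbage
    *secondsOut = sign * seconds;
    return true;
}
```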
Attachments
For Gerrit Dashboard: QTBUG-88656

| # | Subject | Branch | Project | Status | Code-Review | Verified |
|---|---|---|---|---|---|---|
| 322555,3 | Add unit test reproducing integer overflow in QDateTime::fromString | dev | qt/qtbase | MERGED | +2 | 0 |
| 323230,8 | Bounds-check time-zone offsets when parsing | dev | qt/qtbase | MERGED | +2 | 0 |
| 324056,2 | Bounds-check time-zone offsets when parsing | 6.0 | qt/qtbase | MERGED | +2 | 0 |
| 324057,3 | Bounds-check time-zone offsets when parsing | 5.15 | qt/qtbase | MERGED | +2 | 0 |
| 324754,2 | fuzzing: Add recently fixed and published testcases | dev | qt/qtqa | MERGED | +2 | 0 |
| 325167,2 | fuzzing: Add recently fixed and published testcases | master | qt/qtqa | MERGED | +2 | 0 |