
Issue 621524 link

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Integer-overflow in round_down_to_int

Reported by ClusterFuzz, Jun 20 2016

Issue description

Comment 1 by mmoroz@chromium.org, Jun 20 2016

Cc: mmoroz@chromium.org mbarbe...@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Internals>Skia
Owner: hcm@chromium.org

Comment 2 by ClusterFuzz, Jun 27 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4778981782192128

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400437:400524

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965_rE3isInK2mxm9uF1T2SYqoR6FAQNv8ILszIfOW0gFlV9nqo7ZAmwAlrXvFsanpy7de9RKuGjsgncKHii3c4ng0JGvcCQwvHik5KGQp1ZNsaoyVaMv2ogdcKRpy5zsW-vcDIQ7goaVDuyCRHFwQNzOEerA?testcase_id=4778981782192128

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 3 by ClusterFuzz, Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5831101897768960

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400437:400524

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XQ_AILAlLHGzn7pMwlpW9kTlAIn0KxxEut1-6AMJbx_iYFePe0VQOKXOqB30MnJAaXCKQ48rNI3rnbuc0QRQouAFi0nplA24XACL3L-P3LA3ApQdMATE6jtEapmVD04Jq87A7gXW8YUyCNNQq56m2oalR0A?testcase_id=5831101897768960

Filer: ajha

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 4 by hcm@chromium.org, Jul 14 2016

Cc: hcm@chromium.org
Owner: caryclark@chromium.org
Passing this to Cary now that it happened again, but still concerned about the flakiness.
Cc: caryclark@google.com
Owner: reed@google.com

Comment 6 by ClusterFuzz, Jul 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6164142427996160

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400437:400524

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tL0gYgMLwVZH6A1F6GcVlSxBjC5KGkfoAJYt4RXpxpJwJP1CdY-YdiGqU-aiXGr3Y3vfRmnXZxxHeXjUbJSuAY0fnzgfHdIsDg0rIOrWnSCxg_2gK3C0IxUIiyctFsYivsVmqLSD4mMgBIpce2miPw2l2rw?testcase_id=6164142427996160

Filer: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 7 by ClusterFuzz, Aug 3 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6104294782926848

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkScan::FillPath
  SkRegion::setPath
  SkRasterClip::setPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94NhoPHHZSaenZuGn0-1LHX-VW7zNs3xgS6l3DqH9FoBycm1IoxrCMI2uLS7r5RUEc1AaUKFQBBzO1kCFic67dQhfZ1Xsm1tUjCnIKCb4CHf6CYFqEh8KJSpGgvENga6EjZdT9I0P5C2T6pCAT_bKYaPJZXsw?testcase_id=6104294782926848
 id=tCF1>>
<script>
// Minimized reproducer: the arcTo radius (0x8337139C69DB3, about 2.3e15)
// is far larger than INT_MAX, and clip() routes the resulting path through
// SkRasterClip::setPath and SkRegion::setPath into SkScan::FillPath.
var canvas=document.body.appendChild(document.createElement("canvas"));
var ctx=canvas.getContext("2d");
ctx.moveTo( 169,711 );
ctx.arcTo( 409,878 , 237,63 ,0x8337139C69DB3);
ctx.clip();
</script>


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
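Editor's note, added here and not part of any comment on this issue: the reports above all bottom out in a round-to-int helper called from SkScan::FillPath, and the canvas reproducer feeds it an arc with a radius of about 2.3e15, far outside the int range. The example below is not Skia's or Chromium's code; it assumes the failing operation is the conversion of a path coordinate too large for int (which is what the stack and the testcase suggest) and shows an unchecked round-down helper next to a saturating one, plus the bounds check a caller could make before handing a path to a scan converter. Helper names and the clamp policy are this example's own choices.

```cpp
// Added example (not Skia or Chromium code): rounding a huge path coordinate
// to int versus a saturating replacement. Names and policy are assumptions.
#include <climits>
#include <cmath>
#include <cstdio>

// Radius from the canvas testcase above, as a double. It is a 52-bit integer,
// so the conversion to double is exact.
static const double kTestcaseRadius = static_cast<double>(0x8337139C69DB3LL);

// True when an already-rounded value r can be cast to int without UB.
static bool fits_in_int(double r) {
    return r == r && r >= static_cast<double>(INT_MIN)
                  && r <= static_cast<double>(INT_MAX);
}

// Shape of a "round down to int" helper (hypothetical, not Skia's source):
// subtract 0.5 and take the ceiling, so 10.5 -> 10 and 10.6 -> 11.
// The final cast is undefined behaviour when the result is outside the int
// range, which is exactly what UBSan flags. Only call it with bounded input.
static int round_down_to_int_unchecked(double x) {
    return static_cast<int>(std::ceil(x - 0.5));
}

// Hardened variant: clamp to the int range before the cast so out-of-range
// coordinates saturate instead of invoking UB. NaN maps to 0 (a policy choice).
static int round_down_to_int_saturating(double x) {
    double r = std::ceil(x - 0.5);
    if (r != r) return 0;
    if (r >= static_cast<double>(INT_MAX)) return INT_MAX;
    if (r <= static_cast<double>(INT_MIN)) return INT_MIN;
    return static_cast<int>(r);
}

// Check a caller can make before scan-converting a path: every rounded edge
// of the bounds must fit in int. (Assumed policy, not Skia's.)
static bool path_bounds_rasterizable(double left, double top,
                                     double right, double bottom) {
    const double edges[4] = {left, top, right, bottom};
    for (double e : edges) {
        if (!fits_in_int(std::ceil(e - 0.5))) return false;
    }
    return true;
}

int main() {
    // The testcase's moveTo coordinates fit; an edge pushed out by the huge
    // radius does not, and the saturating helper clamps it to INT_MAX.
    std::printf("moveTo x fits:    %d\n", fits_in_int(169.0));
    std::printf("radius fits:      %d\n", fits_in_int(kTestcaseRadius));
    std::printf("unchecked(10.6):  %d\n", round_down_to_int_unchecked(10.6));
    std::printf("saturating(r):    %d\n",
                round_down_to_int_saturating(kTestcaseRadius));
    std::printf("bounds ok:        %d\n",
                path_bounds_rasterizable(169, 63, 409 + kTestcaseRadius, 878));
    return 0;
}
```

Compile with `-fsanitize=undefined` and pass kTestcaseRadius to the unchecked helper to see the runtime report the fuzzer hit; the saturating helper and the bounds check are the two places a fix can live, depending on whether the rasterizer or its caller owns the contract.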

Comment 8 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413961:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6164142427996160

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400437:400524
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413961:414068

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94tL0gYgMLwVZH6A1F6GcVlSxBjC5KGkfoAJYt4RXpxpJwJP1CdY-YdiGqU-aiXGr3Y3vfRmnXZxxHeXjUbJSuAY0fnzgfHdIsDg0rIOrWnSCxg_2gK3C0IxUIiyctFsYivsVmqLSD4mMgBIpce2miPw2l2rw?testcase_id=6164142427996160

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413961:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5831101897768960

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400437:400524
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=413961:414068

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XQ_AILAlLHGzn7pMwlpW9kTlAIn0KxxEut1-6AMJbx_iYFePe0VQOKXOqB30MnJAaXCKQ48rNI3rnbuc0QRQouAFi0nplA24XACL3L-P3LA3ApQdMATE6jtEapmVD04Jq87A7gXW8YUyCNNQq56m2oalR0A?testcase_id=5831101897768960

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz, Aug 27 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6418202760577024

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414692:414729

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96u8L1SAhl16wIfi5eOntkfkoOgW5kmLvOwbeac7MV3X8ee6JIwJoNrF_awrKJXEyYVhbZ8HE8U_y9yutdJFyPpXbz1k5ilaZrW1R7H-NSo9tk7eR3Xmp9RtJ-ikHhq54PmRK-x7uy6zPcqPILMa86lTB4jNA?testcase_id=6418202760577024

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 11 by ClusterFuzz, Aug 27 2016

ClusterFuzz has detected this issue as fixed in range 414779:414830.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6418202760577024

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414692:414729
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414779:414830

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96u8L1SAhl16wIfi5eOntkfkoOgW5kmLvOwbeac7MV3X8ee6JIwJoNrF_awrKJXEyYVhbZ8HE8U_y9yutdJFyPpXbz1k5ilaZrW1R7H-NSo9tk7eR3Xmp9RtJ-ikHhq54PmRK-x7uy6zPcqPILMa86lTB4jNA?testcase_id=6418202760577024

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz, Aug 29 2016

Status: Assigned (was: Available)
Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/82595b6fa4733e1525f357bdcac22db058790550
Time: Tue May 10 00:48:46 2016
The CL last changed line 1100 of file SkDraw.cpp, which is stack frame 3.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/82595b6fa4733e1525f357bdcac22db058790550
Time: Tue May 10 00:48:46 2016
The CL last changed line 1193 of file SkDraw.cpp, which is stack frame 4.

Comment 14 by ClusterFuzz, Aug 30 2016

ClusterFuzz has detected this issue as fixed in range 415035:415043.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5629908690927616

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414977:414989
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415035:415043

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97iP5_-6GZHqhXUXBanuD64qEIx9e0u6yA7fdV00JkSmkX7CnOAsVgpM42UNYMCwi-I6hGhllZuvBw2OPRwp1mIEq5vByHmdpdt305dbPc6fQx5BVyoEY1DVH5JJbkOIxyxNIGZz_E3sidUH8_33iuV2VyMZQ?testcase_id=5629908690927616

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 15 by ClusterFuzz, Sep 1 2016


Comment 16 by ClusterFuzz, Sep 28 2016

ClusterFuzz has detected this issue as fixed in range 421187:421240.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6104294782926848

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkScan::FillPath
  SkRegion::setPath
  SkRasterClip::setPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=421187:421240

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94NhoPHHZSaenZuGn0-1LHX-VW7zNs3xgS6l3DqH9FoBycm1IoxrCMI2uLS7r5RUEc1AaUKFQBBzO1kCFic67dQhfZ1Xsm1tUjCnIKCb4CHf6CYFqEh8KJSpGgvENga6EjZdT9I0P5C2T6pCAT_bKYaPJZXsw?testcase_id=6104294782926848
 id=tCF1>>
<script>
var canvas=document.body.appendChild(document.createElement("canvas"));
var ctx=canvas.getContext("2d");
ctx.moveTo( 169,711 );
ctx.arcTo( 409,878 , 237,63 ,0x8337139C69DB3);
ctx.clip();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Pri-2

Comment 18 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by ClusterFuzz, Jan 16 2017

ClusterFuzz has detected this issue as fixed in range 443818:443834.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4791335464992768

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=415587:415619
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=443818:443834

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZnCpOrml8rBcENHWU2VjKJEkuVGaZFVmQo__yFEXkx8KkclBrbqdk8AMoTS_Y7XV0wpIZMaceq6y2aMTJnpI_pJlslPmx2_2RUeaxNyqHrOQnRqYmA0jpq6ygh7ZgiZi3DLVMXKcNo04AYavhtlZWIGCmpQ?testcase_id=4791335464992768

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 20 by ClusterFuzz, Jan 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4791335464992768 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.