Issue 627780

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in SkTAbs<int>

Reported by ClusterFuzz (Project Member), Jul 13 2016

Issue description

Comment 1 by ajha@chromium.org, Jul 13 2016

Cc: ajha@chromium.org bsalomon@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: M-54 Te-Logged
Owner: reed@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Findit could not find any suspected CLs.
Suspected Project: chromium

Unable to find the exact suspect using the Code search.

Assigning to Skia owner reed@ (chromium//src/third_party/skia/OWNERS) for help in investigating this further.

Comment 2 by reed@google.com, Jul 13 2016

Cc: reed@google.com
Owner: caryclark@google.com
Status: Started (was: Assigned)
Isolated test case:

// Skia path-ops regression test in the fuzz763_* style. Every coordinate is
// given as the exact IEEE-754 bit pattern from the fuzzer input (SkBits2Float
// reinterprets the bits), so the test reproduces the degenerate geometry
// byte-for-byte; the trailing comments show the decoded float values.
static void fuzz763_3(skiatest::Reporter* reporter, const char* filename) {
    SkPath path;
    path.setFillType((SkPath::FillType) 1);  // kEvenOdd_FillType

    SkPath path1(path);                       // path1 is empty, even-odd fill
    path.reset();
    path.setFillType((SkPath::FillType) 0);  // kWinding_FillType
    path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
    path.lineTo(SkBits2Float(0x555b292d), SkBits2Float(0x2a212a8c));  // 1.50606e+13f, 1.43144e-13f
    path.conicTo(SkBits2Float(0xc0032108), SkBits2Float(0x7a6a4b7b), SkBits2Float(0x212a8ced), SkBits2Float(0x0321081f), SkBits2Float(0x6a3a7bc0));  // -2.04889f, 3.04132e+35f, 5.77848e-19f, 4.7323e-37f, 5.63611e+25f
    path.conicTo(SkBits2Float(0x3a2147ed), SkBits2Float(0xdf28282a), SkBits2Float(0x3a8a3a21), SkBits2Float(0x8a284f9a), SkBits2Float(0x3ac23ab3));  // 0.000615238f, -1.2117e+19f, 0.00105459f, -8.10388e-33f, 0.00148185f
    path.cubicTo(SkBits2Float(0x1d2a2928), SkBits2Float(0x63962be6), SkBits2Float(0x272a812a), SkBits2Float(0x295b2d29), SkBits2Float(0x2a685568), SkBits2Float(0x68295b2d));  // 2.25206e-21f, 5.54035e+21f, 2.36623e-15f, 4.86669e-14f, 2.06354e-13f, 3.19905e+24f
    path.conicTo(SkBits2Float(0x2a8c555b), SkBits2Float(0x081f2a21), SkBits2Float(0x7bc00321), SkBits2Float(0x7a6a4b77), SkBits2Float(0x3a214726));  // 2.49282e-13f, 4.78968e-34f, 1.99397e+36f, 3.04132e+35f, 0.000615226f
    path.moveTo(SkBits2Float(0x8adf2028), SkBits2Float(0x3a219a3a));  // -2.14862e-32f, 0.000616464f
    path.quadTo(SkBits2Float(0x3ab38e28), SkBits2Float(0x29283ac2), SkBits2Float(0x2be61d2a), SkBits2Float(0x812a4396));  // 0.0013699f, 3.73545e-14f, 1.63506e-12f, -3.12726e-38f

    SkPath path2(path);
    // (SkPathOp) 1 is kIntersect_SkPathOp: intersect the empty path1 with path2.
    testPathOp(reporter, path1, path2, (SkPathOp) 1, filename);
}

Fixed? I can't locally repro with ToT
Comment 5 by ClusterFuzz (Project Member), Jul 19 2016

ClusterFuzz has detected this issue as fixed in range 406065:406218.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5903539155238912

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkTAbs<int>
  UseInnerWinding
  SkOpSegment::markAngle
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=406065:406218

Minimized Testcase (0.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95N1GCC0AXU9vZE9ttbeXbd10wDSMj9nk2J9FmYvHszq3ClmDvXIgIf3L44HcxwKWa0AOnTIp1uP80Ju2JRmEv2sYATdxCR0fM-2b6dt-Javh9JCCV5-zPt9MKKWLbIZVgg0Vtan_HKZsU5kePlnCWdWhjmfg?testcase_id=5903539155238912

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Components: -Tools>Test>FindIt>NoResult
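The crash state above (SkTAbs<int>, reached from UseInnerWinding inside SkOpSegment::markAngle, under the libfuzzer_chrome_ubsan job) is the textbook signed-negation overflow: an absolute-value helper written as "if (value < 0) value = -value" is undefined behaviour for the single input INT_MIN, because -INT_MIN is not representable in int, and that is exactly what -fsanitize=undefined reports as "Integer-overflow". The C++ below is an added illustration, not Skia's or Chromium's code: naiveAbs is an assumed re-implementation with the shape the name SkTAbs suggests (Skia's actual definition is not on this page), and absToUnsigned, checkedAbs, saturatingAbs and naiveAbsWouldOverflow are the editor's own hardened variants, named here for illustration only.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// ASSUMED re-implementation, for illustration only: the shape that the name
// SkTAbs<int> suggests. Not Skia's code. For value == INT_MIN the expression
// -value overflows, which is undefined behaviour in C++; a build with
// -fsanitize=undefined reports it at runtime as an integer overflow.
template <typename T>
static inline T naiveAbs(T value) {
    if (value < 0) value = -value;
    return value;
}

// Predicate for the one input class that makes naiveAbs<int> overflow.
// Lets callers (and tests) reason about the hazard without triggering it.
static inline bool naiveAbsWouldOverflow(int v) {
    return v == INT_MIN;
}

// Hardened variant 1: do the arithmetic in unsigned, where wrap-around is
// defined. |INT_MIN| == (unsigned)INT_MAX + 1 fits in unsigned int, so every
// int input has a representable result.
static inline unsigned int absToUnsigned(int value) {
    unsigned int u = static_cast<unsigned int>(value);
    return value < 0 ? 0u - u : u;
}

// Hardened variant 2: keep the int result type but refuse the single value
// whose magnitude cannot be represented, instead of silently overflowing.
static inline bool checkedAbs(int value, int* out) {
    if (value == INT_MIN) return false;
    *out = value < 0 ? -value : value;
    return true;
}

// Hardened variant 3: saturate. Appropriate only where the caller treats the
// magnitude as a score or ordering key, not as an exact quantity.
static inline int saturatingAbs(int value) {
    if (value == INT_MIN) return INT_MAX;
    return value < 0 ? -value : value;
}

int main(int argc, char** argv) {
    int out = 0;
    std::printf("absToUnsigned(INT_MIN) = %u\n", absToUnsigned(INT_MIN));
    std::printf("checkedAbs(INT_MIN)    = %s\n",
                checkedAbs(INT_MIN, &out) ? "ok" : "rejected");
    std::printf("saturatingAbs(INT_MIN) = %d\n", saturatingAbs(INT_MIN));

    // Pass any argument (e.g. "./a.out ub") to exercise the overflowing path.
    // Built with -fsanitize=undefined -fno-sanitize-recover=all this line is
    // where the sanitizer aborts with a runtime error.
    if (argc > 1) {
        std::printf("naiveAbs(INT_MIN)      = %d\n", naiveAbs(INT_MIN));
    }
    return 0;
}
```

Build and run with `clang++ -std=c++11 -fsanitize=undefined -fno-sanitize-recover=all abs_demo.cpp -o abs_demo && ./abs_demo ub` to see the sanitizer fire on the naive helper only; without the extra argument the hardened variants run cleanly. The same instrumentation is what the libfuzzer_chrome_ubsan job applies to the whole of Skia, which is why a geometry-only fuzzer input ended up flagged as an arithmetic bug in a generic template.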
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
