Integer-overflow in SkIRect::width
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4741976021008384
Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::width
  SkCanvas::resetForNextPicture
  SkRecorder::reset
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (1.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94P7Q2nT0awW8NUO4eLUvBOxD0QDUU3Nh5UN0FWvCr2uAMlqvX2I7L0y1_vr26gn-N8xd434Ptls7i9muVG6b0lkVa5xGV2VwIQ9rrXCqXT-Iyb7phKMSDs9inIfenO-opNJS9WqN-oNcf2rXXKPtQ6T3OeHw?testcase_id=4741976021008384
Filer: brajkumar
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
My change doesn't seem related sorry. I don't know anything about Skia so assigning back to brajkumar
Jul 19 2016

Jul 25 2016

Jul 25 2016
Looping in chromium//src/third_party/OWNERS as the suspected CLs shown above are not recent. brettw@, can you please take a look at this issue and assign it accordingly?
Jul 25 2016

Jul 26 2016
Integer overflow in Skia rects is statistically almost never a security problem. Skia team will look at this.
Aug 3 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4607939820388352
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::width
  SkBlurMask::BoxBlur
  SkDraw::DrawToMask
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv975Cb6fkjyQVyiPC_omFtjepOn0imgMHisrpZdp7rpG8y4k1m2gke5vLnetDdc3BsQ3YhrfD1IyTTgFTgY-Fz4TfWFEqZnQ8cxEHTjx2YNhSay9f2AwgAz0KaN8CkbMOgFKNrKhws8L9jJA59OihrPwTelEKQ?testcase_id=4607939820388352
Minimized testcase contents:
  zoo: moo;
  <style> .c21 { list-style-type: upper-alpha; box-shadow: 143px 61px 3px 1560659125px blue;</style>
  <script> var docElement = document.body ? document.body : document.documentElement; tCF57 = document.createElementNS("http://www.w3.org/1999/xhtml", "space"); tCF57.setAttribute("class", "c21"); docElement.appendChild(tCF57); </script>
Additional requirements: Requires HTTP
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5937524793147392
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkBlurMask::BoxBlur
  SkDraw::DrawToMask
  SkMaskFilter::filterPath
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vOPx9q3cU0GIKtd9TG8i4-uBxOaTbozF7M-dFNzXFH8wBu9MkJDmJEEQcpfm2-VBGJagTm69R3HtWdvtgKl7rDbYDxQNp3J6eeqmVal_XN8rOyDrKIpW1hlzWx5bzDk8BVO9t7lxW3PoSfugzi-LUdcLb_Q?testcase_id=5937524793147392
Issue manually filed by: ranjitkan
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
ClusterFuzz testcase 4607939820388352 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Jul 18 2016
Owner: ortuno@chromium.org
Status: Assigned (was: Available)