Issue 629063 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Use other robhogan account instead.
Closed: Dec 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in blink::TableLayoutAlgorithmAuto::shrinkColumnWidth

Project Member Reported by ClusterFuzz, Jul 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5131491806019584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::shrinkColumnWidth
  blink::TableLayoutAlgorithmAuto::layout
  blink::LayoutTable::layout
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95js-iExYX1CnSFHKC2T86ymXqQr7yh-OhoWF627gFvc50bR3ArmkWO-lqvs4SSipDbMseABsT_O4SGEF_VhE_X04lmjTsuFbAJsHcCeGNFWAM6vLYP1M95WXdAL5ZaAT4mk2ib2a_ZnB89U1L-B8qhB6Hw9A?testcase_id=5131491806019584
<table>
        <colgroup id=tCF44>                <td id=tCF57</style><style>
.c22 { padding-left: 255px garbage; width: 4294967149vw;</style><script>
tCF44.setAttribute("class", "c22");
</script>


Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Pri-1 findit-for-crash Te-Logged Pri-2
Owner: msten...@opera.com
Status: Assigned (was: Available)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fe283ea1ad33abe251cbb4a921f7f836085bab82
Time: Fri Mar 11 14:19:18 2016
The CL last changed line 704 of file LayoutBlockFlow.cpp, which is stack frame 4.


Suspected Project: chromium
Suspected Component: Blink>Layout
=================================
mstensho@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!
Project Member

Comment 2 by ClusterFuzz, Aug 5 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4930644402765824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::layout
  blink::LayoutTable::layout
  blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9474VZyTW6VIzjUtYiWMSqMnThRGq_rIEgCi4pzwYwH9xSOJ3ygZIGsfdkVFtTOiwMG7SBp5IZjH4KrSBfmvO0CD-XNF2R4HnNCu8ZkWVIJyLuCs1ImrEHUgLujVD0zMlWqCjjtFZZ3Eh26bHU-2NQmdUE2Tg?testcase_id=4930644402765824
<table>
 <colgroup><td><style>
@keyframes cfpulse1 { 0% { opacity: 0.9272;  } 
 100% { opacity: 0.479;  } }
* { animation-name: cfpulse62; width: calc(32679 * 101%);


Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by msten...@opera.com, Aug 9 2016

Cc: msten...@opera.com
Owner: robho...@gmail.com
Maybe use LayoutUnit or some floating point type instead, to avoid overflow?
@mstensho - no point in just fixing this specific instance though - we should swap out the use of int completely from TableLayoutAlgorithmAuto.cpp?

Comment 5 by msten...@opera.com, Aug 15 2016

That would be great too, but I think this one is special:

            int reduce = available * minMaxDiff / logicalWidthBeyondMin;

It multiplies two potentially large ints, which seems rather unusual.
Looking into it further, LayoutUnit isn't a great fit for positioning cells unless we want to introduce subpixel width and positioning. That will be fun.

So yeah, I think I'll just squash these overflows as they come up after all. :)


Components: Blink>Layout
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by robho...@gmail.com, Dec 14 2016

Owner: robhogan@chromium.org

Comment 10 by ta...@google.com, Jul 30 2017

Cc: dtapu...@chromium.org robhogan@chromium.org
Issue 676592 has been merged into this issue.
Project Member

Comment 11 by ClusterFuzz, Jul 30 2017

Detailed report: https://clusterfuzz.com/testcase?key=6613798105645056

Job Type: linux_ubsan_chrome
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6613798105645056


See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 12 by ClusterFuzz, Oct 1 2017

Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Project Member

Comment 14 by ClusterFuzz, Apr 18 2018

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=5131491806019584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::shrinkColumnWidth
  blink::TableLayoutAlgorithmAuto::layout
  blink::LayoutTable::layout
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5131491806019584

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by ClusterFuzz, Apr 18 2018

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=4930644402765824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
  blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4930644402765824

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: ifratric@google.com
Issue 836643 has been merged into this issue.
Status: Fixed (was: Assigned)
Project Member

Comment 18 by ClusterFuzz, Dec 24

Labels: Needs-Feedback
ClusterFuzz testcase 6215738638204928 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
