Integer-overflow in blink::canCreateImageBuffer |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4825458961285120 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::canCreateImageBuffer blink::HTMLCanvasElement::isPaintable blink::HTMLCanvasElement::getSourceImageForCanvas Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (0.27 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95IS-R88kE60LmVPp-yyygzpF9PXlu7zZ6ZVNGVPFk2Cgl5J8dGWsNVoGS9MQxsehF6GLJ4Pje0-5tGrGp_QQUdm_M2i4p_6QJvT4HH8Ahdg6nTymQuqOrFvw30a1-3z1HS4JnnfUxN6rolJ0d0MRoNqQx69A?testcase_id=4825458961285120 <script> var canvas = document.createElement("canvas"); var patternCanvas = document.createElement("canvas"); patternCanvas.width = 300000; patternCanvas.height = 300000; var ctx = canvas.getContext("2d"); pattern = ctx.createPattern(patternCanvas, "repeat"); </script> Additional requirements: Requires HTTP Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 21 2016
,
Jul 21 2016
,
Jul 21 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/29622ffb0f2116f242bcddb38aec7a9100dda7ea commit 29622ffb0f2116f242bcddb38aec7a9100dda7ea Author: xidachen <xidachen@chromium.org> Date: Thu Jul 21 18:35:56 2016 Fix integer over flow issue in HTMLCanvasElement::canCreateImageBuffer Right now in this method, it does a size.width() * size.height(), and that could cause integer overflow. This CL fix that by using CheckedNumeric<int>. BUG= 630024 Review-Url: https://codereview.chromium.org/2170693003 Cr-Commit-Position: refs/heads/master@{#406914} [modify] https://crrev.com/29622ffb0f2116f242bcddb38aec7a9100dda7ea/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
,
Jul 22 2016
ClusterFuzz has detected this issue as fixed in range 406906:406944. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4825458961285120 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::canCreateImageBuffer blink::HTMLCanvasElement::isPaintable blink::HTMLCanvasElement::getSourceImageForCanvas Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=406906:406944 Minimized Testcase (0.27 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95IS-R88kE60LmVPp-yyygzpF9PXlu7zZ6ZVNGVPFk2Cgl5J8dGWsNVoGS9MQxsehF6GLJ4Pje0-5tGrGp_QQUdm_M2i4p_6QJvT4HH8Ahdg6nTymQuqOrFvw30a1-3z1HS4JnnfUxN6rolJ0d0MRoNqQx69A?testcase_id=4825458961285120 <script> var canvas = document.createElement("canvas"); var patternCanvas = document.createElement("canvas"); patternCanvas.width = 300000; patternCanvas.height = 300000; var ctx = canvas.getContext("2d"); pattern = ctx.createPattern(patternCanvas, "repeat"); </script> Additional requirements: Requires HTTP See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mummare...@chromium.org
, Jul 20 2016Components: Blink>HTML
Labels: Te-Logged M-52
Owner: sebastienlc@google.com
Status: Assigned (was: Untriaged)