New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 630244 link

Starred by 1 user
Status: WontFix
Owner:
reed@google.com
Closed: Jul 2016
Cc:
caryclark@google.com
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in walk_convex_edges

Project Member Reported by ClusterFuzz, Jul 21 2016

Comment 1 by brajkumar@chromium.org, Jul 21 2016

Labels: -Pri-1 Findit-for-crash Te-Logged Pri-2
Owner: senorblanco@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: senorblanco
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/afc7cce5d68663934128d76963cd501f771d71de
Time: Wed Feb 03 02:44:15 2016
The CL last changed line 1743 of file SkCanvas.cpp, which is stack frame 6.

Suspected Project: chromium-skia
Suspected Component: Internals>Skia
====================================
senorblanco@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

Comment 2 by senorblanco@chromium.org, Jul 21 2016

Owner: caryclark@google.com
No filters are present in this repro case. I suspect this is (raster) path rendering related. Cary, could you take a look?

Comment 3 by caryclark@google.com, Jul 21 2016

Cc: reed@google.com

Comment 4 by reed@chromium.org, Jul 21 2016 

The overflow appears in a loop:

do {
   blit(rite);
   rite += dRite;
} while (--count >= 0);

When we hit the overflow, count is always zero, so it is a harmless overflow (in that "rite" is never used again).

Comment 5 by caryclark@google.com, Jul 21 2016

Cc: -reed@google.com caryclark@google.com
Owner: reed@google.com
Status: WontFix (was: Assigned)
Project Member

Comment 6 by ClusterFuzz, Jul 28 2016 

ClusterFuzz has detected this issue as fixed in range 407167:408336.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6711260142108672

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:408336

Minimized Testcase (2.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965gSRekt9EL017k54oCkMhuyHzX3VmS6VNAXqDWYtDJI1Uky25Q3fGgDg2S2PkruZzGMpepOHEZq0CF_a4_Vy42MjvMSpBi4SNZ8zaRP0W1pkjMm-AgSgICw0ddmh7n0VvA-bFL_u7FBfvtk81FBj0tg2OiA?testcase_id=6711260142108672

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment