
Issue 631413


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




Integer-overflow in blink::LayoutTableSection::distributeRemainingExtraLogicalHeight

Project Member Reported by ClusterFuzz, Jul 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5227755017076736

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutTableSection::distributeRemainingExtraLogicalHeight
  blink::LayoutTableSection::distributeExtraLogicalHeightToRows
  blink::LayoutTable::distributeExtraLogicalHeight
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95940khAcZ1r_xaeCwKnMtNC1hb51R_-w47l61zZAOyupnCMIdOgkJvurD5rL6MXvoK6tIvFfLhMjhR63G-B6mO_7E7cJrFQ_b4os7uGQb59sLXsEtY31vDFjNvxWuDU7Kuf1HTN1Lj3upI1xOfIMxzFSO9Uw?testcase_id=5227755017076736
<table><tr><style>
* { animation-name: cfpulse93; height: calc(65422% - 96px);


Additional requirements: Requires HTTP

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: -Type-Bug findit-wrong Te-Logged M-52 Type-Bug-Regression
Owner: dgro...@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purposes:

Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: jchaffraix@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7857621ec878b0213ef0598dbec4ee35e34d3c92
Time: Tue Mar 20 21:02:34 2012
The CL last changed line 913 of file LayoutTableSection.cpp, which is stack frame 0.

Author: jchaffraix@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7857621ec878b0213ef0598dbec4ee35e34d3c92
Time: Tue Mar 20 21:02:34 2012
The CL last changed line 945 of file LayoutTableSection.cpp, which is stack frame 1.

Author: jchaffraix@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7857621ec878b0213ef0598dbec4ee35e34d3c92
Time: Tue Mar 20 21:02:34 2012
The CL last changed line 390 of file LayoutTable.cpp, which is stack frame 2.

Author: leviw@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4e561fb8a914c3a7fd75ae5e1bcc446418b69b92
Time: Thu Mar 20 19:16:36 2014
The CL last changed line 537 of file LayoutTable.cpp, which is stack frame 3.

Author: mstensho@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/bbdbf9ffa99ba94466aa14a698a7b0ccbf05eaff
Time: Mon Sep 07 09:07:52 2015
The CL last changed line 654 of file LayoutBlockFlow.cpp, which is stack frame 4.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fe283ea1ad33abe251cbb4a921f7f836085bab82
Time: Fri Mar 11 14:19:18 2016
The CL last changed line 704 of file LayoutBlockFlow.cpp, which is stack frame 5.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fe283ea1ad33abe251cbb4a921f7f836085bab82
Time: Fri Mar 11 14:19:18 2016
The CL last changed line 1189 of file LayoutBlockFlow.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Layout
-------------------------------

Using codesearch, I see some recent changes to 'LayoutTableSection.cpp' in
https://chromium.googlesource.com/chromium/src/+/40bb88335c64b80aea9326ef3cf6220dcd90c1bc

dgrogan@, could you please check the above issue and help us find an owner if it's not yours.
Cc: a.suchit@chromium.org jchaffraix@chromium.org
Issue 632631 has been merged into this issue.
Components: -Tools>Test>FindIt>WrongResult Blink>Layout>Table
Status: Fixed (was: Assigned)
Comment 5 by bugdroid1@chromium.org (Project Member), Sep 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9258f7b0502c95dd9cf3cf4756416fc180b42278

commit 9258f7b0502c95dd9cf3cf4756416fc180b42278
Author: dgrogan <dgrogan@chromium.org>
Date: Tue Sep 06 20:42:55 2016

Add Length::isPercent and use it in tables

We could previously crash when a td had a calc height with a percent.

Rename Length::hasPercent -> Length::isPercentOrCalc, which affects many
files.

Our code was confused: it called Length::percent after checking
Length::hasPercent, but Length::hasPercent returns true for calc lengths
which don't have a legitimate percent. This failed a DCHECK in debug but
can cause crashes in release.

The only logic change is in LayoutTableSection.cpp.

BUG= 631413 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2286543002
Cr-Commit-Position: refs/heads/master@{#416715}

[add] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/LayoutTests/fast/table/integer-overflow-crash-expected.txt
[add] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/LayoutTests/fast/table/integer-overflow-crash.html
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/animation/CSSFontSizeInterpolationType.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/animation/CSSLengthInterpolationType.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/animation/LengthPropertyFunctions.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/css/ComputedStyleCSSValueMapping.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/css/resolver/StyleAdjuster.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutBlock.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutBox.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutDeprecatedFlexibleBox.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutFileUploadControl.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutFlexibleBox.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutImage.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutInline.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutListBox.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutMenuList.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutReplaced.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutSlider.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutTextControl.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutTextControlSingleLine.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/LayoutView.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/TableLayoutAlgorithmAuto.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/TableLayoutAlgorithmFixed.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/TextAutosizer.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/line/RootInlineBox.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/layout/ng/ng_length_utils.cc
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/paint/BackgroundImageGeometry.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/style/ComputedStyle.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/style/GridLength.h
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/core/svg/SVGLengthContext.cpp
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/platform/Length.h
[modify] https://crrev.com/9258f7b0502c95dd9cf3cf4756416fc180b42278/third_party/WebKit/Source/platform/transforms/TranslateTransformOperation.h
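The predicate mismatch the commit message describes, as an added C++ illustration that is not Blink's code and not part of this bug's fix: a minimal Length model with the old isPercentOrCalc() predicate beside the narrower isPercent() one, a percent() accessor that rejects non-percent lengths the way the DCHECK did, and a row-height distribution written with the wrong guard and with the corrected one. The calc() modelling, the function names and the saturating scaledExtra helper are assumptions for this example; the real fix in LayoutTableSection.cpp only changed the guard.

```cpp
// Added illustration, not Blink's code: a minimal model of the
// hasPercent / isPercent confusion described in the fix commit.
// Names, the calc() model and the saturating helper are assumptions.
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <vector>

enum class LengthType { Fixed, Percent, Calculated };

struct Length {
    LengthType type;
    double value;  // px for Fixed, a percentage for Percent, unused for Calculated

    static Length fixed(double px) { return {LengthType::Fixed, px}; }
    static Length percentage(double p) { return {LengthType::Percent, p}; }
    // A calc() length keeps its expression elsewhere; here only the kind is recorded.
    static Length calc() { return {LengthType::Calculated, 0.0}; }

    bool isPercent() const { return type == LengthType::Percent; }
    bool isCalculated() const { return type == LengthType::Calculated; }
    // The old hasPercent(): also true for calc(), which is what misled the table code.
    bool isPercentOrCalc() const { return isPercent() || isCalculated(); }

    // Models the DCHECK in the real percent(): only a pure percent Length has one.
    double percent() const {
        if (!isPercent())
            throw std::logic_error("percent() called on a non-percent Length");
        return value;
    }
};

// extra * pct / 100 evaluated in double and clamped to int, so a huge
// percentage such as 65422% cannot wrap a 32-bit intermediate.
int scaledExtra(int extra, double pct) {
    double v = static_cast<double>(extra) * pct / 100.0;
    if (v > std::numeric_limits<int>::max()) return std::numeric_limits<int>::max();
    if (v < std::numeric_limits<int>::min()) return std::numeric_limits<int>::min();
    return static_cast<int>(v);
}

// Before the fix: percent() is guarded by a predicate that is also true for calc().
std::vector<int> distributeBeforeFix(const std::vector<Length>& rowHeights, int extra) {
    std::vector<int> added(rowHeights.size(), 0);
    for (size_t i = 0; i < rowHeights.size(); ++i) {
        if (rowHeights[i].isPercentOrCalc())  // wrong guard
            added[i] = scaledExtra(extra, rowHeights[i].percent());  // trips the check for calc rows
    }
    return added;
}

// After the fix: only genuine percent rows take a share; calc rows are left alone.
std::vector<int> distributeAfterFix(const std::vector<Length>& rowHeights, int extra) {
    std::vector<int> added(rowHeights.size(), 0);
    for (size_t i = 0; i < rowHeights.size(); ++i) {
        if (rowHeights[i].isPercent())
            added[i] = scaledExtra(extra, rowHeights[i].percent());
    }
    return added;
}

// True when the pre-fix routine hits the percent() check, i.e. when any row
// carries a calc() height (the situation the minimized testcase produces).
bool beforeFixHitsCheck(const std::vector<Length>& rowHeights, int extra) {
    try {
        distributeBeforeFix(rowHeights, extra);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main() {
    std::vector<Length> rows = {Length::percentage(50), Length::fixed(20), Length::calc()};
    std::printf("pre-fix guard trips on a calc row: %s\n",
                beforeFixHitsCheck(rows, 100) ? "yes" : "no");
    std::vector<int> added = distributeAfterFix(rows, 100);
    for (size_t i = 0; i < added.size(); ++i)
        std::printf("row %zu gets %d\n", i, added[i]);
    std::printf("saturated share for 65422%%: %d\n", scaledExtra(100000000, 65422.0));
    return 0;
}
```

The point to take from the two distribute functions is that a "has" predicate covering more than one representation is not a safe guard for an accessor that is valid for only one of them; the debug-only check in percent() catches the misuse in a debug build, while a release build silently reads a value that was never a percentage.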

Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
