
Issue 633413

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in position_mark

Reported by ClusterFuzz (Project Member), Aug 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4567209162833920

Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  position_mark
  position_around_base
  position_cluster
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746

Minimized Testcase (10.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rI7PWThfDmijLzi2MVOlV1auVRqqbv-r81Uq5eiNokLdVQ2YvrakFhbXTVhU_maDvrgas3z-PuLkMXTfhXQEGu6aaNQ9u1k4oTKRHVgc9sZZQy76D5q0Pt_y3Es-1MCwgBaHIRXMw4292oKfUuW6g2MWnMw?testcase_id=4567209162833920

Additional requirements: Requires Gestures

Filer: mummareddy

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
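The report above names a signed integer overflow in the fallback mark-positioning path (position_mark, called from position_around_base and position_cluster). As an added illustration of that bug class, and not code from HarfBuzz, Chromium, or any commenter on this issue, the block below reproduces the arithmetic shape UBSan's signed-integer-overflow check flags when font-controlled glyph metrics are added in a 32-bit position unit, and places a widened-and-clamped variant beside it. Assumptions: the position unit is a 32-bit signed integer (like hb_position_t), the formula is a simplified stand-in (mark x_offset = base x_offset + base x_advance - mark x_advance, which is not the real position_mark() logic), the sample metrics are constructed, and the function names are hypothetical. This is one way to harden such arithmetic, not the change HarfBuzz made.

```c
/*
 * Added example, not HarfBuzz or Chromium code.
 * Assumed: 32-bit signed position unit (like hb_position_t) and a simplified
 * mark-positioning formula. Compile with
 *   cc -std=c99 -fsanitize=signed-integer-overflow position_mark_demo.c
 * to see the unchecked form reported the same way ClusterFuzz reported it.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t pos_t;                       /* assumed position unit */

typedef struct {
    pos_t x_offset, y_offset, x_advance, y_advance;
} glyph_pos_t;

/* Unchecked form: with metrics near INT32_MAX / INT32_MIN the intermediate
 * sum overflows, which is undefined behaviour in C and exactly what the
 * UBSan fuzz job reports. Only call this with metrics known to be in range. */
static pos_t position_mark_unchecked(const glyph_pos_t *base, const glyph_pos_t *mark)
{
    return base->x_offset + base->x_advance - mark->x_advance;
}

/* Predicts, without performing the UB, whether the unchecked form would
 * overflow: the same condition the sanitizer instruments at run time.
 * Uses the GCC/Clang __builtin_*_overflow intrinsics. */
static bool unchecked_would_overflow(const glyph_pos_t *base, const glyph_pos_t *mark)
{
    pos_t tmp;
    if (__builtin_add_overflow(base->x_offset, base->x_advance, &tmp))
        return true;
    return __builtin_sub_overflow(tmp, mark->x_advance, &tmp);
}

/* Hardened form: widen to 64 bits (three int32 terms cannot overflow an
 * int64), then clamp back into the 32-bit position range. If clamped is
 * non-NULL it reports whether clamping happened, so a caller can treat the
 * glyph run as malformed instead of silently saturating. */
static pos_t position_mark_checked(const glyph_pos_t *base, const glyph_pos_t *mark, bool *clamped)
{
    int64_t v = (int64_t)base->x_offset + (int64_t)base->x_advance - (int64_t)mark->x_advance;
    bool out_of_range = (v > INT32_MAX || v < INT32_MIN);
    if (clamped)
        *clamped = out_of_range;
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (pos_t)v;
}

int main(void)
{
    /* Constructed metrics: one benign pair, one fuzzer-style extreme pair. */
    glyph_pos_t base_ok   = { 100, 0, 500, 0 }, mark_ok   = { 0, 0, 300, 0 };
    glyph_pos_t base_huge = { INT32_MAX, 0, 1, 0 }, mark_huge = { 0, 0, 0, 0 };
    bool clamped = false;

    printf("benign:  unchecked=%d would_overflow=%d\n",
           (int)position_mark_unchecked(&base_ok, &mark_ok),
           (int)unchecked_would_overflow(&base_ok, &mark_ok));

    pos_t safe = position_mark_checked(&base_huge, &mark_huge, &clamped);
    printf("extreme: would_overflow=%d checked=%d clamped=%d\n",
           (int)unchecked_would_overflow(&base_huge, &mark_huge), (int)safe, (int)clamped);
    return 0;
}
```

The widening approach is portable C; the builtin predicate is only used to demonstrate, without triggering UB, which inputs the sanitizer would catch.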
Cc: js...@chromium.org bashi@chromium.org
Components: Blink>Fonts
Labels: Te-Logged M-53
Status: Available (was: Untriaged)
From findit tool:

No CL in the regression range changes the crashed files. The result is the blame information.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 235 of file hb-ot-shape-fallback.cc, which is stack frame 0.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 370 of file hb-ot-shape-fallback.cc, which is stack frame 1.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 409 of file hb-ot-shape-fallback.cc, which is stack frame 2.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 427 of file hb-ot-shape-fallback.cc, which is stack frame 3.

Author: jshin@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/307f7bdd33cf295aac89b436982d40d8ba63fc6a
Time: Fri Jan 11 20:33:21 2013
The CL last changed line 724 of file hb-ot-shape.cc, which is stack frame 4.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 768 of file hb-ot-shape.cc, which is stack frame 5.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 792 of file hb-ot-shape.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Fonts

Comment 2 by bashi@chromium.org, Aug 2 2016

Cc: drott@chromium.org
Owner: behdad@chromium.org
Status: Assigned (was: Available)
behdad@, can you triage this?
Should be harmless.  Also tracked here:
https://github.com/behdad/harfbuzz/issues/189

Comment 4 by e...@chromium.org, Aug 2 2016

Labels: -Pri-1 Pri-2
Status: ExternalDependency (was: Assigned)

Comment 5 by sheriffbot@chromium.org (Project Member), Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by ClusterFuzz (Project Member), Oct 11 2016

ClusterFuzz has detected this issue as fixed in range 424217:424275.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4567209162833920

Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  position_mark
  position_around_base
  position_cluster
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=424217:424275

Minimized Testcase (10.18 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rI7PWThfDmijLzi2MVOlV1auVRqqbv-r81Uq5eiNokLdVQ2YvrakFhbXTVhU_maDvrgas3z-PuLkMXTfhXQEGu6aaNQ9u1k4oTKRHVgc9sZZQy76D5q0Pt_y3Es-1MCwgBaHIRXMw4292oKfUuW6g2MWnMw?testcase_id=4567209162833920

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Oct 11 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: ExternalDependency)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by ajha@chromium.org, Oct 18 2016

Labels: ClusterFuzz-Wrong
Status: ExternalDependency (was: Verified)

Comment 9 by ajha@chromium.org, Oct 18 2016

Labels: -ClusterFuzz-Verified

Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: WontFix (was: ExternalDependency)
Bulk-WontFixing these bugs. This was a bug on the ClusterFuzz side, see bug 717534. We will start seeing new testcases auto-filed in a day or two. We can't leave these open as ClusterFuzz won't auto-verify them after the ClusterFuzz-Wrong label.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
