New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634134 link

Starred by 1 user
Status: Verified
Owner:
jbroman@chromium.org
Closed: Aug 2016
Cc:
danakj@chromium.org
reed@chromium.org
mummare...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in SkIRect::height

Project Member Reported by ClusterFuzz, Aug 3 2016

Comment 1 by mummare...@chromium.org, Aug 3 2016

Components: Tools>Test>FindIt>WrongResult Internals>Compositing
Labels: Te-Logged M-53
Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: reed@android.com
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/8a1c16ff38322f0210116fa7293eb8817c7e477e
Time: Wed Dec 17 15:59:43 2008
The CL last changed line 78 of file SkRect.h, which is stack frame 0.

Author: tfarina@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6c50bfb93535623550aeab906f2119610c28cb29
Time: Mon Nov 12 21:44:44 2012
The CL last changed line 50 of file skia_util.cc, which is stack frame 1.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ca9b612516efc2af1143c09a4d67f5b99e566c79
Time: Wed Jun 29 23:04:30 2016
The CL last changed line 364 of file filter_operation.cc, which is stack frame 2.

Author: senorblanco
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/60471d41ca8bf96b3a487c086ceefe2aca7d126a
Time: Fri May 13 22:04:20 2016
The CL last changed line 70 of file filter_operations.cc, which is stack frame 3.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/29dab8e7a907cd5db664581f0543d169f2650329
Time: Tue Apr 12 20:47:22 2016
The CL last changed line 72 of file filter_operations.cc, which is stack frame 5.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8eb5fb7cc39a640ed6b732262c41e3110c9093d2
Time: Wed Jun 01 18:44:16 2016
The CL last changed line 142 of file damage_tracker.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Internals>Compositing

Comment 2 by jbroman@chromium.org, Aug 3 2016

Cc: danakj@chromium.org reed@chromium.org
So there is a very large SkIRect, such that fBottom - fTop overflows (it's larger than std::numeric_limits<int>::max()). It's not obvious to me who should be handling this, if anyone.

Should SkIRect::height be doing something if the result is not representable, or is it gfx's responsibility to not call SkIRect::height in that case, or should someone else (i.e. cc's filter code) be checking for this this?

cc danakj for ui/gfx/, reed for skia; thoughts?
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 23 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a1704b2b984c977e47116e978db7465beaa8a65d

commit a1704b2b984c977e47116e978db7465beaa8a65d
Author: jbroman <jbroman@chromium.org>
Date: Tue Aug 23 17:22:00 2016

Use CheckedNumeric when converting SkIRect to gfx::Rect.

BUG= 634134 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review-Url: https://codereview.chromium.org/2231243002
Cr-Commit-Position: refs/heads/master@{#413769}

[modify] https://crrev.com/a1704b2b984c977e47116e978db7465beaa8a65d/cc/output/filter_operations_unittest.cc
[modify] https://crrev.com/a1704b2b984c977e47116e978db7465beaa8a65d/ui/gfx/skia_util.cc
[modify] https://crrev.com/a1704b2b984c977e47116e978db7465beaa8a65d/ui/gfx/skrect_conversion_unittest.cc
Project Member

Comment 5 by ClusterFuzz, Aug 24 2016 

ClusterFuzz has detected this issue as fixed in range 413737:413785.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5459706661568512

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::height
  gfx::SkIRectToRect
  cc::MapRectInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413737:413785

Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97LeUrZj9bpIqdVQeIMfq8XbxSYqzZE0YeC0t7NObilz7NrF2pHhGQQ8KRIZF1sM3B5EwX3wmgtZzJr_coQ2pSpchHI0VwPP3i6PNN8Y18i1jlFPhAbWdv83Z2vy_drze22pxDlt2aoa6V7o0GQPXO21eCcsg?testcase_id=5459706661568512

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Aug 24 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment