New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634137 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 634491
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in cc::PictureLayerImpl::UpdateViewportRectForTilePriorityInContentSpace

Project Member Reported by ClusterFuzz, Aug 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4729208758861824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerImpl::UpdateViewportRectForTilePriorityInContentSpace
  cc::PictureLayerImpl::UpdateTiles
  cc::LayerTreeImpl::UpdateDrawProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DDKdUwhupmGkQQz3F2RO43yOWOOro7CAAaQ2niG4MhNYXGpQ1gMgjotr7jXQfhAgu_QrQMrdPqkGwI3SrEHSkXenir0Kpa2s7jjoMqq33KzjU2BCIYd6ziQ7MdxMc5wC6PkQus8MVpYsp24UV_tuX9fLZ8g?testcase_id=4729208758861824

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>WrongResult Internals>Compositing
Labels: Te-Logged M-53
Owner: boliu@chromium.org
Status: Assigned (was: Untriaged)
From findit tool:

	No CL in the regression range changes the crashed files. The result is the blame information.

Author: vmpstr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/65d8098f4449c3a556b8ca588a2ab0ec6c702eff
Time: Mon Jun 15 23:20:13 2015
The CL last changed line 516 of file picture_layer_impl.cc, which is stack frame 0.

Author: hush
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/9178c77a0167ee7c73364b21a6f3a633029b7a44
Time: Thu Jan 22 01:57:39 2015
The CL last changed line 455 of file picture_layer_impl.cc, which is stack frame 1.

Author: boliu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/99b904adcfc2d25f5a06bcf1e122387ef2c21d7d
Time: Tue Jan 26 22:18:01 2016
The CL last changed line 1081 of file layer_tree_impl.cc, which is stack frame 2.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/68803fc894381e4820eb48725cfdefe6f788b521
Time: Fri Jun 19 20:55:53 2015
The CL last changed line 366 of file layer_tree_host_impl.cc, which is stack frame 3.

Author: khushalsagar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0a226af5cb4c5ca5b3bac3e3d857601cc356dc33
Time: Wed Dec 09 10:30:20 2015
The CL last changed line 561 of file proxy_impl.cc, which is stack frame 4.

Author: enne@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a8335ac0b154ec9e6509bbed2ca6991352bac91a
Time: Sat Mar 16 09:15:12 2013
The CL last changed line 676 of file scheduler.cc, which is stack frame 5.

Author: enne@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a8335ac0b154ec9e6509bbed2ca6991352bac91a
Time: Sat Mar 16 09:15:12 2013
The CL last changed line 177 of file scheduler.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Internals>Compositing

Comment 2 by boliu@chromium.org, Aug 4 2016

Mergedinto: 634491
Status: Duplicate (was: Assigned)
Project Member

Comment 3 by ClusterFuzz, Aug 17 2016

ClusterFuzz has detected this issue as fixed in range 411957:412168.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4729208758861824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerImpl::UpdateViewportRectForTilePriorityInContentSpace
  cc::PictureLayerImpl::UpdateTiles
  cc::LayerTreeImpl::UpdateDrawProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411957:412168

Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DDKdUwhupmGkQQz3F2RO43yOWOOro7CAAaQ2niG4MhNYXGpQ1gMgjotr7jXQfhAgu_QrQMrdPqkGwI3SrEHSkXenir0Kpa2s7jjoMqq33KzjU2BCIYd6ziQ7MdxMc5wC6PkQus8MVpYsp24UV_tuX9fLZ8g?testcase_id=4729208758861824

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment