Integer-overflow in SkIRect::makeOutset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5866580187807744
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::makeOutset
  SkMorphologyImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (6.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96n-gE3S8L3yPDdJL4XgUuBQceb1NM-m9cF1WJoPZZz1W6yWa3eQ75Imh2F-51CHKyNrUVrUAQ4fEb4uMHR367LUuiqrgLupyGQ05AENbJfqi5kkquKe3feUNrYTtSyXz_9IfAfDJjN9PXK6AumhNmdT20zrw?testcase_id=5866580187807744
Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5575618467201024
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::inset
  SkDropShadowImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.54 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv959O1eQx1PtM1IXLzEtbJP9IoDgz-FZFzGs1wMQGCA2j6CKGd99zZN6EWvwuOpPHHgt2p6u04t7oudvMM0IGhEMks3go-AjRdcDPdpQwWW1l0o2JCdgExjfdmt2d3dxt_PAw3n5UuKazEz1Bd0q0TPTaKEKhw?testcase_id=5575618467201024

    <canvas id=canvas-for-image height=200</canvas>
    <canvas id=source-canvas height=100</canvas>
    <script>
    var source_canvas = document.getElementById('source-canvas');
    var canvas_image = document.getElementById("canvas-for-image");
    var ctx_image = canvas_image.getContext("2d");
    setupContext(ctx_image);
    ctx_image.drawImage(source_canvas, 65535, 65442, 100, 100);
    function setupContext(ctx) {
      ctx.globalCompositeOperation = 'source-in';
      ctx.shadowColor = 'blue';
      ctx.shadowBlur = 10;
      // Shadow offset larger than INT32_MAX; the drop-shadow filter's
      // bounds computation insets an SkIRect by this amount.
      ctx.shadowOffsetX = 2265370976;
    }
    </script>

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 11 2016
Oct 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4746042174341120
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::inset
  outset
  SkDropShadowImageFilter::onFilterNodeBounds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.60 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97J9SGziPzdWMru9m6peFHFpgAtkut-u0P4pbDlg8wimLpkwTD4eALDSIhgCpUB3M5t1Rp6eeFL2d9uCnu0Rd7OJoI_mHMrykMzXtnDaObIYKLJHl4scNM_WwAYfeKA8acDQUEAi5tDUQ8QD8n1JDlf6ssgJQ?testcase_id=4746042174341120

    <canvas id=canvas-for-color><canvas id=canvas-for-image>
    <canvas id=source-canvas height=100</canvas>
    <script>
    var source_canvas = document.getElementById('source-canvas');
    var canvas_image = document.getElementById("canvas-for-image");
    var ctx_image = canvas_image.getContext("2d");
    setupContext(ctx_image);
    // Destination rectangle coordinates far outside the 32-bit range used by SkIRect.
    ctx_image.drawImage(source_canvas, 100, -18446744073709551398, 4294967295, -18446744073709551448);
    function setupContext(ctx) {
      ctx.globalCompositeOperation = 'source-in';
      ctx.shadowColor = 'blue';
      ctx.shadowBlur = 10;
      // Shadow offset far outside the 32-bit range; the drop-shadow filter's
      // bounds computation insets/outsets an SkIRect by this amount.
      ctx.shadowOffsetY = 18446744073709551440;
    }
    </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 14 2016
ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4746042174341120
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::inset
  outset
  SkDropShadowImageFilter::onFilterNodeBounds
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Minimized Testcase (0.60 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97J9SGziPzdWMru9m6peFHFpgAtkut-u0P4pbDlg8wimLpkwTD4eALDSIhgCpUB3M5t1Rp6eeFL2d9uCnu0Rd7OJoI_mHMrykMzXtnDaObIYKLJHl4scNM_WwAYfeKA8acDQUEAi5tDUQ8QD8n1JDlf6ssgJQ?testcase_id=4746042174341120

    <canvas id=canvas-for-color><canvas id=canvas-for-image>
    <canvas id=source-canvas height=100</canvas>
    <script>
    var source_canvas = document.getElementById('source-canvas');
    var canvas_image = document.getElementById("canvas-for-image");
    var ctx_image = canvas_image.getContext("2d");
    setupContext(ctx_image);
    ctx_image.drawImage(source_canvas, 100, -18446744073709551398, 4294967295, -18446744073709551448);
    function setupContext(ctx) {
      ctx.globalCompositeOperation = 'source-in';
      ctx.shadowColor = 'blue';
      ctx.shadowBlur = 10;
      ctx.shadowOffsetY = 18446744073709551440;
    }
    </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jan 31 2018
ClusterFuzz has detected this issue as fixed in range 533136:533139.

Detailed report: https://clusterfuzz.com/testcase?key=5866580187807744
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkIRect::makeOutset
  SkMorphologyImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=533136:533139
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5866580187807744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 31 2018
ClusterFuzz testcase 5866580187807744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ranjitkan@chromium.org, Aug 4 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: M-54 Findit-for-crash Te-Logged
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)