
Issue 634255

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in SkIRect::makeOutset

Reported by ClusterFuzz (Project Member), Aug 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5866580187807744

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::makeOutset
  SkMorphologyImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (6.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96n-gE3S8L3yPDdJL4XgUuBQceb1NM-m9cF1WJoPZZz1W6yWa3eQ75Imh2F-51CHKyNrUVrUAQ4fEb4uMHR367LUuiqrgLupyGQ05AENbJfqi5kkquKe3feUNrYTtSyXz_9IfAfDJjN9PXK6AumhNmdT20zrw?testcase_id=5866580187807744

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: M-54 Findit-for-crash Te-Logged
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)
Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/11fa2247b747eb75e2f158dc7571d458ed6c0115
Time: Fri Mar 13 13:08:28 2015
The CL last changed line 180 of file SkRect.h, which is stack frame 0.

@reed: Request you to please take a look into it. Please help us to reassign if not with respect to your change.
Comment 2 by ClusterFuzz (Project Member), Aug 5 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5575618467201024

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::inset
  SkDropShadowImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.54 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv959O1eQx1PtM1IXLzEtbJP9IoDgz-FZFzGs1wMQGCA2j6CKGd99zZN6EWvwuOpPHHgt2p6u04t7oudvMM0IGhEMks3go-AjRdcDPdpQwWW1l0o2JCdgExjfdmt2d3dxt_PAw3n5UuKazEz1Bd0q0TPTaKEKhw?testcase_id=5575618467201024
<canvas id=canvas-for-image height=200</canvas>
<canvas id=source-canvas height=100</canvas>
<script>
  var source_canvas = document.getElementById('source-canvas');
  var canvas_image = document.getElementById("canvas-for-image");
  var ctx_image = canvas_image.getContext("2d");
  setupContext(ctx_image);
  ctx_image.drawImage(source_canvas, 65535, 65442, 100, 100);
  function setupContext(ctx) {
    ctx.globalCompositeOperation = 'source-in';
    ctx.shadowColor = 'blue';
    ctx.shadowBlur = 10;
    ctx.shadowOffsetX = 2265370976;
  }
</script>


Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
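The crash states above (SkIRect::makeOutset in the issue description, SkIRect::inset in Comment 2) both come down to edge arithmetic on an int32 rectangle being pushed past the int32 range by a very large offset; the canvas shadowOffsetX value in the test case, 2265370976, is already larger than INT32_MAX before any rect math happens. The following C++ illustration is added here for readers and is not Skia's code nor part of this issue: it models a simplified int32 rectangle in the spirit of SkIRect, implements outset and inset with overflow detection (the wrap that UBSan flags becomes an explicit "refused" result), and shows a saturating variant beside a saturating double-to-int32 conversion for the incoming offset. The struct, function names and the sample rectangles are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model of a rectangle with int32 edges, in the spirit of Skia's
// SkIRect. Illustration written for this issue, not Skia's own code.
struct IRect {
    int32_t fLeft, fTop, fRight, fBottom;
};

// Clamp a 64-bit intermediate into the int32 range.
static int32_t clampToInt32(int64_t v) {
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

// Convert a floating-point offset (a canvas shadowOffsetX/Y arrives as a
// double) to int32 with saturation. Casting an out-of-range double straight
// to int32 is itself undefined behaviour, so the range check comes first.
int32_t saturateToInt32(double v) {
    if (!(v == v)) return 0;                 // NaN: treat as no offset
    if (v >= 2147483647.0) return INT32_MAX;
    if (v <= -2147483648.0) return INT32_MIN;
    return (int32_t)v;
}

// Checked outset: left/top move outward by subtracting dx/dy, right/bottom
// by adding them. In plain int32 arithmetic a huge dx/dy wraps, which is the
// signed-integer overflow UBSan reports; here each edge is computed with
// overflow detection and the call refuses (returns false) instead of wrapping.
bool checkedOutset(const IRect& r, int32_t dx, int32_t dy, IRect* out) {
    IRect t;
    if (__builtin_sub_overflow(r.fLeft,   dx, &t.fLeft))   return false;
    if (__builtin_sub_overflow(r.fTop,    dy, &t.fTop))    return false;
    if (__builtin_add_overflow(r.fRight,  dx, &t.fRight))  return false;
    if (__builtin_add_overflow(r.fBottom, dy, &t.fBottom)) return false;
    *out = t;
    return true;
}

// Checked inset is the mirror image: every edge moves inward.
bool checkedInset(const IRect& r, int32_t dx, int32_t dy, IRect* out) {
    IRect t;
    if (__builtin_add_overflow(r.fLeft,   dx, &t.fLeft))   return false;
    if (__builtin_add_overflow(r.fTop,    dy, &t.fTop))    return false;
    if (__builtin_sub_overflow(r.fRight,  dx, &t.fRight))  return false;
    if (__builtin_sub_overflow(r.fBottom, dy, &t.fBottom)) return false;
    *out = t;
    return true;
}

// Saturating alternative: compute in int64 and clamp, so an absurd offset
// yields edges pinned at the int32 limits rather than wrapped values.
IRect saturatingOutset(const IRect& r, int32_t dx, int32_t dy) {
    return { clampToInt32((int64_t)r.fLeft   - dx),
             clampToInt32((int64_t)r.fTop    - dy),
             clampToInt32((int64_t)r.fRight  + dx),
             clampToInt32((int64_t)r.fBottom + dy) };
}

int main() {
    IRect r{0, 0, 100, 100};                 // constructed sample rect
    IRect out;
    printf("small outset accepted: %d\n", checkedOutset(r, 10, 10, &out));
    // Offset constructed from the shadowOffsetX value in the test case above.
    int32_t big = saturateToInt32(2265370976.0);
    printf("huge outset accepted: %d\n", checkedOutset(r, big, 0, &out));
    IRect s = saturatingOutset(r, big, 0);
    printf("saturated edges: left=%d right=%d\n", s.fLeft, s.fRight);
    return 0;
}
```

The checked form is the one a bounds computation such as onFilterNodeBounds would want when it can report failure to its caller; the saturating form is the fallback when an answer must be produced, and it keeps the result inside the representable range rather than silently wrapping to a small or negative size.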
Labels: Pri-2
Comment 4 by ClusterFuzz (Project Member), Oct 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4746042174341120

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::inset
  outset
  SkDropShadowImageFilter::onFilterNodeBounds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.60 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97J9SGziPzdWMru9m6peFHFpgAtkut-u0P4pbDlg8wimLpkwTD4eALDSIhgCpUB3M5t1Rp6eeFL2d9uCnu0Rd7OJoI_mHMrykMzXtnDaObIYKLJHl4scNM_WwAYfeKA8acDQUEAi5tDUQ8QD8n1JDlf6ssgJQ?testcase_id=4746042174341120
<canvas id=canvas-for-color><canvas id=canvas-for-image>
<canvas id=source-canvas height=100</canvas>
<script>
  var source_canvas = document.getElementById('source-canvas');
  var canvas_image = document.getElementById("canvas-for-image");
  var ctx_image = canvas_image.getContext("2d");
  setupContext(ctx_image);
  ctx_image.drawImage(source_canvas, 100, -18446744073709551398, 4294967295, -18446744073709551448);
  function setupContext(ctx) {
    ctx.globalCompositeOperation = 'source-in';
    ctx.shadowColor = 'blue';
    ctx.shadowBlur = 10;
    ctx.shadowOffsetY = 18446744073709551440;
  }
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by ClusterFuzz (Project Member), Dec 14 2016

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4746042174341120

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::inset
  outset
  SkDropShadowImageFilter::onFilterNodeBounds
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.60 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97J9SGziPzdWMru9m6peFHFpgAtkut-u0P4pbDlg8wimLpkwTD4eALDSIhgCpUB3M5t1Rp6eeFL2d9uCnu0Rd7OJoI_mHMrykMzXtnDaObIYKLJHl4scNM_WwAYfeKA8acDQUEAi5tDUQ8QD8n1JDlf6ssgJQ?testcase_id=4746042174341120
<canvas id=canvas-for-color><canvas id=canvas-for-image>
<canvas id=source-canvas height=100</canvas>
<script>
  var source_canvas = document.getElementById('source-canvas');
  var canvas_image = document.getElementById("canvas-for-image");
  var ctx_image = canvas_image.getContext("2d");
  setupContext(ctx_image);
  ctx_image.drawImage(source_canvas, 100, -18446744073709551398, 4294967295, -18446744073709551448);
  function setupContext(ctx) {
    ctx.globalCompositeOperation = 'source-in';
    ctx.shadowColor = 'blue';
    ctx.shadowBlur = 10;
    ctx.shadowOffsetY = 18446744073709551440;
  }
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Jan 19 2018

Components: Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 8 by ClusterFuzz (Project Member), Jan 31 2018

ClusterFuzz has detected this issue as fixed in range 533136:533139.

Detailed report: https://clusterfuzz.com/testcase?key=5866580187807744

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::makeOutset
  SkMorphologyImageFilter::onFilterNodeBounds
  SkImageFilter::filterBounds
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=533136:533139

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5866580187807744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Jan 31 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5866580187807744 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.