
Issue 634803 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Integer-overflow in blink::cornerRect

Project Member Reported by ClusterFuzz, Aug 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4946647652237312

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::cornerRect
  blink::PaintLayerScrollableArea::resizerCornerRect
  blink::ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409418

Minimized Testcase (0.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Mze1BjdhujHYIdbeOrAHikvCdXhI8VW7yoHGcxRZcyrs3LR2TfX1Vij_6CHoVSQj5eI7HRmUlWyrNHDHlYsBaEBHRkx_ZWxnBuKvLeQZP2jyzdnNpXTDeaPY_-sLdAgY4GM4fRcKvbx7utSuX6L3AxA8mqg?testcase_id=4946647652237312

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: skobes@chromium.org
Status: Assigned (was: Untriaged)
Author: skobes
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d441f19b32826ec6c09874115169fa6c08b7ee11
Time: Wed Oct 14 18:21:58 2015
The CL last changed line 246 of file PaintLayerScrollableArea.cpp, which is stack frame 0.

Author: skobes
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d441f19b32826ec6c09874115169fa6c08b7ee11
Time: Wed Oct 14 18:21:58 2015
The CL last changed line 268 of file PaintLayerScrollableArea.cpp, which is stack frame 1.

Author: skobes
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d441f19b32826ec6c09874115169fa6c08b7ee11
Time: Wed Oct 14 18:21:58 2015
The CL last changed line 1211 of file PaintLayerScrollableArea.cpp, which is stack frame 2.

@skobes: Assigning to you; please take a look into it. Please help us reassign it if it is not related to your changes.

Thanks!
Cc: esprehn@chromium.org
Status: WontFix (was: Assigned)
esprehn says we do not need to fix integer overflow bugs.
Cc: meade@chromium.org timloh@chromium.org
Components: Blink>CSS
meade@ FYI: We might want to just clamp all of these crazy numbers inside the CSS parser instead so they never even get here.

ex. this test does:

* { animation-name: cfpulse99; transform: rotate3d(31, 13, 104, 9deg) scale(401097138271278291218014369784239731996273651907446632432050481860968837260646849527963905321140416504885948851035728884554668596377381844301691779646212276883999347210107904321400853234770400262630966685414177300637226084969485531323928171747339097329680466618459981653096907825383901203435465119229388903918693402127369724991051786999555709460879796564837102452367628787119790434501380107047836355838879441103978499945667529484302237233525892600799265138305038712034566566617672453247882237070896, 5); overflow-x: overlay;

which is crazy.
In this case I believe the float is clamped to numeric_limits<int>::min() by LayoutObject::absoluteBoundingBoxRect().  Then PaintLayerScrollableArea tries to subtract the scrollbar thickness.
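
The arithmetic described in the two comments above, worked through as an added example (this is not Blink code and was not posted by anyone on the thread): a layout coordinate too large for int is clamped to numeric_limits<int>::min(), the scrollbar thickness is then subtracted from it, and the result is signed integer overflow, which is exactly what the linux_ubsan_chrome job's signed-integer-overflow check reports. The block also shows the two mitigations floated in the thread, a saturating subtraction at the point of use and clamping the number inside the parser. The names clampToInt, subWouldOverflow, saturatingSub, resizerCornerX and parseCssNumberClamped are hypothetical, the corner computation is a one-dimensional simplification of what resizerCornerRect does, and the parser clamp limit (plus or minus FLT_MAX) is an assumed policy, not Blink's actual behaviour.

```cpp
// Added example modelling the overflow in this report. Not Blink code.
#include <cfloat>
#include <climits>
#include <cmath>
#include <cstdio>
#include <cstdlib>

// Assumed model of the clamp the thread attributes to
// LayoutObject::absoluteBoundingBoxRect(): a coordinate that does not fit
// in int saturates to numeric_limits<int>::min()/max(); NaN becomes 0.
int clampToInt(double v) {
    if (std::isnan(v)) return 0;
    if (v <= static_cast<double>(INT_MIN)) return INT_MIN;
    if (v >= static_cast<double>(INT_MAX)) return INT_MAX;
    return static_cast<int>(v);
}

// Portable pre-check for whether a - b overflows int. Evaluating a - b
// itself when this returns true is undefined behaviour and is what
// -fsanitize=signed-integer-overflow flags at runtime.
bool subWouldOverflow(int a, int b) {
    if (b > 0) return a < INT_MIN + b;   // result would fall below INT_MIN
    if (b < 0) return a > INT_MAX + b;   // result would exceed INT_MAX
    return false;
}

// Mitigation 1 (point of use): saturate instead of wrapping.
int saturatingSub(int a, int b) {
    if (subWouldOverflow(a, b)) return b > 0 ? INT_MIN : INT_MAX;
    return a - b;
}

// Hypothetical one-dimensional stand-in for the resizer corner: the box's
// max edge minus the scrollbar thickness. With boxMaxX clamped to INT_MIN
// the naive subtraction overflows; here we detect it and saturate.
struct Corner {
    int x;
    bool overflowed;
};

Corner resizerCornerX(double boxMaxX, int scrollbarThickness) {
    int maxX = clampToInt(boxMaxX);
    Corner c;
    c.overflowed = subWouldOverflow(maxX, scrollbarThickness);
    c.x = saturatingSub(maxX, scrollbarThickness);
    return c;
}

// Mitigation 2 (parser): clamp absurd numeric tokens before they reach
// layout. strtod returns +/-HUGE_VAL (infinity on IEEE hosts) for a literal
// whose magnitude exceeds double, so a 500-digit token like the one in the
// test case arrives here as infinity and is clamped. The +/-FLT_MAX limit is
// an assumption for this example, not Blink's policy.
double parseCssNumberClamped(const char* token) {
    double v = std::strtod(token, nullptr);
    const double limit = static_cast<double>(FLT_MAX);
    if (v > limit) return limit;
    if (v < -limit) return -limit;
    return v;
}

int main() {
    // Constructed inputs: an out-of-range coordinate and a 15px scrollbar.
    Corner bad = resizerCornerX(-1e300, 15);
    Corner ok = resizerCornerX(500.0, 15);
    std::printf("clamped coordinate: %d, overflow on subtract: %s, saturated x: %d\n",
                clampToInt(-1e300), bad.overflowed ? "yes" : "no", bad.x);
    std::printf("normal coordinate: x = %d, overflow: %s\n",
                ok.x, ok.overflowed ? "yes" : "no");
    std::printf("parser clamp of 1e400 -> %g\n", parseCssNumberClamped("1e400"));
    return 0;
}
```

Building with clang++ -fsanitize=signed-integer-overflow and replacing saturatingSub with a plain a - b in resizerCornerX reproduces the class of report ClusterFuzz filed here; with the saturation in place the same input yields INT_MIN and no sanitizer output, which is the trade-off esprehn's WontFix is about: the result is still a meaningless rectangle, but it is no longer undefined behaviour.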

Comment 6 by bokan@chromium.org, Aug 11 2016

Cc: bokan@chromium.org
Issue 635676 has been merged into this issue.

Comment 7 by bokan@chromium.org, Aug 22 2016

Issue 639804 has been merged into this issue.
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
