Issue metadata
Integer-overflow in hb_ot_map_builder_t::compile
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5864272448192512
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  hb_ot_map_builder_t::compile
  hb_ot_shape_planner_t::compile
  _hb_ot_shaper_shape_plan_data_create
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96EzlzjdZSh_ar1GQisrJK1W6hAWAzEtVtg36Mb8iwpqLEYpSgRitGOs-FVL3Iz0rxCw9pIFxv9ESVlr2wwVHWDoJ0bED267sBrLko3_xAy4TNbWXyYv6gYX2IDmScSbXhRXm_cNs00XhnwQG67q2X4buGJvg?testcase_id=5864272448192512
<table> <td id=tCF11>Ʌ</td> <span id=tCF18><style> .c15 { margin-bottom: inherit;0.084900); font-feature-settings: "liga" 700976189;</style><script> tCF18.setAttribute("class", "c15"); tCF18.appendChild(tCF11); </script>
Issue manually filed by: ranjitkan
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016
Behdad, can you take a look? Thanks
Aug 9 2016
Should be fixed. Thanks. https://github.com/behdad/harfbuzz/commit/333173103bb618f721bd25d0c565a3c3c9ea224e
Aug 21 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/99cff15b0cd7c32a1dae45e0b073394abfb03431

commit 99cff15b0cd7c32a1dae45e0b073394abfb03431
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Aug 17 08:33:21 2016

Update harfbuzz to 1.3.0 + 3 patches

Chromium on other platforms has harfbuzz 1.3.0. On top of 1.3.0, apply the following patches:
1. integer overflow fix
2. BCP 47 language tag to OpenType language mapping fix for zh-MO(-Hant) and zh-HK-Hant.

BUG=chromium:634805
TEST=emerge-{x86-alex,amd64-generic,daisy} harfbuzz succeeds.
TEST=cbuildbot chromiumos-sdk
TEST=cbuildbot amd64-generic-full x86-generic-full arm-generic-full

Change-Id: I20e95b1166c427566f88521b48af9e4d96395d9a
Reviewed-on: https://chromium-review.googlesource.com/371591
Commit-Ready: Jungshik Shin <jshin@chromium.org>
Tested-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/Manifest
[add] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/files/harfbuzz-1.3.0-lang2ottag.patch
[rename] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/harfbuzz-1.3.0.ebuild
[add] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/files/harfbuzz-1.3.0-lang2ottag2.patch
[add] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/files/harfbuzz-1.3.0-int-overflow.patch
[delete] https://crrev.com/68e1fe4355d4ffc26a1c279df430425c25391685/media-libs/harfbuzz/harfbuzz-1.2.6-r1.ebuild
[add] https://crrev.com/99cff15b0cd7c32a1dae45e0b073394abfb03431/media-libs/harfbuzz/harfbuzz-1.3.0-r1.ebuild
Sep 9 2016
ClusterFuzz has detected this issue as fixed in range 417287:417309.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5864272448192512
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  hb_ot_map_builder_t::compile
  hb_ot_shape_planner_t::compile
  _hb_ot_shaper_shape_plan_data_create
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=417287:417309
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 9 2016
jshin@, I am curious, what are these BCP47 mapping fixes? Are you planning to merge those upstream? Do we need them in Blink?
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ranjitkan@chromium.org, Aug 5 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)