New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634806 link

Starred by 1 user
Status: Verified
Owner:
schenney@chromium.org
Closed: May 2017
Cc:
ranjitkan@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Integer-overflow in blink::operator-

Project Member Reported by ClusterFuzz, Aug 5 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5010401140146176

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=382185:382588

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Of9n0HT2T0bJ10m4yn4D9b0e9FFHIghS9YO0jV4C_bFasG7uYm3Z61jF3EAPLP9ExniPec6_T8M1WOhU99BqLAMnRK7uAj0uqe5pWfm1KQdqV_YiC5GGQGaUBo-4z5tZDyn_-hgNwa7Qpb01QqpJqxCchkQ?testcase_id=5010401140146176

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ranjitkan@chromium.org, Aug 5 2016

Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: schenney@chromium.org
Status: Assigned (was: Untriaged)
Author: schenney
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e3ab046fcbe969bd1b38a0361f7d583998365c2c
Time: Mon Mar 21 16:02:40 2016
File BoxPainter.cpp is changed in this cl (and is part of stack frame #4, "blink::BoxPainter::paintNinePieceImage"; frame #5, "blink::BoxPainter::paintBorder"; frame #6, "blink::BoxPainter::paintBoxDecorationBackgroundWithRect")
Minimum distance from crash line to modified line: 28. (file: BoxPainter.cpp, crashed on: 128, modified: 156).

@schenney: Assigning to you, request you to please take a look into it. Please help us to reassign if not with respect to your change.
Project Member

Comment 2 by ClusterFuzz, Aug 6 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4837579524669440

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::NinePieceImageGrid::setDrawInfoCorner
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  blink::NinePieceImagePainter::paint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=382185:382588

Minimized Testcase (0.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96E3ExPIqpkyXEB3cQ_i5ZWFYFwxHV2YX4HbGTtfY2Ag9XtOZv8LB3jNPAxIvxOr_4V35rbnjtnvkehhgY8OcHElGc77cSF36EvQLKkWVUsGOrUBomhybXd44aX4uBlEn63G-QaHmaNam9f2TT23i7eB1Quaw?testcase_id=4837579524669440

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 3 by ClusterFuzz, Sep 18 2016 

ClusterFuzz has detected this issue as fixed in range 419387:419391.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5010401140146176

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=382185:382588
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=419387:419391

Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Of9n0HT2T0bJ10m4yn4D9b0e9FFHIghS9YO0jV4C_bFasG7uYm3Z61jF3EAPLP9ExniPec6_T8M1WOhU99BqLAMnRK7uAj0uqe5pWfm1KQdqV_YiC5GGQGaUBo-4z5tZDyn_-hgNwa7Qpb01QqpJqxCchkQ?testcase_id=5010401140146176

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Sep 20 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5628405246853120

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=372506:372545

Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gnqCLzwa5IN2fzMoNH52riH888gzDB1K48uOstTEyOeWvSYgLdAfSkrSKyXfD18XxYRRl2qqjq5zJoQMw4W-jW3yuGUyOaXXvjgKxpiNsOB8u46tWepJNTHjpw9lXDIFysw70R-FHr1J6IZGG1h3sv8kGVw?testcase_id=5628405246853120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 5 by ClusterFuzz, Sep 27 2016 

ClusterFuzz has detected this issue as fixed in range 420262:420270.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5628405246853120

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=372506:372545
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=420262:420270

Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gnqCLzwa5IN2fzMoNH52riH888gzDB1K48uOstTEyOeWvSYgLdAfSkrSKyXfD18XxYRRl2qqjq5zJoQMw4W-jW3yuGUyOaXXvjgKxpiNsOB8u46tWepJNTHjpw9lXDIFysw70R-FHr1J6IZGG1h3sv8kGVw?testcase_id=5628405246853120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Sep 28 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4911198313381888

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409418

Minimized Testcase (0.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96yyw4IR6-oudHxJ3hcf8dhH0ji5MvvkGiyZgyHsHDFPYNkVmLwwadkKbjblWPsJqTFR7ej_tTMn2rC-Q6gX_2yHcuqPz76YDTk8laEisW5lWoh9o5otYOVZDog-ECdBo4lBZgZ90a_ReMT2IknJlF3r_ammA?testcase_id=4911198313381888

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 7 by mummare...@chromium.org, Sep 28 2016

Components: Blink>Paint
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by ClusterFuzz, Dec 14 2016 

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4911198313381888

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator-
  blink::NinePieceImageGrid::setDrawInfoEdge
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409418
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96yyw4IR6-oudHxJ3hcf8dhH0ji5MvvkGiyZgyHsHDFPYNkVmLwwadkKbjblWPsJqTFR7ej_tTMn2rC-Q6gX_2yHcuqPz76YDTk8laEisW5lWoh9o5otYOVZDog-ECdBo4lBZgZ90a_ReMT2IknJlF3r_ammA?testcase_id=4911198313381888

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, May 11 2017 

ClusterFuzz has detected this issue as fixed in range 470545:470729.

Detailed report: https://clusterfuzz.com/testcase?key=4837579524669440

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::NinePieceImageGrid::setDrawInfoCorner
  blink::NinePieceImageGrid::getNinePieceDrawInfo
  blink::NinePieceImagePainter::paint
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=382185:382588
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=470545:470729

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4837579524669440


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by ClusterFuzz, May 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4837579524669440 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment