New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634825 link

Starred by 1 user
Status: Verified
Owner:
behdad@chromium.org
Closed: Aug 2016
Cc:
ranjitkan@chromium.org
bashi@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Integer-overflow in position_cluster

Project Member Reported by ClusterFuzz, Aug 5 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4531342836760576

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  position_cluster
  _hb_ot_shape_fallback_position
  hb_ot_shape_internal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv978-uAaiPxp4PZ2P3pxvAGABJLtrZ7MVuvRDl_tLdrPbNm5fqMXDoofVl_h3UXUmdDc6fZ48oyx3q-L2zLl_NaYdNCVId9pwRGHsLn3QgVTHY1XhKu1wAcOL4g4SjamHVkTMX4ArvUxom4zyur9G5PdXyhPHA?testcase_id=4531342836760576
<h2 id=tCF3>z:&#x1de4;X3FG=G%`&#xd086;<style>
.c17 { box-decoration-break: slice; font-size: 43234ex;</style><script>
tCF3.setAttribute("class", "c17");
</script>


Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ranjitkan@chromium.org, Aug 5 2016

Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: bashi@chromium.org
Status: Assigned (was: Untriaged)
Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 281 of file hb-ot-shape-fallback.cc, which is stack frame 0.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 370 of file hb-ot-shape-fallback.cc, which is stack frame 1.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 409 of file hb-ot-shape-fallback.cc, which is stack frame 2.

Author: bashi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/55097d32fb9f0b18fe8fea1fcdb2a9c89f6698b9
Time: Tue Sep 11 01:34:56 2012
The CL last changed line 427 of file hb-ot-shape-fallback.cc, which is stack frame 3.

@bashi: Assigning to you, request you to please take a look into it. Please help us to reassign this issue to the right owner if not with respect to your changes.

Thanks.!

Comment 2 by bashi@chromium.org, Aug 7 2016

Cc: bashi@chromium.org
Owner: behdad@chromium.org
behdad@, could you take a look?
Project Member

Comment 3 by ClusterFuzz, Aug 25 2016 

ClusterFuzz has detected this issue as fixed in range 413791:414128.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4531342836760576

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  position_cluster
  _hb_ot_shape_fallback_position
  hb_ot_shape_internal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413791:414128

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv978-uAaiPxp4PZ2P3pxvAGABJLtrZ7MVuvRDl_tLdrPbNm5fqMXDoofVl_h3UXUmdDc6fZ48oyx3q-L2zLl_NaYdNCVId9pwRGHsLn3QgVTHY1XhKu1wAcOL4g4SjamHVkTMX4ArvUxom4zyur9G5PdXyhPHA?testcase_id=4531342836760576
<h2 id=tCF3>z:&#x1de4;X3FG=G%`&#xd086;<style>
.c17 { box-decoration-break: slice; font-size: 43234ex;</style><script>
tCF3.setAttribute("class", "c17");
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Aug 25 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment