New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 635474 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Email to this user bounced
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in SkIRect::width

Project Member Reported by ClusterFuzz, Aug 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6221690935967744

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::width
  SkImageFilter::applyCropRect
  SkMorphologyImageFilter::onFilterImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400445:400830

Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965r1SWSzUig6s6rQ7FJBVMioEYqUQruZbu7kEPXMuXRPS0QTfCXrtcz85xEHmZaD00vFkriZ0VEOtkjkx3y2nbWNWD2GiQMndaJoxoWNrBB4w_AtMTVXeBjITFfH-3NwsPtl0ipqhorI8ixaLqlBxVvCZBRQ?testcase_id=6221690935967744

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: robertphillips@chromium.org ajha@chromium.org
Components: Internals>Skia
Labels: Findit-for-crash Te-Logged M-53
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)
Findit result:
==============
Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: reed@android.com
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/8a1c16ff38322f0210116fa7293eb8817c7e477e
Time: Wed Dec 17 15:59:43 2008
The CL last changed line 72 of file SkRect.h, which is stack frame 0.

Author: robertphillips
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/37bd7c3aca66697fff2db79c21771a0b3cbe3b4c
Time: Thu Mar 17 21:31:39 2016
The CL last changed line 380 of file SkImageFilter.cpp, which is stack frame 1.

Author: robertphillips
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/f299e7105435829c47e94f4cf6e408cad675bc77
Time: Fri Mar 25 11:49:22 2016
The CL last changed line 542 of file SkMorphologyImageFilter.cpp, which is stack frame 2.

Author: robertphillips
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/2302de920e5434809bd0e85b871a6e002856dfdb
Time: Thu Mar 24 14:26:32 2016
The CL last changed line 212 of file SkImageFilter.cpp, which is stack frame 3.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/e51c356ae4e074b9c286c50a4efce11205f7463c
Time: Tue Jul 19 21:33:20 2016
The CL last changed line 397 of file SkBitmapDevice.cpp, which is stack frame 4.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/a2217ef965e57fdbbf989989e7ec1f2c04f62d39
Time: Wed Jul 20 13:04:34 2016
The CL last changed line 1444 of file SkCanvas.cpp, which is stack frame 5.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/7503d60847c4ad22df87458aecd917772b23d293
Time: Fri Jul 15 21:23:29 2016
The CL last changed line 1325 of file SkCanvas.cpp, which is stack frame 6.

Suspected Project: chromium-skia
Suspected Component: Internals>Skia

reed@: Could you please take a look and confirm if this could be related to one of the recent changes from https://codereview.chromium.org/2155063002. Please help in assigning to appropriate Dev if your change is unrelated.

Thank you!
Project Member

Comment 2 by ClusterFuzz, Sep 6 2016

ClusterFuzz has detected this issue as fixed in range 416534:416539.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6221690935967744

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::width
  SkImageFilter::applyCropRect
  SkMorphologyImageFilter::onFilterImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400445:400830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=416534:416539

Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965r1SWSzUig6s6rQ7FJBVMioEYqUQruZbu7kEPXMuXRPS0QTfCXrtcz85xEHmZaD00vFkriZ0VEOtkjkx3y2nbWNWD2GiQMndaJoxoWNrBB4w_AtMTVXeBjITFfH-3NwsPtl0ipqhorI8ixaLqlBxVvCZBRQ?testcase_id=6221690935967744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 3 by ClusterFuzz, Sep 6 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment