Issue 635863

Issue metadata

Status: Verified
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Integer-overflow in unsigned int agg::clip_liang_barsky<int>

Reported by ClusterFuzz (Project Member), Aug 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6302357333999616

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  unsigned int agg::clip_liang_barsky<int>
  agg::rasterizer_scanline_aa::clip_segment
  agg::rasterizer_scanline_aa::close_polygon
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=394980:395008

Minimized Testcase (195.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95k_C_1w-wo1doq7SOvm8my3vuTnbTkNXIlqarVTLamK9zC9iZgQhgRDwprOCHmAg3ARVpU1N3G5NeCHfs2isppG143IfLgg5t0b5o3p1YtXXtsDAqCu8a2DJRl8ifdyaoFUyTF1HdrVTlXutx-g_irrfQReEPfRuxAp47782hdI12dCVY?testcase_id=6302357333999616

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
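Added illustration of the bug class in this report, not PDFium's or AGG's own code: a minimal Liang-Barsky segment clipper written two ways. The "narrow" template forms the endpoint deltas in the coordinate type T before widening them, the usual shape of a clipper templated on int; that this is the specific arithmetic UBSan flagged in frame 0 here is an assumption, the report only says an integer overflow occurred inside clip_liang_barsky<int>. The hardened version widens each operand to int64_t before subtracting, and a precondition check shows which inputs the narrow version cannot take safely. All function and type names are hypothetical.

```cpp
// Added example (not PDFium/AGG code). Names are hypothetical.
#include <climits>
#include <cmath>
#include <cstdint>
#include <cstdio>

struct ClipBox { int x1, y1, x2, y2; };   // inclusive clip rectangle

// Does a - b overflow `int`? The comparisons are arranged so they never
// overflow themselves, so this check is free of undefined behaviour.
inline bool int_sub_overflows(int a, int b) {
    return b < 0 ? a > INT_MAX + b : a < INT_MIN + b;
}

// Liang-Barsky core on already widened 64-bit values.
// P(t) = P1 + t*(P2 - P1), 0 <= t <= 1. For each box edge, p is the signed
// rate at which the line approaches that edge and q the distance of P1 inside
// it; t = q/p is the parameter where the line crosses the edge.
static bool lb_core(int64_t x1, int64_t y1, int64_t dx, int64_t dy,
                    const ClipBox& box, int64_t out[4]) {
    const int64_t p[4] = { -dx, dx, -dy, dy };
    const int64_t q[4] = { x1 - box.x1, box.x2 - x1, y1 - box.y1, box.y2 - y1 };
    double t0 = 0.0, t1 = 1.0;
    for (int i = 0; i < 4; ++i) {
        if (p[i] == 0) {                  // parallel to this edge ...
            if (q[i] < 0) return false;   // ... and entirely outside it
            continue;
        }
        const double t = static_cast<double>(q[i]) / static_cast<double>(p[i]);
        if (p[i] < 0) { if (t > t1) return false; if (t > t0) t0 = t; }  // entering
        else          { if (t < t0) return false; if (t < t1) t1 = t; }  // leaving
    }
    // Round rather than truncate: t0*dx is only approximate in double.
    out[0] = x1 + std::llround(t0 * static_cast<double>(dx));
    out[1] = y1 + std::llround(t0 * static_cast<double>(dy));
    out[2] = x1 + std::llround(t1 * static_cast<double>(dx));
    out[3] = y1 + std::llround(t1 * static_cast<double>(dy));
    return true;
}

// Vulnerable shape: `x2 - x1` is evaluated in T (here int) and only then
// converted. For T = int and endpoints further apart than INT_MAX this is
// signed overflow: undefined behaviour, and what -fsanitize=undefined reports.
template <class T>
bool clip_narrow(T x1, T y1, T x2, T y2, const ClipBox& box, int64_t out[4]) {
    const int64_t dx = x2 - x1;   // T arithmetic first, may overflow
    const int64_t dy = y2 - y1;
    return lb_core(x1, y1, dx, dy, box, out);
}

// Hardened shape: widen each operand before subtracting. Any two int32 values
// differ by at most 2^32 - 1, which int64_t holds exactly.
bool clip_wide(int x1, int y1, int x2, int y2, const ClipBox& box, int64_t out[4]) {
    const int64_t dx = static_cast<int64_t>(x2) - x1;
    const int64_t dy = static_cast<int64_t>(y2) - y1;
    return lb_core(x1, y1, dx, dy, box, out);
}

// Precondition under which clip_narrow<int> is free of overflow.
bool narrow_clip_is_safe(int x1, int y1, int x2, int y2) {
    return !int_sub_overflows(x2, x1) && !int_sub_overflows(y2, y1);
}

int main() {
    const ClipBox box = { -100, -100, 100, 100 };
    int64_t out[4];
    // Constructed fuzzer-style input: a horizontal segment spanning the whole
    // int range. Only the widened clipper may be called on it.
    const int x1 = INT_MIN, x2 = INT_MAX;
    std::printf("narrow clipper safe for this input: %s\n",
                narrow_clip_is_safe(x1, 0, x2, 0) ? "yes" : "no");
    if (clip_wide(x1, 0, x2, 0, box, out))
        std::printf("wide clip: (%lld,%lld)-(%lld,%lld)\n",
                    (long long)out[0], (long long)out[1],
                    (long long)out[2], (long long)out[3]);
    return 0;
}
```

For the INT_MIN to INT_MAX segment the widened clipper returns the visible part (-100,0)-(100,0), while the precondition check reports that the narrow clipper cannot take that input. Calling clip_narrow<int> with the same segment in a build compiled with -fsanitize=undefined reproduces the "signed integer overflow" report that the crash state above shows, without the PDF rendering pipeline in front of it.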
 
Cc: nyerramilli@chromium.org jam@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: findit-wrong Te-Logged M-53
Owner: brucedaw...@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purposes:
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: John Abd-El-Malek
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/5110c4743751145c4ae1934cd1d83bc6c55bb43f
Time: Sat May 17 22:33:34 2014 -0700
The CL last changed line 40 of file agg_clip_liang_barsky.h, which is stack frame 0.

Author: John Abd-El-Malek
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/5110c4743751145c4ae1934cd1d83bc6c55bb43f
Time: Sat May 17 22:33:34 2014 -0700
The CL last changed line 441 of file agg_rasterizer_scanline_aa.h, which is stack frame 1.

Author: John Abd-El-Malek
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/5110c4743751145c4ae1934cd1d83bc6c55bb43f
Time: Sat May 17 22:33:34 2014 -0700
The CL last changed line 277 of file agg_rasterizer_scanline_aa.h, which is stack frame 2.

Author: John Abd-El-Malek
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/5110c4743751145c4ae1934cd1d83bc6c55bb43f
Time: Sat May 17 22:33:34 2014 -0700
The CL last changed line 307 of file agg_rasterizer_scanline_aa.h, which is stack frame 3.

Author: John Abd-El-Malek
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/5110c4743751145c4ae1934cd1d83bc6c55bb43f
Time: Sat May 17 22:33:34 2014 -0700
The CL last changed line 24 of file agg_render_scanlines.h, which is stack frame 4.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1445 of file fx_agg_driver.cpp, which is stack frame 5.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1474 of file fx_agg_driver.cpp, which is stack frame 6.

Suspected Project: chromium-pdfium

assigning to https://cs.chromium.org/chromium/src/third_party/pdfium/OWNERS
brucedawson@ / jam@ - Could you please check the above issue and help us find an owner if it's not yours.

Comment 2 by ClusterFuzz (Project Member), Aug 11 2016

ClusterFuzz has detected this issue as fixed in range 410916:411073.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6302357333999616

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  unsigned int agg::clip_liang_barsky<int>
  agg::rasterizer_scanline_aa::clip_segment
  agg::rasterizer_scanline_aa::close_polygon
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=394980:395008
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410916:411073

Minimized Testcase (195.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95k_C_1w-wo1doq7SOvm8my3vuTnbTkNXIlqarVTLamK9zC9iZgQhgRDwprOCHmAg3ARVpU1N3G5NeCHfs2isppG143IfLgg5t0b5o3p1YtXXtsDAqCu8a2DJRl8ifdyaoFUyTF1HdrVTlXutx-g_irrfQReEPfRuxAp47782hdI12dCVY?testcase_id=6302357333999616

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Aug 11 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
