Integer-overflow in GrSurface::WorseCaseSize |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6189197880983552 Fuzzer: miaubiz_svg_fuzzer Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: GrSurface::WorseCaseSize GrTextureProvider::refScratchTexture GrContext::makeDrawContext Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570 Minimized Testcase (2.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kDAZE4vDfEocI0uLyG6zU7kCBONB5MZDnRbo0ZypnB5WdUQ9FzmWh-nulXs67CkWlHzj4TAp_HsUBlm_gC8pFBhXqn7dJTJymbngxru4V-MspWMmYKaeOSeT3lElzPkYSPtirqCujSDXXL0FAm9U8VccXDA?testcase_id=6189197880983552 Issue manually filed by: ajha See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 17 2016
,
Aug 17 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/4c56b9fa714d1bee54666adf7e5e1db5fb398dc7 commit 4c56b9fa714d1bee54666adf7e5e1db5fb398dc7 Author: robertphillips <robertphillips@google.com> Date: Wed Aug 17 15:02:51 2016 Cast for fuzzer complaint Given the cast in the following else block, this isn't the first time we've encountered this. BUG= 637187 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2258463002 Review-Url: https://codereview.chromium.org/2258463002 [modify] https://crrev.com/4c56b9fa714d1bee54666adf7e5e1db5fb398dc7/src/gpu/GrSurface.cpp
,
Aug 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/97557689e0afded20df656c083eb2cb6f5ce6e5c commit 97557689e0afded20df656c083eb2cb6f5ce6e5c Author: skia-deps-roller <skia-deps-roller@chromium.org> Date: Wed Aug 17 16:40:36 2016 Roll src/third_party/skia/ ff863bc55..d24ee1419 (5 commits). https://chromium.googlesource.com/skia.git/+log/ff863bc550a8..d24ee1419f17 $ git log ff863bc55..d24ee1419 --date=short --no-merges --format='%ad %ae %s' 2016-08-17 fmalita [SVGDom] Add <line> support 2016-08-17 robertphillips Cast for fuzzer complaint 2016-08-17 jvanverth Add alternative ambient shadow method to Android shadow sample 2016-08-17 halcanary SkPDF: pull out SkPDFMakeCIDGlyphWidthsArray.cpp 2016-08-17 rmistry Add gerrit config lines to cq.cfg BUG= 637187 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel TBR=robertphillips@google.com Review-Url: https://codereview.chromium.org/2253933002 Cr-Commit-Position: refs/heads/master@{#412558} [modify] https://crrev.com/97557689e0afded20df656c083eb2cb6f5ce6e5c/DEPS
,
Aug 18 2016
ClusterFuzz has detected this issue as fixed in range 412507:412570. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6189197880983552 Fuzzer: miaubiz_svg_fuzzer Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: GrSurface::WorseCaseSize GrTextureProvider::refScratchTexture GrContext::makeDrawContext Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=412507:412570 Minimized Testcase (2.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kDAZE4vDfEocI0uLyG6zU7kCBONB5MZDnRbo0ZypnB5WdUQ9FzmWh-nulXs67CkWlHzj4TAp_HsUBlm_gC8pFBhXqn7dJTJymbngxru4V-MspWMmYKaeOSeT3lElzPkYSPtirqCujSDXXL0FAm9U8VccXDA?testcase_id=6189197880983552 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 18 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by ajha@chromium.org
, Aug 12 2016Components: Internals>GPU>Rasterization
Labels: Findit-for-crash Te-Logged M-53
Owner: robertphillips@chromium.org
Status: Assigned (was: Untriaged)