Integer-overflow in gfx::Rect::bottom
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6221880426233856
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  gfx::Rect::bottom
  gfx::Rect::Union
  cc::RenderSurfaceImpl::AccumulateContentRectFromContributingRenderSurface
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=372640:372649
Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965cwFrkB5Xxs42pFiMcNn8FR5FqhaOKs9cVvokE8NBfOrZ-x9PjCg1eIJHMuXTEtUIkJ2sb7NHG4xuMmWWx0vrq8AyatB3qLBF0tGE7an00tfrjQSrdpy9s8htAyTjXlSe3F2ukHNXKaEuxp5oGRAWR7LNsg?testcase_id=6221880426233856
Issue manually filed by: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 15 2016
My change added "constexpr" to the function declaration. It didn't cause this bug. The stack trace suggests a compositor issue.

Aug 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5800904341323776
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  gfx::Rect::bottom
  gfx::Rect::Intersect
  cc::draw_property_utils::ComputeVisibleRectsInternal
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=401416:401447
Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95cYbFV3l7BpX_TBmCnp3rfF3MQg3Cd6XTgcDYYGp7916kFer70qrduoXVLwDewNhKww0twDdq-XiGligh0FOkwjytec-I8SN0tWabMsNF1iVIln_VIj02s8VHM_fWxCqj-WAXDXAIrjE3KPo7bbFavKpygog?testcase_id=5800904341323776
Issue manually filed by: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 18 2016
From findit tool:
Author: sunxd
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/713aedbdd27d1bd0d431a02220748c740b471af9
Time: Wed Aug 10 22:22:14 2016
The CL last changed line 1105 of file draw_property_utils.cc, which is stack frame 6.

sunxd@, could you please take a look and reassign if it is not related to your changes?

Aug 18 2016
It seems to be another example of possible overflow when computing intersections. Cc: Dana and Jeremy, as the issue has been discussed in https://codereview.chromium.org/2231243002/.

Aug 22 2016
Jeremy may fix the bug globally; will land a temp fix if we decide not to land the system fix.

Aug 23 2016
The issue I'm fixing is the reverse; it's an issue when converting SkIRect to gfx::Rect, where we fail to do it right. I probably won't fix every case where a gfx::Rect could get out of the range where width/height/right/bottom all remain valid. It will help only if this case is coming from SkIRectToRect.

Aug 23 2016
OK, so I'll try landing a fix that's specific to this case.

Sep 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/86fc67cca4eaad94ec7bf3daebf905939abdd03c

commit 86fc67cca4eaad94ec7bf3daebf905939abdd03c
Author: sunxd <sunxd@chromium.org>
Date: Thu Sep 01 23:28:07 2016

Adjust gfx::Rect's width and height to avoid integer overflow

It is possible that the origin plus the bounds of a gfx::Rect can exceed the range of an integer, as reflected in clusterfuzz. This CL makes gfx::Rect adjust the width and height if origin + bounds can result in an overflow.

BUG= 637985
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
Review-Url: https://codereview.chromium.org/2268423003
Cr-Commit-Position: refs/heads/master@{#416118}

[modify] https://crrev.com/86fc67cca4eaad94ec7bf3daebf905939abdd03c/ui/gfx/geometry/rect.cc
[modify] https://crrev.com/86fc67cca4eaad94ec7bf3daebf905939abdd03c/ui/gfx/geometry/rect.h
[modify] https://crrev.com/86fc67cca4eaad94ec7bf3daebf905939abdd03c/ui/gfx/geometry/rect_unittest.cc

Sep 1 2016
Issue 643443 has been merged into this issue.

Sep 2 2016
We now modify the height/width to prevent overflow when adding it to y/x.
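The commit message (Sep 1) and the comment above describe the mitigation only in words: right() and bottom() are computed as x + width and y + height in plain int arithmetic, and a rect whose origin plus size leaves the int range makes that addition a signed overflow (which is what UBSan reported from gfx::Rect::Union and gfx::Rect::Intersect). The block below is an added example, not Chromium's code: a hypothetical minimal Rect stand-in, a 64-bit check that detects the hazard without triggering it, and an assumed re-implementation of the fix idea, keeping the origin and shrinking width/height so origin + size always fits. SafeUnion shows the same clamp applied at one of the crashing call sites; the real Union's handling of empty rects is omitted.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical minimal stand-in for gfx::Rect, used only for this example.
// It is NOT Chromium's class; only the x/y/width/height layout is mirrored.
struct Rect {
  int x;
  int y;
  int width;
  int height;
};

// Edges computed in 64-bit, so the check itself cannot overflow.
int64_t Right64(const Rect& r) { return static_cast<int64_t>(r.x) + r.width; }
int64_t Bottom64(const Rect& r) { return static_cast<int64_t>(r.y) + r.height; }

// The hazard behind the report: an int right()/bottom() would compute
// x + width / y + height directly. If the true sum exceeds INT_MAX, that
// int addition is signed overflow (undefined behaviour), which UBSan flags.
bool RightWouldOverflow(const Rect& r) { return Right64(r) > INT_MAX; }
bool BottomWouldOverflow(const Rect& r) { return Bottom64(r) > INT_MAX; }

// Mitigation in the spirit of the landed fix (assumed re-implementation, not
// the Chromium code): keep the origin as given and shrink width/height so
// that origin + size is always representable as an int.
Rect MakeClampedRect(int x, int y, int64_t width, int64_t height) {
  Rect r{x, y, 0, 0};
  // Negative sizes collapse to an empty rect.
  width = std::max<int64_t>(width, 0);
  height = std::max<int64_t>(height, 0);
  // Largest size such that x + width (resp. y + height) <= INT_MAX. Done in
  // int64_t because INT_MAX - x itself overflows int when x is negative.
  const int64_t max_w = static_cast<int64_t>(INT_MAX) - x;
  const int64_t max_h = static_cast<int64_t>(INT_MAX) - y;
  // Also cap at INT_MAX: when x < 0, max_w exceeds what an int can hold.
  r.width = static_cast<int>(std::min<int64_t>({width, max_w, INT_MAX}));
  r.height = static_cast<int>(std::min<int64_t>({height, max_h, INT_MAX}));
  return r;
}

// Union built through the clamped constructor: the result covers both inputs
// as far as an int rect can, and its edges stay computable without overflow.
// (Empty-rect special casing of the real gfx::Rect::Union is omitted.)
Rect SafeUnion(const Rect& a, const Rect& b) {
  const int64_t left = std::min(a.x, b.x);
  const int64_t top = std::min(a.y, b.y);
  const int64_t right = std::max(Right64(a), Right64(b));
  const int64_t bottom = std::max(Bottom64(a), Bottom64(b));
  return MakeClampedRect(static_cast<int>(left), static_cast<int>(top),
                         right - left, bottom - top);
}

int main() {
  // Constructed input in the shape the fuzzer found: origin near INT_MAX plus
  // a positive height, so y + height is not representable as an int.
  Rect bad{0, INT_MAX - 5, 0, 10};
  std::printf("bottom would overflow: %d\n", BottomWouldOverflow(bad));

  Rect fixed = MakeClampedRect(bad.x, bad.y, bad.width, bad.height);
  std::printf("clamped height: %d, bottom: %lld\n", fixed.height,
              static_cast<long long>(Bottom64(fixed)));
  return 0;
}
```

The check functions are what a unit test or a debug-only DCHECK would use to catch a bad rect at the point it is constructed (e.g. when converting from SkIRect), rather than letting it reach Union or Intersect where the overflow actually fires.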

Sep 3 2016
ClusterFuzz has detected this issue as fixed in range 415934:416233.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6221880426233856
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  gfx::Rect::bottom
  gfx::Rect::Union
  cc::RenderSurfaceImpl::AccumulateContentRectFromContributingRenderSurface
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=372640:372649
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=415934:416233
Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965cwFrkB5Xxs42pFiMcNn8FR5FqhaOKs9cVvokE8NBfOrZ-x9PjCg1eIJHMuXTEtUIkJ2sb7NHG4xuMmWWx0vrq8AyatB3qLBF0tGE7an00tfrjQSrdpy9s8htAyTjXlSe3F2ukHNXKaEuxp5oGRAWR7LNsg?testcase_id=6221880426233856
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 15 2016
Owner: pkasting@chromium.org
Status: Assigned (was: Untriaged)