Integer-overflow in blink::LayoutFrameSet::layOutAxis
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4732986526531584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::LayoutFrameSet::layOutAxis
  blink::LayoutFrameSet::layout
  blink::LayoutFrameSet::positionFrames

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=377688:377898

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv953u_XhU0BLoU9kh0vzhJ4sra7G1sDpaQsWrDK0e3-OWIuVPW-uM9P28AUAwtiqF64vfBkTljYZ6LzP9GSCSjRxLwp5RPNdo-KuIWab_mZCc8ZobT8jJX5S6S2qkY36U932mByd7GTXjXYfN0lLdqpqOjpugg?testcase_id=4732986526531584

  <iframe id=tCF2>
  <frameset>
  <frameset cols="50,50">
  </iframe>
  <script>
  iframes = [].slice.call(document.querySelectorAll('iframe'));
  iframes.forEach(function(iframe) {
    iframe.contentDocument.write(iframe.textContent);
  });
  </script>
  <style>
  .c7 { font-stretch: 83%; min-width: 299585320mm;</style><script>
  tCF2.contentDocument.documentElement.style.zoom = 24;
  tCF2.setAttribute("class", "c7");
  </script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 16 2016

Aug 17 2016
Not caused by my CL. This bug has probably existed since day one. The frame support code still uses int instead of LayoutUnit, and there are int multiplications all over the place.
Aug 18 2016

Author: darin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3a60539158ebf574faf764404a2189acbd1d537d
Time: Wed Dec 20 01:49:03 2006

The CL last changed line 222 of file LayoutFrameSet.cpp, which is stack frame 0.

@darin: Could you please look into this issue. Thank you.
Aug 18 2016

Wrong Darin. That is also a change log entry from 2006! Over to eae@ for triage.
Aug 22 2016

ClusterFuzz isn't considering this a security issue and it's not affecting any real-world website, lowering priority. We should probably switch intpoint/size/rect to use saturation arithmetic just as we do for layout.
Aug 22 2016

Issue 635446 has been merged into this issue.
Aug 23 2016
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jul 2 2017

ClusterFuzz has detected this issue as fixed in range 483913:483914.

Detailed report: https://clusterfuzz.com/testcase?key=4732986526531584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::LayoutFrameSet::layOutAxis
  blink::LayoutFrameSet::layout
  blink::LayoutFrameSet::positionFrames

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=377688:377898
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=483913:483914

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4732986526531584

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Aug 16 2016
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)