
Issue 639794

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in blink::IntRect::maxY

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6285406146658304

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::maxY
  blink::parseOptions
  blink::ImageBitmap::ImageBitmap
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=371316:371341

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96c3gjrSxHh0Dh1qQb3fXZq6cEDplw5eIJvsw4_qwetQypCA1PrgH5hNxgYlrWMN89iQ8zFLEzO_1-M9a8Ooi3ONa47-3zP5cA4OnufTTooexFTlUT7_IRLMnJwVSUypAjzPF62BeY6S7Wu8A_fxhA3ouq6sg?testcase_id=6285406146658304
<script>
// Any loaded image will do; a blank canvas data URL avoids network access.
var bgcanvas = document.createElement('canvas');
var greenSquareURL = bgcanvas.toDataURL();
var img = new Image();
img.onload = imageLoaded;
img.src = greenSquareURL;
function imageLoaded() {
    // createImageBitmap(image, sx, sy, sw, sh): sy + sh exceeds the 32-bit int
    // range, which is the IntRect::maxY overflow in the crash state above.
    createImageBitmap(img,  -50,  2147483632, 4065084245, 100);
}
</script>


Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Image Tools>Test>FindIt>CorrectResult
Labels: Te-Logged M-53
Owner: sunil.ra...@samsung.com
Status: Assigned (was: Untriaged)
Suspected CLs
===============
No CL in the regression range changes the crashed files. The result is the blame information.

Author: hyatt@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/baa778dd02c9cf803a3760fb5d19015d133cc785
Time: Tue Feb 01 21:39:47 2011
The CL last changed line 77 of file IntRect.h, which is stack frame 0.

Author: sunil.ratnu@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/40a0e3e6e5beae8eee2432dabbe40632c9f437f5
Time: Mon Jun 16 06:33:21 2014
The CL last changed line 40 of file ImageBitmap.cpp, which is stack frame 1.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e41056398cca63a760554d3ae7a63857bca93214
Time: Tue Jul 26 15:34:09 2016
The CL last changed line 72 of file ImageBitmap.cpp, which is stack frame 2.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/96e0583198a59d305f8442704e35d7d307120cec
Time: Wed Jul 13 22:41:51 2016
The CL last changed line 291 of file ImageBitmap.cpp, which is stack frame 3.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/96e0583198a59d305f8442704e35d7d307120cec
Time: Wed Jul 13 22:41:51 2016
The CL last changed line 539 of file ImageBitmap.cpp, which is stack frame 4.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/96e0583198a59d305f8442704e35d7d307120cec
Time: Wed Jul 13 22:41:51 2016
The CL last changed line 698 of file HTMLImageElement.cpp, which is stack frame 5.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/96e0583198a59d305f8442704e35d7d307120cec
Time: Wed Jul 13 22:41:51 2016
The CL last changed line 690 of file HTMLImageElement.cpp, which is stack frame 6.
============================
Suspected Project: chromium

Currently it is impacting the latest Stable (52.0.2743.116) & Beta (53.0.2785.70).

From the above blame list, suspecting the changes made to file ImageBitmap.cpp, which is stack frame 1.
Suspect: https://chromium.googlesource.com/chromium/src/+/40a0e3e6e5beae8eee2432dabbe40632c9f437f5
sunil.ratnu@: Could you please take a look into this if it's related to your change.
Labels: Pri-2

Comment 3 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: ----
Status: WontFix (was: Assigned)
This is not a dangerous problem.
