New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 641072 link

Starred by 1 user
Status: Verified
Owner:
reed@chromium.org
Email to this user bounced
Closed: Aug 2016
Cc:
caryclark@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in round_down_to_int

Project Member Reported by ClusterFuzz, Aug 25 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4982316525158400

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VhUtTOt9jlKzyYN2v3e1XwPKrPbomHuYrA_aNwdiuoybfPHQKl8oC-5XvW5cRuUUSf4dphIRth-LtjIVnUMwUSVAtyCLWMA5hkyyhVOtVFv3jU12xxLXX2JoD-vKvQsRFA8wUoVy3OD2R8dWQjvgVhfDKRw?testcase_id=4982316525158400

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mmohammad@chromium.org, Aug 25 2016

Cc: caryclark@chromium.org
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)
reed @ could you please look into this.please feel free to re-assigned back if needed. thanks in advance

Comment 2 by caryclark@chromium.org, Aug 25 2016 

The path that generates the error is:

  path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0

  path.quadTo(SkBits2Float(0xe6275627), SkBits2Float(0x5a29b329), SkBits2Float(0xc79f2aa2), SkBits2Float(0x2ab3272a));  // -1.97556e+23f, 1.19416e+16f, -81493.3f, 3.1824e-13f

round_down_to_int() computes:

  x=-1.97556e+23 
  xx=-1.97556e+23 
  floorXX=-1.97556e+23 
  (int)floorXX=80000000

usban complains that (int)floorXX can't have 1 subtracted from it.

This change silences the error:

  -    return (int)floorXX - (xx == floorXX);
  +    return (int) ((unsigned int)floorXX - (xx == floorXX));
Project Member

Comment 3 by ClusterFuzz, Aug 26 2016 

ClusterFuzz has detected this issue as fixed in range 414399:414444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4982316525158400

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414399:414444

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VhUtTOt9jlKzyYN2v3e1XwPKrPbomHuYrA_aNwdiuoybfPHQKl8oC-5XvW5cRuUUSf4dphIRth-LtjIVnUMwUSVAtyCLWMA5hkyyhVOtVFv3jU12xxLXX2JoD-vKvQsRFA8wUoVy3OD2R8dWQjvgVhfDKRw?testcase_id=4982316525158400

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Aug 26 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment