Integer-overflow in round_down_to_int
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4982316525158400

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VhUtTOt9jlKzyYN2v3e1XwPKrPbomHuYrA_aNwdiuoybfPHQKl8oC-5XvW5cRuUUSf4dphIRth-LtjIVnUMwUSVAtyCLWMA5hkyyhVOtVFv3jU12xxLXX2JoD-vKvQsRFA8wUoVy3OD2R8dWQjvgVhfDKRw?testcase_id=4982316525158400

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 25 2016
The path that generates the error is:

    path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
    path.quadTo(SkBits2Float(0xe6275627), SkBits2Float(0x5a29b329), SkBits2Float(0xc79f2aa2), SkBits2Float(0x2ab3272a));  // -1.97556e+23f, 1.19416e+16f, -81493.3f, 3.1824e-13f

round_down_to_int() computes:

    x=-1.97556e+23
    xx=-1.97556e+23
    floorXX=-1.97556e+23
    (int)floorXX=80000000

ubsan complains that (int)floorXX can't have 1 subtracted from it.

This change silences the error:

- return (int)floorXX - (xx == floorXX);
+ return (int) ((unsigned int)floorXX - (xx == floorXX));
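Review bot: the unsigned cast in the `+` line only hides the signed-overflow report; it does not make the function well-defined for this input. floorXX is about -1.97e+23 here, and converting a floating-point value that lies outside the int range to int is itself undefined behaviour in C++, so the 0x80000000 shown in the computation is just what the hardware happens to produce, not a value the code can rely on. Clamp floorXX to the int range (with one unit of headroom for the `- (xx == floorXX)` term) in double before the conversion, after which the subtraction can stay signed and needs no cast.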
Aug 26 2016
ClusterFuzz has detected this issue as fixed in range 414399:414444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4982316525158400

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  round_down_to_int
  round_asymmetric_to_int
  SkScan::FillPath

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414399:414444

Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VhUtTOt9jlKzyYN2v3e1XwPKrPbomHuYrA_aNwdiuoybfPHQKl8oC-5XvW5cRuUUSf4dphIRth-LtjIVnUMwUSVAtyCLWMA5hkyyhVOtVFv3jU12xxLXX2JoD-vKvQsRFA8wUoVy3OD2R8dWQjvgVhfDKRw?testcase_id=4982316525158400

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 26 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 25 2016
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)