Integer-overflow in _hb_ot_shape_fallback_spaces
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4788735084593152

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  _hb_ot_shape_fallback_spaces
  hb_ot_shape_internal
  _hb_ot_shape

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.05 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv963hM2BTgOfWgIX4DutmHZ4QccMMjA5PU8C5Lutder3scS4kK7kXvUVfA9fW-o7fCxLHIRDkUXxpmzvRefpo-jT4MpMlwygCgvTkkaaxwLDQKwukFk7TMWQo-SafST0UbM4ef2JdlHH0lxWmRiWNj9LEnfpjQ?testcase_id=4788735084593152

<style>* { zoom: 190652441; </style> K

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 25 2016
Looks like there is another angle to create a giant font using the CSS zoom syntax. We have one way of clamping font sizes now to 10000 on the CSS side where we parse font size values, but we would need to introduce more clamping elsewhere in order to avoid those. Is there a way HarfBuzz could safely bail for too large values, so that we don't have to clamp to somewhat arbitrary values higher up?
Sep 5 2016
The best way might be to move the limit check to exactly when you are creating Skia and HarfBuzz fonts.
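The two comments above turn on one mechanism: a CSS zoom factor multiplies the pixel font size, the size is then converted into HarfBuzz's 32-bit integer scale, and the fallback-space code derives fractions of that scale with plain int arithmetic. The following is an added C++ example, not HarfBuzz's or Chromium's code, that models this path and the two mitigations discussed: a clamp applied where the platform font object is created (so every producer of a size is covered, not only the CSS parser), and range-checked derivation of the scale and of an em-fraction advance so that an out-of-range value is refused instead of wrapping. The 16px base size, the 10000px clamp constant, and the function names `clampFontSizePx`, `xScaleChecked` and `emFractionAdvanceChecked` are constructed for illustration; the 16.16 fixed-point scale passed to `hb_font_set_scale` is the usual HarfBuzz convention, assumed here rather than taken from the page.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Constructed values modeling the report: a 16px base font size multiplied
// by the "zoom: 190652441" from the minimized testcase.
constexpr double kBaseFontSizePx = 16.0;
constexpr double kTestcaseZoom = 190652441.0;
// Clamp value the thread mentions for the CSS-side font-size limit (assumed
// here to be reused at font-creation time).
constexpr double kMaxFontSizePx = 10000.0;

// Hypothetical clamp applied when the Skia/HarfBuzz font object is created,
// so any path that produces a size (parser, zoom, transforms) goes through it.
double clampFontSizePx(double px) {
  if (!(px > 0.0)) return 0.0;  // rejects negatives and NaN
  return px < kMaxFontSizePx ? px : kMaxFontSizePx;
}

// HarfBuzz takes its font scale as a 32-bit int, conventionally 16.16 fixed
// point (size * 65536). Deriving it from an unbounded pixel size is where a
// huge zoom becomes an out-of-range int; this version refuses instead.
std::optional<int32_t> xScaleChecked(double fontSizePx) {
  double scaled = fontSizePx * 65536.0;
  if (!(scaled >= 0.0) ||
      scaled > static_cast<double>(std::numeric_limits<int32_t>::max()))
    return std::nullopt;
  return static_cast<int32_t>(scaled);
}

// Models the fallback-space arithmetic that derives a rounded fraction of an
// em (e.g. 1/16 em) from x_scale: (x_scale + divisor/2) / divisor. The
// addition is pre-checked so it cannot overflow when x_scale is near INT32_MAX,
// which is the class of defect UBSan reports as "Integer-overflow".
std::optional<int32_t> emFractionAdvanceChecked(int32_t xScale, int32_t divisor) {
  if (divisor <= 0) return std::nullopt;
  int32_t half = divisor / 2;
  if (xScale > std::numeric_limits<int32_t>::max() - half) return std::nullopt;
  return (xScale + half) / divisor;
}

// End-to-end: the size the testcase produces, without and with the clamp.
bool unclampedSizeOverflows() {
  return !xScaleChecked(kBaseFontSizePx * kTestcaseZoom).has_value();
}

bool clampedSizeFits() {
  return xScaleChecked(clampFontSizePx(kBaseFontSizePx * kTestcaseZoom)).has_value();
}

int main() {
  double huge = kBaseFontSizePx * kTestcaseZoom;
  std::printf("unclamped %.0f px -> x_scale %s\n", huge,
              unclampedSizeOverflows() ? "rejected (would overflow)" : "fits");
  double clamped = clampFontSizePx(huge);
  auto xs = xScaleChecked(clamped);
  auto adv = emFractionAdvanceChecked(*xs, 16);
  std::printf("clamped %.0f px -> x_scale %d, 1/16 em advance %d\n",
              clamped, *xs, *adv);
  return 0;
}
```

The point of returning `std::optional` rather than silently clamping inside the arithmetic is that the caller creating the font sees the rejection and can fall back to a sane size in one place, which is the "bail for too large values" behaviour the Aug 25 comment asks for.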
Oct 11 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
ClusterFuzz testcase 4788735084593152 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmohammad@chromium.org, Aug 25 2016
Status: Assigned (was: Untriaged)