
Issue 643443

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 637985
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in gfx::Rect::right

Project Member Reported by ClusterFuzz, Sep 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4691556584128512

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::Rect::right
  gfx::Rect::Intersects
  gfx::Rect::Subtract
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=405563:405613

Minimized Testcase (0.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96NGs4RxJz5mtG1KWfjnrVK_Yxcj3-kvUF-kIjsfbk132izH9LHv9srDvmHiXWKjK4FFie-5lXRw81FAJKXUxPpp8EW9VHwvuBx6CD5cdsMJ8MmAyTn_p2FzLPrIqo4XnJGqPgwrtnFKRkkM12TeCEScIY2xg?testcase_id=4691556584128512

Additional requirements: Requires HTTP

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Internals>Compositing>Rasterization
Labels: findit-wrong M-55 Te-Logged
Owner: pkasting@chromium.org
Status: Assigned (was: Untriaged)

Author: Peter Kasting
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/275539a60ec716bea022200fa650a409772a81bf
Time: Wed Jun 15 01:41:42 2016
The CL last changed line 77 of file rect.h, which is stack frame 0.

pkasting@, could you please take a look and help us find the correct owner if it is not related to your changes.
Owner: danakj@chromium.org
Adding "constexpr" to function declarations does not change overflow behavior.

The compositor is trying to use a rect positioned near INT_MAX.  It's possible the geometry classes could try to detect this sort of overflow, but regardless, fundamentally the fix to avoid allowing this has to happen lower down at the layer consuming them.

->danakj to try to triage better
Mergedinto: 637985
Status: Duplicate (was: Assigned)
Ya we're fixing Rect to not overflow rather than playing whack-a-mole with integer overflows all over the codebase. Patch just landed!
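Added example (not Chromium's code and not the patch referenced above): a minimal stand-in for a Rect shows the condition UBSan reports for a plain `x + width` right() when the rect sits near INT_MAX, alongside a saturating accessor of the kind the "fix Rect to not overflow" direction describes. The struct, function names and the clamp-to-INT_MAX policy are assumptions for illustration; width and height are assumed non-negative.

```cpp
#include <climits>
#include <cstdint>

// Constructed stand-in for a gfx::Rect-like type (not Chromium's class).
struct Rect {
  int x;
  int y;
  int width;
  int height;
};

// True when x + width does not fit in int: the exact condition a UBSan build
// flags as "integer overflow" in a naive `return x + width;` accessor.
bool RightWouldOverflow(const Rect& r) {
  return r.width > 0 && r.x > INT_MAX - r.width;
}

bool BottomWouldOverflow(const Rect& r) {
  return r.height > 0 && r.y > INT_MAX - r.height;
}

// Saturating accessors: compute in 64-bit and clamp to INT_MAX instead of
// wrapping to a negative value, so callers such as Intersects() always see a
// well-defined edge.
int SaturatedRight(const Rect& r) {
  int64_t right = static_cast<int64_t>(r.x) + r.width;
  return right > INT_MAX ? INT_MAX : static_cast<int>(right);
}

int SaturatedBottom(const Rect& r) {
  int64_t bottom = static_cast<int64_t>(r.y) + r.height;
  return bottom > INT_MAX ? INT_MAX : static_cast<int>(bottom);
}

// Intersection test written against the saturating accessors; a rect placed
// near INT_MAX no longer yields a wrapped edge that inverts the comparison.
bool Intersects(const Rect& a, const Rect& b) {
  return a.x < SaturatedRight(b) && b.x < SaturatedRight(a) &&
         a.y < SaturatedBottom(b) && b.y < SaturatedBottom(a);
}
```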
Project Member

Comment 4 by ClusterFuzz, Sep 3 2016

ClusterFuzz has detected this issue as fixed in range 415934:416233.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4691556584128512

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::Rect::right
  gfx::Rect::Intersects
  gfx::Rect::Subtract
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=405563:405613
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=415934:416233

Minimized Testcase (0.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96NGs4RxJz5mtG1KWfjnrVK_Yxcj3-kvUF-kIjsfbk132izH9LHv9srDvmHiXWKjK4FFie-5lXRw81FAJKXUxPpp8EW9VHwvuBx6CD5cdsMJ8MmAyTn_p2FzLPrIqo4XnJGqPgwrtnFKRkkM12TeCEScIY2xg?testcase_id=4691556584128512

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
