
Issue 643587


Issue metadata

Status: Verified
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




Integer-overflow in blink::FEGaussianBlur::mapRect

Project Member Reported by ClusterFuzz, Sep 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6055523575398400

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::FEGaussianBlur::mapRect
  blink::FilterEffect::mapRectRecursive
  blink::ReferenceFilterOperation::mapRect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95MV4qKOOl2Itj8dXO_dLIvqL2o_KJohd3Dd8skNntOzPYWcUfjTxF1MqDNGEsyauGmicCZF-ydyTvvgm1T9q0OD2Z7PAc1O0m1xoJSEnEkdQGuIJJZgjKu4E5na0zx_DLZYXa6W484N6r7GN1vG4b9wAaGUA?testcase_id=6055523575398400
<svg>
   <filter id=blurY>
    <feGaussianBlur stdDeviation=2677162610.72>
 <img style="-webkit-filter: url(#blurY);">


Issue manually filed by: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
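The testcase's stdDeviation (2677162610.72) is larger than INT_MAX (2147483647), so any blur outset derived from it cannot fit in a 32-bit int. The example below is added here for illustration and is not Blink code nor the fix for this bug; the exact expression that UBSan flagged in blink::FEGaussianBlur::mapRect is not shown on this page. The names IntRect, blurOutset, mapBlurRectNaive, mapBlurRectClamped and clampToInt are assumptions for the example, and the outset formula is the box-blur approximation from the SVG 1.1 feGaussianBlur note, not Blink's actual kernel sizing. It contrasts the unsafe shape (cast a huge double to int, then do int arithmetic) with a clamped, widened version.

```cpp
#include <climits>
#include <cmath>
#include <iostream>

// Added example, not Blink code. Names (IntRect, blurOutset, mapBlurRect*,
// clampToInt) are assumptions for illustration; the expression that
// overflowed in blink::FEGaussianBlur::mapRect is not on the bug page.

struct IntRect {
    int x;
    int y;
    int width;
    int height;
};

// Box-blur width the SVG 1.1 spec suggests for approximating feGaussianBlur:
// d = floor(s * 3*sqrt(2*pi)/4 + 0.5). Used here as the per-side outset
// (an assumption; Blink's real kernel sizing differs).
double blurOutset(double stdDeviation) {
    constexpr double kFactor = 3.0 * 2.50662827463100 / 4.0;  // 3*sqrt(2*pi)/4
    return std::floor(stdDeviation * kFactor + 0.5);
}

// True when static_cast<int>(v) would be undefined behaviour: v is NaN or
// lies outside (INT_MIN - 1, INT_MAX + 1). Both bounds are exactly
// representable as doubles, so the comparisons are exact.
bool intCastOverflows(double v) {
    const double lo = static_cast<double>(INT_MIN) - 1.0;
    const double hi = static_cast<double>(INT_MAX) + 1.0;
    return !(v > lo && v < hi);
}

// Saturating double -> int: out-of-range values pin to INT_MIN/INT_MAX,
// NaN maps to 0. This is the generic "clamp before casting" pattern, not a
// claim about what the actual fix did.
int clampToInt(double v) {
    if (std::isnan(v)) return 0;
    if (v >= static_cast<double>(INT_MAX)) return INT_MAX;
    if (v <= static_cast<double>(INT_MIN)) return INT_MIN;
    return static_cast<int>(v);
}

// Saturating narrowing of a 64-bit intermediate back to int.
int clampToInt(long long v) {
    if (v > INT_MAX) return INT_MAX;
    if (v < INT_MIN) return INT_MIN;
    return static_cast<int>(v);
}

// Unsafe shape: cast first, then do int arithmetic. With the testcase's
// stdDeviation (2677162610.72) the outset is about 5.0e9, so the cast is
// undefined behaviour and 2 * dx would wrap even if the cast truncated.
// Shown for contrast only; never call it with such input.
IntRect mapBlurRectNaive(const IntRect& in, double sx, double sy) {
    int dx = static_cast<int>(blurOutset(sx));   // UB when out of int range
    int dy = static_cast<int>(blurOutset(sy));
    return { in.x - dx, in.y - dy, in.width + 2 * dx, in.height + 2 * dy };
}

// Hardened shape: clamp the float outset, widen to 64 bits for the
// arithmetic, and saturate once on the way back to int.
IntRect mapBlurRectClamped(const IntRect& in, double sx, double sy) {
    const long long dx = clampToInt(blurOutset(sx));
    const long long dy = clampToInt(blurOutset(sy));
    IntRect out;
    out.x      = clampToInt(static_cast<long long>(in.x) - dx);
    out.y      = clampToInt(static_cast<long long>(in.y) - dy);
    out.width  = clampToInt(static_cast<long long>(in.width)  + 2 * dx);
    out.height = clampToInt(static_cast<long long>(in.height) + 2 * dy);
    return out;
}

int main() {
    const IntRect src{0, 0, 100, 50};               // constructed input rect
    const double evil = 2677162610.72;              // stdDeviation from the testcase
    std::cout << "outset for stdDeviation=" << evil << " overflows int: "
              << std::boolalpha << intCastOverflows(blurOutset(evil)) << "\n";
    const IntRect r = mapBlurRectClamped(src, evil, evil);
    std::cout << "clamped rect: " << r.x << "," << r.y << " "
              << r.width << "x" << r.height << "\n";
    return 0;
}
```

The practical check when triaging a report like this: find every place a filter parameter taken from markup is converted to an integer pixel quantity, and make sure the conversion saturates (or the value is clamped to a sane maximum) before any int arithmetic runs on it. Clamping the stdDeviation itself at parse time is an alternative, but the conversion site is where the UB actually lives.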
 
Components: Tools>Test>FindIt>NoResult Blink>Paint
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)
Unable to find the suspect CL with FindIt. Providing FindIt results for internal purposes.
Suspected CLs
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: a.cavalcanti@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/8468448a90bd67c4c595be48b6d6533926679156
Time: Thu Mar 27 18:51:08 2014
The CL last changed line 85 of file FEGaussianBlur.cpp, which is stack frame 0.

Author: schenney@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/49f8882b47d5da2b5b689b1df188c70a8034044d
Time: Fri Dec 06 12:31:11 2013
The CL last changed line 97 of file FilterEffect.cpp, which is stack frame 1.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/42b8b79d8538d508b2d660e3dab12e8d0839bfaf
Time: Tue Apr 12 00:11:23 2016
The CL last changed line 65 of file FilterOperation.cpp, which is stack frame 2.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/42b8b79d8538d508b2d660e3dab12e8d0839bfaf
Time: Tue Apr 12 00:11:23 2016
The CL last changed line 97 of file FilterOperations.cpp, which is stack frame 3.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/42b8b79d8538d508b2d660e3dab12e8d0839bfaf
Time: Tue Apr 12 00:11:23 2016
The CL last changed line 99 of file FilterOperations.cpp, which is stack frame 5.

Author: jbroman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/42b8b79d8538d508b2d660e3dab12e8d0839bfaf
Time: Tue Apr 12 00:11:23 2016
The CL last changed line 2765 of file PaintLayer.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Paint

Using Code Search for the file "FEGaussianBlur.cpp", assigning to the concerned owner.
Suspecting Commit# 26a7c61ac75372f18bd45fa59a643015759028d7
Suspecting Review URL# https://codereview.chromium.org/1897333002

@jbroman -- Could you please look into the issue? Pardon me if it has nothing to do with your changes.
Thank you.

Comment 3 by ClusterFuzz, Sep 7 2016

ClusterFuzz has detected this issue as fixed in range 416628:416781.

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=416628:416781


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Sep 7 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>NoResult

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
