Integer-overflow in blink::FEGaussianBlur::mapRect
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6055523575398400

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::FEGaussianBlur::mapRect
  blink::FilterEffect::mapRectRecursive
  blink::ReferenceFilterOperation::mapRect

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95MV4qKOOl2Itj8dXO_dLIvqL2o_KJohd3Dd8skNntOzPYWcUfjTxF1MqDNGEsyauGmicCZF-ydyTvvgm1T9q0OD2Z7PAc1O0m1xoJSEnEkdQGuIJJZgjKu4E5na0zx_DLZYXa6W484N6r7GN1vG4b9wAaGUA?testcase_id=6055523575398400

  <svg>
  <filter id=blurY>
  <feGaussianBlur stdDeviation=2677162610.72>
  <img style="-webkit-filter: url(#blurY);">

Issue manually filed by: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/35370e15f2dc7f79a23bba93ac0d99417489c175

commit 35370e15f2dc7f79a23bba93ac0d99417489c175
Author: jbroman <jbroman@chromium.org>
Date: Tue Sep 06 20:29:00 2016

Fix integer overflow in FEGaussianBlur::mapRect.

This multiply should be done after the conversion to float, not before.

BUG=643587
Review-Url: https://codereview.chromium.org/2313883003
Cr-Commit-Position: refs/heads/master@{#416702}

[modify] https://crrev.com/35370e15f2dc7f79a23bba93ac0d99417489c175/third_party/WebKit/Source/platform/graphics/filters/FEDropShadow.cpp
[modify] https://crrev.com/35370e15f2dc7f79a23bba93ac0d99417489c175/third_party/WebKit/Source/platform/graphics/filters/FEGaussianBlur.cpp
[modify] https://crrev.com/35370e15f2dc7f79a23bba93ac0d99417489c175/third_party/WebKit/Source/platform/graphics/filters/FilterOperation.cpp
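The commit message above says the multiply in mapRect was done on integers before the conversion to float. The following is an added illustration of that ordering bug and of the fix, not Blink's own code: the kernel-width derivation (`kernelWidthFromStdDeviation`, its scaling factor of 3 and the clamp to INT_MAX), the helper names and the use of an outset of 3 * width * 0.5 are all assumptions made for this example. The "before" variant uses a checked multiply so it reports the overflow that UBSan flagged instead of actually performing the undefined signed-integer multiply.

```cpp
#include <climits>
#include <cmath>

// ASSUMPTION (illustration only): derive an integer kernel width from the SVG
// stdDeviation. Blink's real derivation is not reproduced here. The value is
// clamped into int range because an out-of-range double-to-int conversion is
// itself undefined behaviour and would hide the point being demonstrated.
int kernelWidthFromStdDeviation(double stdDeviation) {
  const double scaled = std::floor(stdDeviation * 3.0 + 0.5);  // factor 3 is an assumption
  if (scaled >= static_cast<double>(INT_MAX)) return INT_MAX;
  if (scaled <= 0.0) return 0;
  return static_cast<int>(scaled);
}

// Shape of the pre-fix expression: the int*int product (3 * kernelWidth) is
// evaluated BEFORE the conversion to float. Signed overflow there is undefined
// behaviour, which is what the UBSan build reported. Instead of performing the
// overflowing multiply, this variant detects it with a checked multiply and
// returns NaN so the caller can see that the "before" ordering fails.
float outsetIntFirst(int kernelWidth) {
  int tripled = 0;
  if (__builtin_mul_overflow(3, kernelWidth, &tripled)) {
    return NAN;  // 3 * kernelWidth does not fit in an int: this is the bug
  }
  return tripled * 0.5f;  // conversion to float happens only here, too late
}

// Shape of the post-fix expression: convert to float FIRST, then multiply.
// A float product cannot overflow the integer range; a huge width just loses
// precision, which is acceptable for a bounding rectangle.
float outsetFloatFirst(int kernelWidth) {
  return 3.0f * static_cast<float>(kernelWidth) * 0.5f;
}

// Does a given stdDeviation trip the integer-first overflow under the
// assumptions above? Used to compare a benign value with the fuzzer's value.
bool stdDeviationTripsOverflow(double stdDeviation) {
  return std::isnan(outsetIntFirst(kernelWidthFromStdDeviation(stdDeviation)));
}

// Stand-alone demonstration with the benign and the fuzzer-supplied values.
int main() {
  const double benign = 2.0;
  const double fromTestcase = 2677162610.72;  // value from the minimized testcase
  const bool benignTrips = stdDeviationTripsOverflow(benign);          // false
  const bool fuzzerTrips = stdDeviationTripsOverflow(fromTestcase);    // true
  const float fixedOutset = outsetFloatFirst(kernelWidthFromStdDeviation(fromTestcase));
  return (!benignTrips && fuzzerTrips && fixedOutset > 0.0f) ? 0 : 1;
}
```

The check worth keeping from this example is the general one: whenever an attacker-controlled SVG attribute feeds an integer expression, multiply it in the wider or floating type first, or use a checked multiply such as `__builtin_mul_overflow`, rather than relying on the later conversion to rescue an already-overflowed int.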
Sep 7 2016
ClusterFuzz has detected this issue as fixed in range 416628:416781.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6055523575398400

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::FEGaussianBlur::mapRect
  blink::FilterEffect::mapRectRecursive
  blink::ReferenceFilterOperation::mapRect

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=416628:416781

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95MV4qKOOl2Itj8dXO_dLIvqL2o_KJohd3Dd8skNntOzPYWcUfjTxF1MqDNGEsyauGmicCZF-ydyTvvgm1T9q0OD2Z7PAc1O0m1xoJSEnEkdQGuIJJZgjKu4E5na0zx_DLZYXa6W484N6r7GN1vG4b9wAaGUA?testcase_id=6055523575398400

  <svg>
  <filter id=blurY>
  <feGaussianBlur stdDeviation=2677162610.72>
  <img style="-webkit-filter: url(#blurY);">

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by msrchandra@chromium.org
Sep 2 2016
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)