Undefined-shift in sfntly::ReadableFontData::ReadLong |
|||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5858199402184704 Fuzzer: libfuzzer_sfntly_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: sfntly::ReadableFontData::ReadLong sfntly::FontFactory::LoadCollectionForBuilding sfntly::FontFactory::LoadCollectionForBuilding Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310 Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94j9-KhkCi9yzzAiLj2bO9tEUJK3WYevAt9sMORpIP_ElP8Uk_7x-G2E442HhIc8jwQHOyBCRaUDLexNFr5FAXfLue633B2FnxbTbHzjZWhB_MppTNfKIOYFB0KYOatwlWJCo0grKrRU_suP3842ZSNvt_nWA?testcase_id=5858199402184704 Additional requirements: Requires Gestures Issue manually filed by: tkonchada See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Sep 13 2016
,
Sep 14 2016
behdad: Let me know if you want to review the attached patches for this and bug 646347 via a GitHub pull request or by some other means. No rush.
,
Oct 19 2016
Fix some more UBSAN errors in my revised patch.
,
Oct 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0c0e20baae5cfc32465e84d0e56a82ab874788e9 commit 0c0e20baae5cfc32465e84d0e56a82ab874788e9 Author: thestig <thestig@chromium.org> Date: Tue Oct 25 01:05:52 2016 Roll DEPS for sfntly 1ef790a..e33ba7a https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug 1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort. d651349 Check for negative size in NameTable::NameAsBytes. 8475d2f Avoid NULL derefs inside FontHeaderTable::Builder. 1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong. 083b02b Fix NULL pointer derefs in sfntly::Font::Builder. 6d1efaa Fix out of bound access in subtly sample program. cafc4c8 Merge pull request #59 from HalCanary/pronounciation 7d5169e README: pronounciation guide BUG= 638573 , 641452 , 646300 , 646347 ,654663, 655914 TBR=behdad@chromium.org Review-Url: https://codereview.chromium.org/2444123002 Cr-Commit-Position: refs/heads/master@{#427203} [modify] https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9/DEPS
,
Oct 25 2016
,
Oct 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/00b023067c9a330d2041c81871b2804591522416 commit 00b023067c9a330d2041c81871b2804591522416 Author: thestig <thestig@chromium.org> Date: Tue Oct 25 07:26:30 2016 Revert of Roll DEPS for sfntly 1ef790a..e33ba7a (patchset #1 id:1 of https://codereview.chromium.org/2444123002/ ) Reason for revert: Broke some font rendering. e.g. https://crbug.com/659006 Original issue's description: > Roll DEPS for sfntly 1ef790a..e33ba7a > > https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a > > e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug > 1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort. > d651349 Check for negative size in NameTable::NameAsBytes. > 8475d2f Avoid NULL derefs inside FontHeaderTable::Builder. > 1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong. > 083b02b Fix NULL pointer derefs in sfntly::Font::Builder. > 6d1efaa Fix out of bound access in subtly sample program. > cafc4c8 Merge pull request #59 from HalCanary/pronounciation > 7d5169e README: pronounciation guide > > BUG= 638573 , 641452 , 646300 , 646347 ,654663, 655914 > TBR=behdad@chromium.org > > Committed: https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9 > Cr-Commit-Position: refs/heads/master@{#427203} TBR=behdad@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= 638573 , 641452 , 646300 , 646347 ,654663, 655914 Review-Url: https://codereview.chromium.org/2445303002 Cr-Commit-Position: refs/heads/master@{#427296} [modify] https://crrev.com/00b023067c9a330d2041c81871b2804591522416/DEPS
,
Oct 25 2016
,
Oct 25 2016
ClusterFuzz has detected this issue as fixed in range 427165:427235. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5858199402184704 Fuzzer: libfuzzer_sfntly_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Undefined-shift Crash Address: Crash State: sfntly::ReadableFontData::ReadLong sfntly::FontFactory::LoadCollectionForBuilding sfntly::FontFactory::LoadCollectionForBuilding Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=414214:414310 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=427165:427235 Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94j9-KhkCi9yzzAiLj2bO9tEUJK3WYevAt9sMORpIP_ElP8Uk_7x-G2E442HhIc8jwQHOyBCRaUDLexNFr5FAXfLue633B2FnxbTbHzjZWhB_MppTNfKIOYFB0KYOatwlWJCo0grKrRU_suP3842ZSNvt_nWA?testcase_id=5858199402184704 Additional requirements: Requires Gestures See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 25 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 25 2016
,
Oct 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7ac63a352e7556a68224284af29db855b400a679 commit 7ac63a352e7556a68224284af29db855b400a679 Author: thestig <thestig@chromium.org> Date: Wed Oct 26 21:42:15 2016 Roll DEPS for sfntly 1ef790a..6e98497 6e98497 Merge pull request #61 from leizleiz/leizleiz-tablefix ebaa364 Fix breakage from commit 083b02b1. e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug 1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort. d651349 Check for negative size in NameTable::NameAsBytes. 8475d2f Avoid NULL derefs inside FontHeaderTable::Builder. 1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong. 083b02b Fix NULL pointer derefs in sfntly::Font::Builder. 6d1efaa Fix out of bound access in subtly sample program. cafc4c8 Merge pull request #59 from HalCanary/pronounciation 7d5169e README: pronounciation guide BUG= 638573 , 641452 , 646300 , 646347 ,654663, 655914 , 659006 TBR=behdad@chromium.org Review-Url: https://codereview.chromium.org/2452873003 Cr-Commit-Position: refs/heads/master@{#427819} [modify] https://crrev.com/7ac63a352e7556a68224284af29db855b400a679/DEPS
,
Oct 26 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||
Comment 1 by tkonch...@chromium.org
, Sep 13 2016Labels: M-54 Findit-for-crash Te-Logged
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)