Integer-overflow in XRect_roundOut |
||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6705463188258816 Fuzzer: miaubiz_svg_fuzzer Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: XRect_roundOut SkScan::AntiFillXRect aa_square_proc Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570 Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv975mntPulcwCflDst79ZRqxIB9_n25Xq5d6EYU4f4PocVcZWpg4jVLsUacBtcjXP6HjYDRNToNC_sFR_0Ofaou4p8B1hdtOERq0mG2Tj3SYWMdXPuObq-iuCOkL0dqpyAj_ds9uj4Malc35yOa_lE0mjDXGpQ?testcase_id=6705463188258816 Issue manually filed by: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 15 2016
We can definitely rule that CL out. It's a complete no-op refactor in terms of behavior... it should generate identical binary output.
,
Oct 4 2016
Unable to find actual suspect for this issue, so marking it as available and adding Needs-triage label
,
Oct 5 2016
SkRecordDraw.cpp file is not accessible, so assigning to owners of //src/third_party/skia/ the file. reed@, could you please take a look and help us to find right owner for this issue.
,
Oct 5 2016
,
Oct 11 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 18 2017
ClusterFuzz has detected this issue as fixed in range 456626:457730. Detailed report: https://clusterfuzz.com/testcase?key=6705463188258816 Fuzzer: miaubiz_svg_fuzzer Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: XRect_roundOut SkScan::AntiFillXRect aa_square_proc Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=398502:398570 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=456626:457730 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv975mntPulcwCflDst79ZRqxIB9_n25Xq5d6EYU4f4PocVcZWpg4jVLsUacBtcjXP6HjYDRNToNC_sFR_0Ofaou4p8B1hdtOERq0mG2Tj3SYWMdXPuObq-iuCOkL0dqpyAj_ds9uj4Malc35yOa_lE0mjDXGpQ?testcase_id=6705463188258816 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 18 2017
ClusterFuzz testcase 6705463188258816 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by mummare...@chromium.org
, Sep 15 2016Labels: M-54 Te-Logged
Owner: mtklein@chromium.org
Status: Assigned (was: Untriaged)