Integer-overflow in SkOpSegment::updateOppWinding |
||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4799647753437184 Fuzzer: libfuzzer_skia_pathop_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: SkOpSegment::updateOppWinding SkOpSegment::activeOp bridgeOp Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=417606:417694 Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zS_THE7fSf1bw9gl0tqdwLWnSzGj7CHjfKlmNWNBGh419hV-HS6KxRsK8Zx7Yy8pN5hxDVOEPMML_XUc9RkByi1OSqpy98wlylPvfffbwK79n-9aFSN06F6Dwkv5ARia9xtfugHa35YZE0ZSrIhjYVZxHqQ?testcase_id=4799647753437184 Issue manually filed by: mummareddy See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Sep 16 2016
,
Sep 19 2016
,
Sep 19 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/bbfe92bc1dd2b0a65e63b3caed9873dbc4df522a commit bbfe92bc1dd2b0a65e63b3caed9873dbc4df522a Author: caryclark <caryclark@google.com> Date: Mon Sep 19 13:00:35 2016 fix fuzzer bugs Add a couple more cases where Op() fails and returns false when the out of range input values make the internal numeric unstable. TBR=reed@google.com BUG= 647834 , 648068 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2348263002 Review-Url: https://codereview.chromium.org/2348263002 [modify] https://crrev.com/bbfe92bc1dd2b0a65e63b3caed9873dbc4df522a/src/pathops/SkOpCoincidence.cpp [modify] https://crrev.com/bbfe92bc1dd2b0a65e63b3caed9873dbc4df522a/tests/PathOpsOpTest.cpp
,
Sep 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c7397ecfff60fda69006f5cb837a99468fa4e6ca commit c7397ecfff60fda69006f5cb837a99468fa4e6ca Author: skia-deps-roller <skia-deps-roller@chromium.org> Date: Mon Sep 19 13:58:02 2016 Roll src/third_party/skia/ e7a781274..bbfe92bc1 (1 commit). https://chromium.googlesource.com/skia.git/+log/e7a7812744c2..bbfe92bc1dd2 $ git log e7a781274..bbfe92bc1 --date=short --no-merges --format='%ad %ae %s' 2016-09-19 caryclark fix fuzzer bugs BUG= 647834 , 648068 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel TBR=borenet@google.com Review-Url: https://codereview.chromium.org/2343413002 Cr-Commit-Position: refs/heads/master@{#419448} [modify] https://crrev.com/c7397ecfff60fda69006f5cb837a99468fa4e6ca/DEPS
,
Sep 19 2016
,
Sep 20 2016
ClusterFuzz has detected this issue as fixed in range 419427:419465. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4799647753437184 Fuzzer: libfuzzer_skia_pathop_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: SkOpSegment::updateOppWinding SkOpSegment::activeOp bridgeOp Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=417606:417694 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419427:419465 Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zS_THE7fSf1bw9gl0tqdwLWnSzGj7CHjfKlmNWNBGh419hV-HS6KxRsK8Zx7Yy8pN5hxDVOEPMML_XUc9RkByi1OSqpy98wlylPvfffbwK79n-9aFSN06F6Dwkv5ARia9xtfugHa35YZE0ZSrIhjYVZxHqQ?testcase_id=4799647753437184 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 18 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by mummare...@chromium.org
, Sep 16 2016Labels: M-55 Te-Logged
Owner: caryclark@chromium.org
Status: Assigned (was: Untriaged)