Integer-overflow in gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5552426763681792 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage2D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645 Minimized Testcase (10.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9400DHO_pdfH6zoT2FzhX8J6pGZ1VS7uiAawvgz2kqecRap12J8kFtLZa9s6Hm-5lu8shb67mS5lIDoHNsOyWjZLxhstxUCr6bSe-jN4SQsBCyYf8oa3UMQW-zk1wz7byDNePfl0cs9SqLC5Fzzhkf6gWB27A?testcase_id=5552426763681792 Issue manually filed by: piman See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 5 2016
ClusterFuzz has detected this issue as fixed in range 422937:423055. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5552426763681792 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage2D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=422937:423055 Minimized Testcase (10.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9400DHO_pdfH6zoT2FzhX8J6pGZ1VS7uiAawvgz2kqecRap12J8kFtLZa9s6Hm-5lu8shb67mS5lIDoHNsOyWjZLxhstxUCr6bSe-jN4SQsBCyYf8oa3UMQW-zk1wz7byDNePfl0cs9SqLC5Fzzhkf6gWB27A?testcase_id=5552426763681792 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 5 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 11 2016
So, it's not so much that the bug itself was fixed, but a change (namely https://codereview.chromium.org/2221173002 ) shifted some command ids, basically making the same testcase exercise different code paths. That's fairly unavoidable with how we generate command ids today (though maybe we should aim towards only adding new commands at the end of the list). Fuzzer found the bug again after a few days though: https://bugs.chromium.org/p/chromium/issues/detail?id=654792
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by piman@chromium.org
, Sep 27 2016