New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 651608 link

Starred by 1 user
Status: Verified
Owner:
reed@chromium.org
Email to this user bounced
Closed: Mar 2017
Cc:
bsalomon@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in SkIRect::width

Project Member Reported by ClusterFuzz, Sep 29 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4768396556369920

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::width
  SkCanvas::internalSaveLayer
  SkCanvas::saveLayer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=400830:400850

Minimized Testcase (1.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94x37fSTrNBe2-5iga-9YvFoCXBs2TxqzDOEZQWoI5KdoepL4DkSm0p406QuDl94BuKO3BmExe68mIZRteQULIOt3gTj-CwyFsm8DW2SsIHefgUPMVYsD5B3LH6Xc4zBlPduysvQHwpmVbjZLw_-cPTuwmKOg?testcase_id=4768396556369920

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Sep 29 2016

Cc: bsalomon@chromium.org
Components: Tools>Test>FindIt>WrongResult Infra>Git Internals>Skia
Labels: M-55 Te-Logged
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)
Author: reed@android.com
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/8a1c16ff38322f0210116fa7293eb8817c7e477e
Time: Wed Dec 17 15:59:43 2008
The CL last changed line 72 of file SkRect.h, which is stack frame 0.

Author: robertphillips
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/5139e501c5ac3a511e35c78395c907a176113451
Time: Tue Jul 19 12:10:40 2016
The CL last changed line 1255 of file SkCanvas.cpp, which is stack frame 1.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/4960eeec4a1f2a772654883d7f3615d47bcd5dc3
Time: Fri Dec 18 15:09:18 2015
The CL last changed line 1137 of file SkCanvas.cpp, which is stack frame 2.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/4960eeec4a1f2a772654883d7f3615d47bcd5dc3
Time: Fri Dec 18 15:09:18 2015
The CL last changed line 1123 of file SkCanvas.cpp, which is stack frame 3.

Author: ajuma
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5e77f7d4da0dab1154d866112888e3c5d0e3dfa2
Time: Thu Nov 27 14:19:14 2014
The CL last changed line 73 of file filter_display_item.cc, which is stack frame 4.

Author: wkorman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/971a9c9725e293bd89b7cb1475acdc502065e6b3
Time: Fri Aug 12 05:53:23 2016
The CL last changed line 142 of file display_item_list.cc, which is stack frame 5.

Author: trchen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/772e085e184f7036e8714d45db38a97906cd7073
Time: Fri Jun 24 05:07:29 2016
The CL last changed line 199 of file raster_source.cc, which is stack frame 6.

Suspected Project: chromium-skia
Suspected Component: Internals>Skia
Assigning to the owners of the path //src/third_party/skia/OWNERS.
reed@, could you please take a look and help us to find correct owner if it is not related your changes.

Comment 2 by infe...@chromium.org, Oct 11 2016

Labels: Pri-2

Comment 3 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by ClusterFuzz, Mar 31 2017 

ClusterFuzz has detected this issue as fixed in range 460997:461030.

Detailed report: https://clusterfuzz.com/testcase?key=4768396556369920

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::width
  SkCanvas::internalSaveLayer
  SkCanvas::saveLayer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=400830:400850
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=460997:461030

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94x37fSTrNBe2-5iga-9YvFoCXBs2TxqzDOEZQWoI5KdoepL4DkSm0p406QuDl94BuKO3BmExe68mIZRteQULIOt3gTj-CwyFsm8DW2SsIHefgUPMVYsD5B3LH6Xc4zBlPduysvQHwpmVbjZLw_-cPTuwmKOg?testcase_id=4768396556369920


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Mar 31 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4768396556369920 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment