Integer-overflow in gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage3D |
||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5660343605133312 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage3D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage3D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=412198:412320 Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv955nmChmRV2LVmK8zI6to9W_f1IwzJWfIoodFlJ-bK6140ebqjADqMMUVntYOK2NW2pB41Z9QnNJ-mveR01wDmqCqeMDVrWRI7A6KUX5dLC-iCUoVLpBSvzK6DsUp2D7PN20i0B9sYHrRA7rpKnsGLBcd7ytQ?testcase_id=5660343605133312 Issue manually filed by: piman See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 11 2016
,
Oct 12 2016
,
Oct 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/383d5dae3a02d516009ec4ae517e0a433877144f commit 383d5dae3a02d516009ec4ae517e0a433877144f Author: zmo <zmo@chromium.org> Date: Wed Oct 12 18:35:43 2016 Use gfx::Rect::Intersect() to clip for CopyTex{Sub}Image functions. Also, if after the clipping, the area is empty, then no need to process further for *Sub* functions - this gets rid of the overflow issues in the following numerical computation. BUG= 654792 , 654791 TEST=gpu_unittests,webgl_conformance,affected gpu_fuzzer R=piman@chromium.org CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Review-Url: https://codereview.chromium.org/2418433002 Cr-Commit-Position: refs/heads/master@{#424798} [modify] https://crrev.com/383d5dae3a02d516009ec4ae517e0a433877144f/gpu/command_buffer/service/gles2_cmd_decoder.cc [modify] https://crrev.com/383d5dae3a02d516009ec4ae517e0a433877144f/gpu/command_buffer/service/texture_manager.cc
,
Oct 13 2016
ClusterFuzz has detected this issue as fixed in range 424785:424869. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5660343605133312 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage3D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage3D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=412198:412320 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=424785:424869 Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv955nmChmRV2LVmK8zI6to9W_f1IwzJWfIoodFlJ-bK6140ebqjADqMMUVntYOK2NW2pB41Z9QnNJ-mveR01wDmqCqeMDVrWRI7A6KUX5dLC-iCUoVLpBSvzK6DsUp2D7PN20i0B9sYHrRA7rpKnsGLBcd7ytQ?testcase_id=5660343605133312 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 21 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by piman@chromium.org
, Oct 11 2016