Integer-overflow in gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6714769887461376 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage2D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645 Minimized Testcase (0.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YeYxvQpKtpe7bS9m9CBDjpYqbQ0uEqBjOLxMU7SvWRyFqhovMW3rPpuFMFMxo7GDvuq2mlWjtFJiGbVLFKHuhR-8jBjQ2FfJtjxFoj2r5zXfWCghEqKRtRfs3cwA-0iqIcoe-pAOUWf7BX2b5UJq0KdMOMg?testcase_id=6714769887461376 Issue manually filed by: piman See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 11 2016
Taking this one
,
Oct 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/383d5dae3a02d516009ec4ae517e0a433877144f commit 383d5dae3a02d516009ec4ae517e0a433877144f Author: zmo <zmo@chromium.org> Date: Wed Oct 12 18:35:43 2016 Use gfx::Rect::Intersect() to clip for CopyTex{Sub}Image functions. Also, if after the clipping, the area is empty, then no need to process further for *Sub* functions - this gets rid of the overflow issues in the following numerical computation. BUG= 654792 , 654791 TEST=gpu_unittests,webgl_conformance,affected gpu_fuzzer R=piman@chromium.org CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Review-Url: https://codereview.chromium.org/2418433002 Cr-Commit-Position: refs/heads/master@{#424798} [modify] https://crrev.com/383d5dae3a02d516009ec4ae517e0a433877144f/gpu/command_buffer/service/gles2_cmd_decoder.cc [modify] https://crrev.com/383d5dae3a02d516009ec4ae517e0a433877144f/gpu/command_buffer/service/texture_manager.cc
,
Oct 13 2016
ClusterFuzz has detected this issue as fixed in range 424785:424869. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6714769887461376 Fuzzer: libfuzzer_gpu_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: gpu::gles2::GLES2DecoderImpl::DoCopyTexSubImage2D gpu::gles2::GLES2DecoderImpl::HandleCopyTexSubImage2D gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=424785:424869 Minimized Testcase (0.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96YeYxvQpKtpe7bS9m9CBDjpYqbQ0uEqBjOLxMU7SvWRyFqhovMW3rPpuFMFMxo7GDvuq2mlWjtFJiGbVLFKHuhR-8jBjQ2FfJtjxFoj2r5zXfWCghEqKRtRfs3cwA-0iqIcoe-pAOUWf7BX2b5UJq0KdMOMg?testcase_id=6714769887461376 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 21 2017
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by piman@chromium.org
, Oct 11 2016