New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 656191 link

Starred by 1 user
Status: WontFix
Owner:
wkorman@chromium.org
Last visit > 30 days ago
Closed: Oct 2016
Cc:
pdr@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::IntRect::inflateX

Project Member Reported by ClusterFuzz, Oct 14 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577232611966976

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::inflateX
  inflate
  blink::ObjectPainter::paintOutline
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96NcZmFpjAAStoAT1X4nnndLi5WYZNfNqdP6H2EEFmB51q3_mm6tzEE5Jdvar-zYGJpW_UEffmlEFgeVOfgwvVjBBekdrzBg6BhhK8hYsq54vA2sQNdzU4dOWCFFIYDLd65Ovk6V467hxWDfDtx0HxeF3JAZg?testcase_id=4577232611966976

Additional requirements: Requires Gestures

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Oct 14 2016

Components: Tools>Test>FindIt>WrongResult Blink>Paint
Labels: M-54 Te-Logged
Owner: wkorman@chromium.org
Status: Assigned (was: Untriaged)
Suspected CL is
https://chromium.googlesource.com/chromium/src/+/c38aced892d8066f08f3babe797d0daca9f66611

wkorman@, could you please take a look and help us to find correct owner if it is not related your changes.

Comment 2 by wkorman@chromium.org, Oct 17 2016

Cc: pdr@chromium.org
Status: WontFix (was: Assigned)
Two notes:

- we discussed ubsan int overflow issues in paint code like this recently with aarya@ team and noted we believe these to be safe and will close as WontFix.

- the suspected CL was aimed at fixing these overflows, rather than causing; but, also, the ObjectPainter portion was subsequently reverted in https://codereview.chromium.org/2408373002/

Comment 3 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment