Integer-overflow in blink::Region::Shape blink::Region::Shape::shapeOperation<blink::Region::Shape::
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6582320914235392
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::Region::Shape blink::Region::Shape::shapeOperation<blink::Region::Shape::
  unionShapes
  blink::Region::unite
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZqqSGcQWxVIyuQBhkQyeadQU3DBDgN7YbjFQcE2rR_G6hudgbZ183H4JGIQ_MaFk3kkYHvAzK4zsxaGTdgCEiVOTOQ0x-ALZp5V--MMI0DT6dzphmRdj6pNI4u1Vhy90crwogBznTzpM-OrBRkEw8LkuijA?testcase_id=6582320914235392
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 9 2017
ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion is building a region that is larger than MAX_INT in height, which is of course not representable anymore.

shouldHandleScrollGestureOnMainThreadRegion.unite(box) <-- this is called twice, with the following two rects in this case:

[1:1:0109/144842.168061:531148352318:ERROR:ScrollingCoordinator.cpp(904)] "2130640896,-33521678 32768x33554432"
[1:1:0109/144842.168303:531148352512:ERROR:ScrollingCoordinator.cpp(904)] "2130657408,2130673536 16826239x65536"

I'm not sure we want region to silently clamp things. I can change Region to no longer overflow, but then IntRect does instead. Maybe that's the level we want to clamp? Or should the ScrollingCoordinator have to deal with this? I think +pdr has looked at some of this stuff in blink before. And +bokan for scrolling.
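Worked example of the overflow described in the comment above. This is an added example, not Blink's IntRect or Region code: IntRect, UniteResult, checkedUnite, clampToInt and the kScrollBox constants are hypothetical names chosen here. The two boxes are the ones printed by the ScrollingCoordinator log lines ("x,y widthxheight"). The union's x extent fits (its right edge lands exactly on INT_MAX), but maxY - minY is 2164260750, which does not fit in an int; a plain int subtraction there is the signed overflow UBSan reported. The example does all intermediate arithmetic in int64_t so it never performs that overflow itself, and shows one of the options the comment raises (saturating at the rect level) by reporting the overflow and clamping the result. It assumes neither input has a negative width or height.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>

// Minimal rect in the IntRect style: origin plus size, all int.
// Hypothetical type for this example, not Blink's IntRect.
struct IntRect {
    int x;
    int y;
    int width;
    int height;
};

struct UniteResult {
    IntRect rect;       // bounding box of a and b, saturated to the int range
    int64_t rawWidth;   // what unchecked int arithmetic would try to store
    int64_t rawHeight;
    bool overflowed;    // true if rawWidth or rawHeight does not fit in int
};

static int clampToInt(int64_t v) {
    if (v > INT_MAX) return INT_MAX;
    if (v < INT_MIN) return INT_MIN;
    return static_cast<int>(v);
}

// Bounding-box union of two rects. Every intermediate value is computed in
// int64_t, so this function never performs the signed-int overflow that the
// report is about; instead it detects the overflow and saturates the result.
// Assumption: neither input has a negative width or height.
UniteResult checkedUnite(const IntRect& a, const IntRect& b) {
    const int64_t minX = std::min<int64_t>(a.x, b.x);
    const int64_t minY = std::min<int64_t>(a.y, b.y);
    const int64_t maxX = std::max<int64_t>(int64_t{a.x} + a.width,
                                           int64_t{b.x} + b.width);
    const int64_t maxY = std::max<int64_t>(int64_t{a.y} + a.height,
                                           int64_t{b.y} + b.height);

    UniteResult r;
    r.rawWidth = maxX - minX;
    r.rawHeight = maxY - minY;
    r.overflowed = r.rawWidth > INT_MAX || r.rawHeight > INT_MAX;
    r.rect = IntRect{clampToInt(minX), clampToInt(minY),
                     clampToInt(r.rawWidth), clampToInt(r.rawHeight)};
    return r;
}

// The two boxes from the ScrollingCoordinator log lines quoted in the
// comment above, transcribed as constants (x, y, width, height).
static const IntRect kScrollBox1 = {2130640896, -33521678, 32768, 33554432};
static const IntRect kScrollBox2 = {2130657408, 2130673536, 16826239, 65536};

int main() {
    UniteResult r = checkedUnite(kScrollBox1, kScrollBox2);
    std::printf("raw width=%lld raw height=%lld overflowed=%d\n",
                static_cast<long long>(r.rawWidth),
                static_cast<long long>(r.rawHeight), r.overflowed ? 1 : 0);
    std::printf("saturated rect: %d,%d %dx%d\n",
                r.rect.x, r.rect.y, r.rect.width, r.rect.height);
    return 0;
}
```

Running it reports overflowed=1 with raw height 2164260750 and a saturated height of INT_MAX (2147483647); the width, 16842751, is unaffected. Whether to saturate here, in Region, or in the parser that produced the oversized box is exactly the question the thread leaves open; the point of the example is only that the overflow is reproducible from the two logged rects alone and is detectable before the narrowing to int happens.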
Jan 9 2017
We've been closing these as WontFix (e.g. issue 634803). The real fix should be to clamp these numbers in the parser.
Jan 9 2017
Ok, I guess we're not going to clamp them then though.
Comment 1 by mmohammad@chromium.org, Oct 17 2016
Status: Assigned (was: Untriaged)