
Issue 657449

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in SkIRect::height

Project Member Reported by ClusterFuzz, Oct 19 2016

Issue description

Comment 1 by ajha@chromium.org, Oct 20 2016

Cc: ajha@chromium.org
Components: Internals>Skia
Labels: M-54
Owner: bsalomon@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: reed@android.com
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/8a1c16ff38322f0210116fa7293eb8817c7e477e
Time: Wed Dec 17 15:59:43 2008
The CL last changed line 78 of file SkRect.h, which is stack frame 0.

Author: reed
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/157f36d358814a2235aa6284b78a67b725076063
Time: Wed Oct 15 14:05:09 2014
The CL last changed line 80 of file SkRect.h, which is stack frame 1.

Author: mtklein
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/feaadee1c38e1d4e1ec0069a3509ef6fbc5fbeff
Time: Wed Apr 08 18:25:48 2015
The CL last changed line 643 of file SkCanvas.cpp, which is stack frame 2.

Author: mtklein
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/feaadee1c38e1d4e1ec0069a3509ef6fbc5fbeff
Time: Wed Apr 08 18:25:48 2015
The CL last changed line 58 of file SkRecorder.cpp, which is stack frame 3.

Author: mtklein
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/d711d115d28b9838303dcc232516aa2f552f3a2a
Time: Wed Jul 01 14:04:37 2015
The CL last changed line 44 of file SkPictureRecorder.cpp, which is stack frame 4.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 268 of file GraphicsContext.cpp, which is stack frame 5.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 49 of file DrawingRecorder.cpp, which is stack frame 6.

Suspected Project: chromium-skia
Suspected Component: Internals>Skia
===========================================================

None of the above Find It result looks related.

Hence assigning to chromium//src/third_party/skia/OWNERS for help in further investigation.

Comment 2 by bsalo...@google.com, Oct 20 2016

Cc: bsalomon@chromium.org reed@chromium.org
Owner: mtklein@chromium.org

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by ClusterFuzz, Dec 14 2016

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5119371737563136

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkIRect::height
  size
  SkCanvas::resetForNextPicture
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97t_VfcUeH7i1F27i2VkqCC0wg8E1J3BG7HcZystXWKe2XREV_VnTaQN8k7ht5cEBUAFoQbl2ZXSolyGQIuiNGD_PJmzf6EvCAtk-u56yT2Y0nQt982YcfM8Mm3d8v9oLF7vF5uGahSxPLnypBkIc26FMIExw?testcase_id=5119371737563136

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
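The crash state above (SkIRect::height reached from a size() computed in SkCanvas::resetForNextPicture, under the linux_ubsan_chrome job) is the classic signed-overflow shape: a rect whose edges are fuzzed to extreme int32_t values makes fBottom - fTop exceed INT32_MAX. The block below is an added example, not code from this page or from Skia; IRect is a hypothetical stand-in with four int32_t edges, and the checked forms are one way to guard the computation, not the change that closed this bug (the page does not show the fix). The two rects in main() are constructed inputs.

```cpp
// Added example, not Skia's code: how a 32-bit rect height overflows, what
// UBSan reports, and one checked alternative. IRect is a hypothetical
// stand-in with the same four int32_t edges an SkIRect has.
#include <cstdint>
#include <cstdio>
#include <limits>

struct IRect {
    int32_t fLeft, fTop, fRight, fBottom;

    // Naive form: fBottom - fTop in int32_t. When the true difference exceeds
    // INT32_MAX (e.g. fTop = INT32_MIN, fBottom = INT32_MAX) this is signed
    // overflow: undefined behaviour in C++, and exactly what
    // -fsanitize=signed-integer-overflow reports as "Integer-overflow".
    int32_t heightNaive() const { return fBottom - fTop; }
    int32_t widthNaive()  const { return fRight - fLeft; }

    // Widened form: no pair of int32_t values can overflow an int64_t subtraction.
    int64_t height64() const { return int64_t(fBottom) - int64_t(fTop); }
    int64_t width64()  const { return int64_t(fRight) - int64_t(fLeft); }

    // True when a 64-bit result is representable as int32_t.
    static bool fitsInt32(int64_t v) {
        return v >= std::numeric_limits<int32_t>::min() &&
               v <= std::numeric_limits<int32_t>::max();
    }
    bool heightFits() const { return fitsInt32(height64()); }
    bool widthFits()  const { return fitsInt32(width64()); }

    // Checked form: report failure instead of handing back a wrapped value.
    bool heightChecked(int32_t* out) const {
        if (!heightFits()) return false;
        *out = static_cast<int32_t>(height64());
        return true;
    }

    // A rect is usable as a pixel size only if both dimensions are
    // representable and non-negative; this is the guard a size() derived
    // from untrusted bounds needs before the value reaches an allocator.
    bool usableAsSize() const {
        return widthFits() && heightFits() && width64() >= 0 && height64() >= 0;
    }
};

int main() {
    // Constructed inputs: a normal rect and one shaped like a fuzzer would produce.
    const IRect normal{0, 0, 100, 50};
    const IRect fuzzLike{0, std::numeric_limits<int32_t>::min(),
                         10, std::numeric_limits<int32_t>::max()};

    std::printf("normal: height=%d usable=%d\n",
                normal.heightNaive(), normal.usableAsSize());
    std::printf("fuzz-like: height64=%lld fits=%d usable=%d\n",
                static_cast<long long>(fuzzLike.height64()),
                fuzzLike.heightFits(), fuzzLike.usableAsSize());

    // Build with -fsanitize=signed-integer-overflow to see the UBSan report for
    // this line; without the sanitizer it wraps to -1 on two's-complement
    // targets, but the computation is still undefined behaviour.
    std::printf("fuzz-like: naive height=%d\n", fuzzLike.heightNaive());
    return 0;
}
```

The widened and checked forms are the two usual remedies: widen to int64_t wherever a difference of two int32_t edges is consumed, or reject rects whose dimensions do not fit before they become a size. A negative wrapped height is the dangerous case, because a caller that treats "negative" as "empty" may skip work while another multiplies it into an allocation.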

Comment 5 by ClusterFuzz, Dec 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5119371737563136 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
