New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 658714 link

Starred by 1 user
Status: Fixed
Owner:
glebl@chromium.org
Last visit > 30 days ago
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::LayoutListItem::calcValue

Project Member Reported by ClusterFuzz, Oct 24 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4949437635100672

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutListItem::calcValue
  blink::LayoutListItem::updateValueNow
  blink::LayoutListItem::value
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv953AvokF7gdTV6WX4dDgeIKZfJc7GYxlPoA0xEsRbXrr4-1pTHv2u69TXZVcwvtORMEZJbraugvnVL6KohEUkWmgXj26Rhhz3Eba8JwIGwRKmv9cPXuYHiG9dbQpLHrIekYBa1S-LS_iqGQJINXtA28NSgDRA?testcase_id=4949437635100672

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Oct 27 2016

Components: Blink>Layout
Labels: M-55 Te-Logged
Owner: glebl@chromium.org
Status: Assigned (was: Untriaged)
Suspected CL
https://codereview.chromium.org/2328623003
glebl@, could you please take a look and help us to find correct owner if it is not related your changes.
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 21 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e451db7ebedfa9a2b43b99f4c789cdde7ca97421

commit e451db7ebedfa9a2b43b99f4c789cdde7ca97421
Author: glebl <glebl@chromium.org>
Date: Tue Feb 21 19:41:07 2017

Make LayoutListItem::value to use SaturatedAddition to prevent integer overflow

The problem has been spotted by UBSan.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4949437635100672

BUG= 658714 

Review-Url: https://codereview.chromium.org/2695223007
Cr-Commit-Position: refs/heads/master@{#451822}

[modify] https://crrev.com/e451db7ebedfa9a2b43b99f4c789cdde7ca97421/third_party/WebKit/Source/core/layout/LayoutListItem.cpp

Comment 4 by glebl@chromium.org, Feb 21 2017

Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, Feb 22 2017 

ClusterFuzz has detected this issue as fixed in range 451788:451857.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4949437635100672

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutListItem::calcValue
  blink::LayoutListItem::updateValueNow
  blink::LayoutListItem::value
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=451788:451857

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953AvokF7gdTV6WX4dDgeIKZfJc7GYxlPoA0xEsRbXrr4-1pTHv2u69TXZVcwvtORMEZJbraugvnVL6KohEUkWmgXj26Rhhz3Eba8JwIGwRKmv9cPXuYHiG9dbQpLHrIekYBa1S-LS_iqGQJINXtA28NSgDRA?testcase_id=4949437635100672


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment