New issue
Advanced search Search tips

Issue 660135 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::ChromePrintContext::spoolPage

Project Member Reported by ClusterFuzz, Oct 27 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6429163960664064

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ChromePrintContext::spoolPage
  blink::ChromePrintContext::spoolSinglePage
  printing::PrintWebViewHelper::RenderPageContent
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=427353:427578

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97HrRPwNSI3vAkdAyEEklzMFH_rMafaFM2pKBw8WMzZDFBgZzVBOklcJOPtjeWQtqrvuWDsHr341XfdBvSjlnYNVchQHQ6CU4Yax9szifFk5iiwZcckhiXZb5U71C8B5q-6qSe3FtHLaJO4fTcmHRHmuN7omh-aUK9Lckz5jkrfW520w1c?testcase_id=6429163960664064


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: rbpotter@chromium.org
Status: Assigned (was: Untriaged)
rbpotter @ could you please look into this.please feel free to re-assigned back if needed. thanks in advance !
Components: Internals>Printing
Project Member

Comment 3 by bugdroid1@chromium.org, Oct 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f5080ac8257bc1dacb6045bdf2d2a3fedb95531

commit 2f5080ac8257bc1dacb6045bdf2d2a3fedb95531
Author: rbpotter <rbpotter@chromium.org>
Date: Sat Oct 29 04:22:29 2016

Printing: Fix undefined behavior for near 0 scaling.

Sometimes casting 0 integer value to a float results in a very
small number (on the order of 1e-312). This results in integer
overflows when this scaling is used. Check scaling against
0.01f instead of 0 since we know it has to be an integer/100.
If it is less than .01 the value must have been 0 (not set),
so set it to the default value (1.0).

Undefined behavior was introduced in:
https://crrev.com/427556

BUG= 660135 

Review-Url: https://codereview.chromium.org/2454293004
Cr-Commit-Position: refs/heads/master@{#428597}

[modify] https://crrev.com/2f5080ac8257bc1dacb6045bdf2d2a3fedb95531/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/2f5080ac8257bc1dacb6045bdf2d2a3fedb95531/components/printing/renderer/print_web_view_helper.h
[modify] https://crrev.com/2f5080ac8257bc1dacb6045bdf2d2a3fedb95531/components/printing/renderer/print_web_view_helper_mac.mm

Project Member

Comment 4 by ClusterFuzz, Oct 29 2016

ClusterFuzz has detected this issue as fixed in range 428482:428575.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6429163960664064

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ChromePrintContext::spoolPage
  blink::ChromePrintContext::spoolSinglePage
  printing::PrintWebViewHelper::RenderPageContent
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=427353:427578
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=428482:428575

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97HrRPwNSI3vAkdAyEEklzMFH_rMafaFM2pKBw8WMzZDFBgZzVBOklcJOPtjeWQtqrvuWDsHr341XfdBvSjlnYNVchQHQ6CU4Yax9szifFk5iiwZcckhiXZb5U71C8B5q-6qSe3FtHLaJO4fTcmHRHmuN7omh-aUK9Lckz5jkrfW520w1c?testcase_id=6429163960664064


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Oct 29 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment