
Issue 664624 link


Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in gfx::ScaleToEnclosingRect

Project Member Reported by ClusterFuzz, Nov 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6322523127152640

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::ScaleToEnclosingRect
  cc::PictureLayerTiling::CreateMissingTilesInLiveTilesRect
  cc::PictureLayerTilingSet::UpdateTilingsToCurrentRasterSourceForCommit
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=431241:431431

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96MK4W0utG7rOLFt-RREut9TFxebNbtpF0_Lxm9XM8a5m08xnKJF_wuvb-yz-XFSyXdeKGhyEdz5Dpjd27E5FeAweC7JqGmkySzwUb7j5J-aWksont8Oi_s_XDAgIPITZFV82mUKM5JKFWvlutfklbaUew76w?testcase_id=6322523127152640

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Internals>Compositing>Rasterization
Labels: Test-Predator-Correct M-56
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
Author: vmpstr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/a0c89995ac1b48c6886c0b339329bfdd42c27e7d
Time: Thu Nov 10 23:05:14 2016
Lines 129-130 of file picture_layer_tiling.cc which potentially caused crash are changed in this cl (frame #1, "cc::PictureLayerTiling::CreateMissingTilesInLiveTilesRect").

Files picture_layer_impl.cc, picture_layer_tiling_set.cc are changed in this cl (and are part of stack frame #3, "cc::PictureLayerImpl::UpdateRasterSource")
Minimum distance from crash line to modified line: 0. (file: picture_layer_tiling.cc, crashed on: 129, modified: 129).

Suspected Project: chromium
Suspected Component: Internals>Compositing>Rasterization

Comment 2 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by ClusterFuzz, Dec 29 2016

ClusterFuzz has detected this issue as fixed in range 440924:440933.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6322523127152640

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::ScaleToEnclosingRect
  cc::PictureLayerTiling::CreateMissingTilesInLiveTilesRect
  cc::PictureLayerTilingSet::UpdateTilingsToCurrentRasterSourceForCommit
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=431241:431431
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440924:440933

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96MK4W0utG7rOLFt-RREut9TFxebNbtpF0_Lxm9XM8a5m08xnKJF_wuvb-yz-XFSyXdeKGhyEdz5Dpjd27E5FeAweC7JqGmkySzwUb7j5J-aWksont8Oi_s_XDAgIPITZFV82mUKM5JKFWvlutfklbaUew76w?testcase_id=6322523127152640

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Dec 29 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6322523127152640 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
