New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 665432 link

Starred by 1 user
Status: WontFix
Owner:
trchen@chromium.org
Last visit > 30 days ago
Closed: Nov 2016
Cc:
ifratric@google.com
msrchandra@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::IntPoint::move

Project Member Reported by ClusterFuzz, Nov 15 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6074533544198144

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntPoint::move
  blink::operator+=
  blink::PartPainter::paintContents
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410031:410187

Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96u_RiOW0kGqCzvN7sBqUTd4qQ0_9rjlpZDq_0RLMUFBFZ6RQpBb0fl7a8Lv0kGSuzHcyciRbY4v7-dA4SzqDEZ_d1e9SKU-Ad76MuVcpbhSJDDE_nBMudZXh-zPVM7MRCaQTCfMByIJktPw-1YFWuglELAow?testcase_id=6074533544198144

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Nov 15 2016

Cc: msrchandra@chromium.org
Components: Blink>Paint
Labels: Test-Predator-Correct-CLs
Owner: trchen@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from find it, below are the results --
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: trchen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e0614750c320abba64d4f0280e2b82b7c37f3125
Time: Fri Aug 05 21:33:11 2016
Lines 108-113 of file PartPainter.cpp which potentially caused crash are changed in this cl (frame #4, "blink::PartPainter::paint").

Lines 265-275 of file LayoutPart.cpp which potentially caused crash are changed in this cl (frame #3, "blink::LayoutPart::paintContents"; frame #5, "blink::LayoutPart::paint").
Minimum distance from crash line to modified line: 0. (file: LayoutPart.cpp, crashed on: 265, modified: 265).

Suspected Project: chromium
Suspected Component: Blink>Paint

@trchen -- Could you please look into the issue, kindly re-assign if it is not related to your changes.
Thank you.

Comment 2 by trchen@chromium.org, Nov 15 2016

Status: WontFix (was: Assigned)
The testcase contains a huge padding. Overflowing is expected.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by ClusterFuzz, Dec 14 2016 

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6074533544198144

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntPoint::move
  blink::operator+=
  blink::PartPainter::paintContents
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410031:410187
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96u_RiOW0kGqCzvN7sBqUTd4qQ0_9rjlpZDq_0RLMUFBFZ6RQpBb0fl7a8Lv0kGSuzHcyciRbY4v7-dA4SzqDEZ_d1e9SKU-Ad76MuVcpbhSJDDE_nBMudZXh-zPVM7MRCaQTCfMByIJktPw-1YFWuglELAow?testcase_id=6074533544198144

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment