Float-cast-overflow in SubpixelAlignment
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5036377780781056

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  SubpixelAlignment
  SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, void
  SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944k-iw2LUcoaLN2xmaiR7gyFU5Uw7yqq-Q4txz5vNm8pRJt5SUnAzd-h6-3sc9Y0L4zoXUB_DcPiLVBuEpShoCAeBvMdmvGeB7mYxPiF-IV2wIC8wpRz5NwG8_MUhHuIRL8RM9dQHCojLvx24uvtiPbkDSEQ?testcase_id=5036377780781056

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 21 2016
Dec 21 2016
This is a result of trying to place subpixel positioned glyphs at infinity. At some point we try to discover what the subpixel position of the glyph is and cast that to an integer, but in this case that subpixel position turned out to be NaN. While this is technically undefined behavior, it turns out that the effect is that glyphs at infinity won't be subpixel positioned correctly.
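What the comment above describes, as an added example that is not Skia's code and not the change in the linked fix commit: a simplified 16.16 fixed-point subpixel step in which the fractional part of a glyph position is cast to an integer. For a NaN or infinite coordinate the fraction is NaN, and C++ leaves a float-to-integer conversion of a value that does not fit the destination type undefined, which is exactly what UBSan's float-cast-overflow check reports. The hardened variant rejects non-finite input before any cast. The names `Fixed`, `fraction`, `castToInt32IsDefined`, `subpixelUnsafe` and `subpixelSafe` are assumptions for this example.

```cpp
// Added example, not Skia's code. A hypothetical 16.16 fixed-point subpixel
// alignment step, the float-to-integer cast that is undefined for NaN/Inf,
// and a guard that checks finiteness first. All names here are assumptions.
#include <cmath>
#include <cstdint>
#include <limits>

using Fixed = int32_t;                 // hypothetical 16.16 fixed-point type
constexpr double kFixedOne = 65536.0;  // 1.0 in 16.16

// Fractional part of a coordinate, in [0, 1) for finite input. The
// subtraction is exact for floats, so the result never rounds up to 1.0.
// For +/-Inf the result is Inf - Inf = NaN; for NaN it stays NaN.
static float fraction(float x) {
    return x - std::floor(x);
}

// C++ [conv.fpint]: converting a floating value to an integer type is
// defined only if the value truncated toward zero is representable in the
// destination type. NaN and +/-Inf are never representable, so the cast is
// undefined behaviour; clang's -fsanitize=float-cast-overflow reports it.
static bool castToInt32IsDefined(double v) {
    return std::isfinite(v) && v > -2147483649.0 && v < 2147483648.0;
}

// Unsafe: with x = NaN or +/-Inf the product is NaN and the cast is UB.
// Do not call this with a non-finite coordinate.
static Fixed subpixelUnsafe(float x) {
    return static_cast<Fixed>(fraction(x) * kFixedOne);
}

struct SubpixelResult {
    bool finite;   // false if the input coordinate was NaN or +/-Inf
    Fixed offset;  // 16.16 subpixel offset; 0 (pixel-aligned) when !finite
};

// Hardened: refuse non-finite coordinates before any cast. A finite fraction
// scaled by kFixedOne lies in [0, 65536), which always fits int32_t.
static SubpixelResult subpixelSafe(float x) {
    if (!std::isfinite(x)) {
        return {false, 0};
    }
    double scaled = fraction(x) * kFixedOne;
    return {true, static_cast<Fixed>(scaled)};
}
```

Under `-fsanitize=float-cast-overflow`, `subpixelUnsafe(std::numeric_limits<float>::infinity())` is reported at the `static_cast`, while `subpixelSafe` returns `{false, 0}` for the same input and never reaches a cast.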
Dec 21 2016
The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/49e59b2df4065d856e4e03d433f2facd2a5548ca

commit 49e59b2df4065d856e4e03d433f2facd2a5548ca
Author: Herb Derby <herb@google.com>
Date: Wed Dec 21 22:00:06 2016

Protect glyph sub-pixel placement against NaN and Inf.

BUG= chromium:675106

Change-Id: I3f8f2575ca3d1b02615be00d66cf7a123407c5a3
Reviewed-on: https://skia-review.googlesource.com/6404
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Herb Derby <herb@google.com>

[modify] https://crrev.com/49e59b2df4065d856e4e03d433f2facd2a5548ca/src/core/SkFindAndPlaceGlyph.h
Dec 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/24028a99d56f975c34697022bb311de6812e8544

commit 24028a99d56f975c34697022bb311de6812e8544
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Thu Dec 22 00:05:03 2016

Roll src/third_party/skia/ 0857527e8..99c9796dd (4 commits).

https://skia.googlesource.com/skia.git/+log/0857527e8676..99c9796dde4c

$ git log 0857527e8..99c9796dd --date=short --no-merges --format='%ad %ae %s'
2016-12-21 rmistry Revert "Revert "Fix issue in SkDebugCanvas where filter canvas prevents GrOp bounds from drawing""
2016-12-21 rmistry Revert "Fix issue in SkDebugCanvas where filter canvas prevents GrOp bounds from drawing"
2016-12-21 herb Protect glyph sub-pixel placement against NaN and Inf.
2016-12-21 bsalomon Fix issue in SkDebugCanvas where filter canvas prevents GrOp bounds from drawing

BUG= 675106

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=rmistry@google.com

Review-Url: https://codereview.chromium.org/2593223002
Cr-Commit-Position: refs/heads/master@{#440271}

[modify] https://crrev.com/24028a99d56f975c34697022bb311de6812e8544/DEPS
Dec 22 2016
ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5036377780781056

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  SubpixelAlignment
  SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, void
  SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (0.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944k-iw2LUcoaLN2xmaiR7gyFU5Uw7yqq-Q4txz5vNm8pRJt5SUnAzd-h6-3sc9Y0L4zoXUB_DcPiLVBuEpShoCAeBvMdmvGeB7mYxPiF-IV2wIC8wpRz5NwG8_MUhHuIRL8RM9dQHCojLvx24uvtiPbkDSEQ?testcase_id=5036377780781056

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
ClusterFuzz testcase 5036377780781056 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Dec 21 2016
Components: Internals>Skia
Labels: Test-Predator-Correct-CLs
Owner: brianosman@chromium.org
Status: Assigned (was: Untriaged)