
Issue 675130 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Float-cast-overflow in blink::SVGIntegerOptionalInteger::setValueAsString

Project Member Reported by ClusterFuzz, Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369490209767424

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::SVGIntegerOptionalInteger::setValueAsString
  blink::SVGAnimatedOrder::setBaseValueAsString
  blink::SVGElement::parseAttribute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97iGz9Z70LfUhHtw-GpcYZoBgCHlWO4_8crlAnLBfiEbUq0_jdT5_FEoWKnxHiOdC6aQCUlkj7ToNvOF5O7uu87KtggAktQLGYrvaDe4JSNYwpnAoGMI08bA2ryb0zS1TaRnJwKNz50O9_6ByLwZUocEFwBGg?testcase_id=5369490209767424
<script>
tCF49 = document.createElementNS("http://www.w3.org/2000/svg", "feConvolveMatrix");
tCF49.setAttribute("order", "2147483578");
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by f...@opera.com, Dec 19 2016

Components: Blink>SVG
Owner: f...@opera.com
Status: Assigned (was: Untriaged)
Comment 2 by bugdroid1@chromium.org (Project Member), Dec 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c81442affec64a78e310df6c7dfd5a05ff520cf4

commit c81442affec64a78e310df6c7dfd5a05ff520cf4
Author: fs <fs@opera.com>
Date: Mon Dec 19 20:07:23 2016

Stricter float-to-int conversion in SVGIntegerOptionalInteger

SVGIntegerOptionalInteger parses values as floats but stores them as
integers. Add helpers to avoid issues with overflow and to make this
conversion the same way in all places it's needed.
The "normal" parsing code would truncate the float value while the parsing
code for animation values would round. Make them both use truncation (and
avoid duplicating the code).

BUG=675130

Review-Url: https://codereview.chromium.org/2590433002
Cr-Commit-Position: refs/heads/master@{#439533}

[add] https://crrev.com/c81442affec64a78e310df6c7dfd5a05ff520cf4/third_party/WebKit/LayoutTests/svg/dom/integer-optional-integer-value-range.html
[modify] https://crrev.com/c81442affec64a78e310df6c7dfd5a05ff520cf4/third_party/WebKit/Source/core/svg/SVGIntegerOptionalInteger.cpp
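The commit message above describes the fix in general terms: values are parsed as floats but stored as ints, and a float outside the int range cast with `static_cast<int>` is undefined behaviour, which is exactly what UBSan reports as "float-cast-overflow". The following is an added illustration of that pattern, written for this page and not taken from Blink or from the linked commit. It shows a saturating float-to-int helper that truncates (the behaviour the commit settles on) and clamps out-of-range and NaN inputs to a defined value, plus a small parser for the `<integer> [<integer>]` form that `order` uses, where a missing second value defaults to the first as the SVG specification requires. The names `clampedTruncate`, `parseIntegerOptionalInteger` and `IntegerOptionalInteger` are assumptions, not Blink API; the sample inputs in `main` are constructed.

```cpp
#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <string>

// Saturating float -> int conversion with truncation toward zero.
// Casting a float outside [INT_MIN, INT_MAX] (or NaN) to int is undefined
// behaviour in C++; UBSan flags it as "float-cast-overflow". Clamping first
// keeps the cast inside the defined range. (Illustrative helper, not Blink's.)
int clampedTruncate(float value) {
    // -2^31 is exactly representable as float; INT_MAX (2^31 - 1) is not and
    // rounds up to 2^31, so the >= comparison below also catches exactly 2^31.
    constexpr float kMin = static_cast<float>(std::numeric_limits<int>::min());
    constexpr float kMax = static_cast<float>(std::numeric_limits<int>::max());
    if (std::isnan(value))
        return 0;                                   // NaN: pick a defined fallback
    if (value <= kMin)
        return std::numeric_limits<int>::min();
    if (value >= kMax)
        return std::numeric_limits<int>::max();
    return static_cast<int>(value);                 // in range: well-defined truncation
}

// Result of parsing an "<integer> [<integer>]" attribute value.
struct IntegerOptionalInteger {
    int first;
    int second;
    bool valid;
};

// Parses one or two numbers separated by whitespace and/or a comma, then
// converts each with clampedTruncate. If only one number is present the
// second takes the same value (per SVG's number-optional-number rules).
// std::strtof stands in for a real tokenizer; it also accepts forms such as
// "1e10" and "inf", which is why the clamp matters even for short inputs.
IntegerOptionalInteger parseIntegerOptionalInteger(const std::string& text) {
    const char* begin = text.c_str();
    char* end = nullptr;

    float a = std::strtof(begin, &end);
    if (end == begin)
        return {0, 0, false};                       // no leading number at all

    while (*end == ' ' || *end == ',')
        ++end;                                      // skip separator

    float b = a;                                    // default: second == first
    if (*end != '\0') {
        const char* secondBegin = end;
        b = std::strtof(secondBegin, &end);
        if (end == secondBegin)
            return {0, 0, false};                   // trailing junk instead of a number
        while (*end == ' ')
            ++end;
        if (*end != '\0')
            return {0, 0, false};                   // more than two values
    }
    return {clampedTruncate(a), clampedTruncate(b), true};
}

int main() {
    // Constructed sample inputs: an ordinary value, a single value, and values
    // far outside the int range that would be undefined to cast directly.
    const char* samples[] = {"3 5", "4", "1e10", "-1e10, 2.9", "abc"};
    for (const char* s : samples) {
        IntegerOptionalInteger r = parseIntegerOptionalInteger(s);
        std::printf("%-12s -> valid=%d first=%d second=%d\n", s, r.valid, r.first, r.second);
    }
    return 0;
}
```

The single clamp point is the part worth copying: once every parser path (attribute parsing and animation parsing alike) goes through one conversion helper, the question of truncation versus rounding, and of what happens beyond `INT_MAX`, is answered in exactly one place.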

Comment 3 by ClusterFuzz (Project Member), Dec 20 2016

ClusterFuzz has detected this issue as fixed in range 439520:439552.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369490209767424

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::SVGIntegerOptionalInteger::setValueAsString
  blink::SVGAnimatedOrder::setBaseValueAsString
  blink::SVGElement::parseAttribute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=439520:439552

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97iGz9Z70LfUhHtw-GpcYZoBgCHlWO4_8crlAnLBfiEbUq0_jdT5_FEoWKnxHiOdC6aQCUlkj7ToNvOF5O7uu87KtggAktQLGYrvaDe4JSNYwpnAoGMI08bA2ryb0zS1TaRnJwKNz50O9_6ByLwZUocEFwBGg?testcase_id=5369490209767424
<script>
tCF49 = document.createElementNS("http://www.w3.org/2000/svg", "feConvolveMatrix");
tCF49.setAttribute("order", "2147483578");
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by f...@opera.com, Dec 20 2016

Status: Fixed (was: Assigned)
