Float-cast-overflow in blink::SVGIntegerOptionalInteger::setValueAsString
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369490209767424

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SVGIntegerOptionalInteger::setValueAsString
  blink::SVGAnimatedOrder::setBaseValueAsString
  blink::SVGElement::parseAttribute

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97iGz9Z70LfUhHtw-GpcYZoBgCHlWO4_8crlAnLBfiEbUq0_jdT5_FEoWKnxHiOdC6aQCUlkj7ToNvOF5O7uu87KtggAktQLGYrvaDe4JSNYwpnAoGMI08bA2ryb0zS1TaRnJwKNz50O9_6ByLwZUocEFwBGg?testcase_id=5369490209767424

<script>
tCF49 = document.createElementNS("http://www.w3.org/2000/svg", "feConvolveMatrix");
tCF49.setAttribute("order", "2147483578");
</script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c81442affec64a78e310df6c7dfd5a05ff520cf4

commit c81442affec64a78e310df6c7dfd5a05ff520cf4
Author: fs <fs@opera.com>
Date: Mon Dec 19 20:07:23 2016

Stricter float-to-int conversion in SVGIntegerOptionalInteger

SVGIntegerOptionalInteger parses values as floats but stores them as integers. Add helpers to avoid issues with overflow and to make this conversion the same way in all places it's needed. The "normal" parsing code would truncate the float value while the parsing code for animation values would round. Make them both use truncation (and avoid duplicating the code.)

BUG=675130
Review-Url: https://codereview.chromium.org/2590433002
Cr-Commit-Position: refs/heads/master@{#439533}

[add] https://crrev.com/c81442affec64a78e310df6c7dfd5a05ff520cf4/third_party/WebKit/LayoutTests/svg/dom/integer-optional-integer-value-range.html
[modify] https://crrev.com/c81442affec64a78e310df6c7dfd5a05ff520cf4/third_party/WebKit/Source/core/svg/SVGIntegerOptionalInteger.cpp
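The commit message describes the fix as a shared helper that truncates the parsed float and handles the case where it does not fit in an int. A plain `static_cast<int>` of an out-of-range float is undefined behaviour in C++, which is exactly what UBSan's float-cast-overflow check flags when an attacker-controlled attribute string such as the `order` value in the test case reaches that conversion. The block below is an added illustration of that pattern, not Blink's code and not taken from the commit: a saturating, truncating float-to-int helper plus a small parser for the `<n> [<m>]` form. The names `truncateFloatToIntSaturating` and `parseIntegerOptionalInteger` are hypothetical.

```cpp
#include <climits>
#include <cmath>
#include <cstdlib>
#include <string>

// Truncating, saturating float -> int conversion (added example; not Blink's helper).
// static_cast<int>(f) is undefined behaviour when the truncated value lies outside
// int's range, so the range check happens in float before the cast.
int truncateFloatToIntSaturating(float value) {
    if (std::isnan(value))
        return 0;  // NaN has no sensible integer; treat as 0 rather than cast it
    // INT_MAX is not representable as float; it rounds up to 2147483648.0f, so any
    // float >= that bound cannot fit in int and must saturate. INT_MIN is exact.
    const float intMaxAsFloat = static_cast<float>(INT_MAX);
    const float intMinAsFloat = static_cast<float>(INT_MIN);
    if (value >= intMaxAsFloat)
        return INT_MAX;
    if (value <= intMinAsFloat)
        return INT_MIN;
    return static_cast<int>(value);  // in range: truncation toward zero is defined
}

// Parses "<n>" or "<n> <m>" (space or comma separated) as floats, then converts
// each with the helper above so both values go through the same safe path.
// Returns false if no leading number could be parsed.
bool parseIntegerOptionalInteger(const std::string& text, int& first, int& second) {
    const char* begin = text.c_str();
    char* end = nullptr;
    float a = std::strtof(begin, &end);
    if (end == begin)
        return false;
    first = truncateFloatToIntSaturating(a);

    const char* rest = end;
    while (*rest == ' ' || *rest == ',')
        ++rest;
    if (*rest == '\0') {
        second = first;  // optional second integer defaults to the first
        return true;
    }
    float b = std::strtof(rest, &end);
    if (end == rest)
        return false;
    second = truncateFloatToIntSaturating(b);
    return true;
}
```

The important design point is that the bound is compared in the float domain: comparing against `INT_MAX` after the cast would be too late, because the cast itself is the undefined operation. Saturating to `INT_MAX`/`INT_MIN` keeps the parser total over any input string, which is the property a fuzzer like the one that found this bug is effectively probing for.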
Dec 20 2016
ClusterFuzz has detected this issue as fixed in range 439520:439552.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369490209767424
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=439520:439552

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 20 2016
Comment 1 by f...@opera.com, Dec 19 2016
Owner: f...@opera.com
Status: Assigned (was: Untriaged)