
Issue 675139


Issue metadata

Status: WontFix
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Float-cast-overflow in WebCoreDoubleToSkScalar

Reported by ClusterFuzz (Project Member), Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5506706831572992

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  WebCoreDoubleToSkScalar
  blink::affineTransformToSkMatrix
  blink::GraphicsContext::concatCTM
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H9T2eOHPPbD7uN34E2vcvMGwk3XdzH3F_ziU58psw0A3jTIaHX3a8VRHziV1W7r6PKNCBQyIUJWPlAVDi19gC8d3VbThf-YaPnANPx__pFH6qFb3wDFvrlnDXkoT6T1dr113xKVolvKrHXd1adgmHN8G6PA?testcase_id=5506706831572992

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: Test-Predator-Correct-CLs
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Find it.
The result is a list of CLs that change the crashed files. 

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3d4638361677cd371c0cea2030499a00c5e8ad13
Time: Fri Dec 02 16:53:36 2016
File LayoutView.cpp is changed in this cl (and is part of stack frame #4, "blink::LayoutView::paintBoxDecorationBackground")
Minimum distance from crash line to modified line: 25. (file: LayoutView.cpp, crashed on: 417, modified: 392). 

Author: reed
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/e9559d0c2c6dd8408d408b795c86f3ff7dfc178e
Time: Mon Dec 05 22:21:50 2016
File GraphicsContext.cpp is changed in this cl (and is part of stack frame #2, "blink::GraphicsContext::concatCTM")
Minimum distance from crash line to modified line: 67. (file: GraphicsContext.cpp, crashed on: 1261, modified: 1194).

@lukasza -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank You.
Cc: lukasza@chromium.org
Owner: schenney@chromium.org
schenney@, could you PTAL? This looks possibly related to issue 675180 (also overflow in a paint/graphics-related transformation) although there are also some differences (int-vs-float overflow and transformation happening in paint-vs-skia code).

My change (mentioned in #c1 above) only renamed some identifiers and shouldn't have caused any behavior changes. I hope that somebody from third_party/WebKit/Source/core/paint/OWNERS can take a look.
Cc: reed@chromium.org
+reed@ to CC (based on #c1)
I can look into this.
Status: WontFix (was: Assigned)
The change that caused ubsan to start catching float overflow has been reverted, so this is now showing up as fixed by clusterfuzz.

In any event, the problem is with SkDoubleToScalar:
inline SkScalar WebCoreDoubleToSkScalar(double d) {
  // Only NaN and +/-inf are screened out here; a finite double beyond float
  // range still reaches SkDoubleToScalar, where the cast overflows.
  return SkDoubleToScalar(std::isfinite(d) ? d : 0);
}

Any overflow check should appear in SkDoubleToScalar.
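As an added example (not Chromium or Skia code), the following shows why the std::isfinite() check in the quoted wrapper does not prevent a float-cast-overflow report, and what a saturating conversion looks like; the names WouldOverflowFloat, SaturatingDoubleToFloat and ConvertAffineSaturating are hypothetical, with float standing in for SkScalar.

```cpp
#include <cfloat>
#include <cmath>
#include <cstddef>
#include <cstdio>

// Added example, not Chromium or Skia code. Names are hypothetical; they mirror
// the shape of the WebCoreDoubleToSkScalar wrapper quoted in the issue.

// True when static_cast<float>(d) would be an out-of-range conversion, which is
// undefined behaviour in C++ and what UBSan reports as float-cast-overflow.
// std::isfinite() alone does not catch this: 1e300 is finite but far above FLT_MAX.
inline bool WouldOverflowFloat(double d) {
  return std::isfinite(d) && std::fabs(d) > static_cast<double>(FLT_MAX);
}

// Saturating replacement for the plain cast. Non-finite inputs map to 0, the
// same policy the quoted wrapper already uses; finite values beyond float
// range are clamped to +/-FLT_MAX instead of reaching the undefined cast.
inline float SaturatingDoubleToFloat(double d) {
  if (!std::isfinite(d)) return 0.0f;
  if (d > static_cast<double>(FLT_MAX)) return FLT_MAX;
  if (d < -static_cast<double>(FLT_MAX)) return -FLT_MAX;
  return static_cast<float>(d);  // in range: well-defined (rounded) conversion
}

// Converts the six entries of a 2-D affine transform (a, b, c, d, e, f) the way
// a matrix-conversion helper would, returning how many entries had to be
// clamped so a caller can log or reject suspicious transforms.
inline int ConvertAffineSaturating(const double in[6], float out[6]) {
  int clamped = 0;
  for (size_t i = 0; i < 6; ++i) {
    if (WouldOverflowFloat(in[i])) ++clamped;
    out[i] = SaturatingDoubleToFloat(in[i]);
  }
  return clamped;
}

int main() {
  // Constructed input: identity rotation/scale with an absurd translation.
  const double transform[6] = {1.0, 0.0, 0.0, 1.0, 1e300, -1e300};
  float out[6];
  int clamped = ConvertAffineSaturating(transform, out);
  std::printf("clamped %d entries; e=%g f=%g\n", clamped, out[4], out[5]);
  return 0;
}
```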
