Float-cast-overflow in blink::SVGLengthContext::convertValueToUserUnits |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5507087070396416

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SVGLengthContext::convertValueToUserUnits
  blink::SVGLengthTearOff::value
  valueAttributeGetter

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (2.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9438VUiOzoodHnNA6YieG0_4pa8QEU1jPwDdH8DgizRUduv2gnMBeit7WuIPCkQ0K9GeJCCNF-IIyKEqdPU0yHRMRu0kz35-2Y9XIZ3koVYuaiqBMJjJqEHIvBggpdBh-PpKS-UgR7OfYIwyhqOV9GtsMXvSA?testcase_id=5507087070396416

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 19 2016
Dec 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/44dabf826136f0ddfab6f908036b68c7dce9a616

commit 44dabf826136f0ddfab6f908036b68c7dce9a616
Author: fs <fs@opera.com>
Date: Wed Dec 21 08:49:36 2016

Use double precision in SVGLengthContext::convertValueToUserUnits

This method does a bunch of <float> * <double> operations, which tickles UBSan's float-overflow warning when the result is stored back into the float (single precision) local variable. We clamp the result to a narrow enough range already at the end (and hence won't see any effects of the overflow, at least assuming IEEE754), but might as well use a double precision local variable, since that actually seems to save a few instructions while also avoiding the overflowing conversion.

BUG=675140

Review-Url: https://codereview.chromium.org/2591663003
Cr-Commit-Position: refs/heads/master@{#440056}

[delete] https://crrev.com/c5a2f126d6e96ef139e4211ff225169b810490f4/third_party/WebKit/LayoutTests/platform/linux/svg/custom/gradient-userSpaceOnUse-with-percentage-expected.png
[delete] https://crrev.com/c5a2f126d6e96ef139e4211ff225169b810490f4/third_party/WebKit/LayoutTests/platform/win/svg/custom/gradient-userSpaceOnUse-with-percentage-expected.png
[rename] https://crrev.com/44dabf826136f0ddfab6f908036b68c7dce9a616/third_party/WebKit/LayoutTests/svg/custom/gradient-userSpaceOnUse-with-percentage-expected.png
[modify] https://crrev.com/44dabf826136f0ddfab6f908036b68c7dce9a616/third_party/WebKit/Source/core/svg/SVGLengthContext.cpp
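Added example (not Blink's code and not part of this issue's comments): the float-cast-overflow pattern the commit message above describes, a <float> * <double> product narrowed back into a float local and clamped only afterwards, placed beside the double-precision shape of the fix. The scale factor, the clamp bound kMaxUserUnits and the function names are placeholders chosen for illustration; Blink's real per-unit multipliers and clamp range are not shown on this page.

```cpp
// Added example, not Blink's code. Reproduces the pattern from the commit
// message (float * double narrowed into a float local, clamped afterwards)
// next to the fixed pattern (double local, clamp, then narrow). The factor
// and clamp bounds are placeholders; Blink's actual values are not on the page.
#include <algorithm>
#include <cfloat>
#include <cmath>
#include <cstdio>

// Hypothetical clamp range standing in for the one applied at the end of
// convertValueToUserUnits. It is far below FLT_MAX (~3.4e38), which is what
// makes the final narrowing safe once the clamp happens in double.
constexpr double kMaxUserUnits = 1e7;

// Before the fix. 'value' is promoted to double for the multiply, so the
// product is a double; storing it into a float local is a double->float
// conversion. When |product| exceeds the float range that conversion has no
// representable result and UBSan (-fsanitize=float-cast-overflow) reports it.
// The clamp runs after the fact; on IEEE754 hardware the float has typically
// already saturated to +/-inf, and the clamp then hides it, which is why the
// overflow had no visible effect on rendering.
float convertValueToUserUnitsBefore(float value, double factor) {
  float userUnits = static_cast<float>(value * factor);  // the flagged cast
  userUnits = std::max(-static_cast<float>(kMaxUserUnits),
                       std::min(userUnits, static_cast<float>(kMaxUserUnits)));
  return userUnits;
}

// After the fix: keep the intermediate in double, clamp in double, and only
// then narrow. The clamped value always fits in a float, so the cast cannot
// overflow no matter how large value * factor was.
float convertValueToUserUnitsFixed(float value, double factor) {
  double userUnits = static_cast<double>(value) * factor;
  userUnits = std::max(-kMaxUserUnits, std::min(userUnits, kMaxUserUnits));
  return static_cast<float>(userUnits);
}

// Predicts, without performing the cast, whether the "before" version would
// trip the sanitizer on these inputs: the product is finite but its magnitude
// is beyond FLT_MAX (an approximation of the exact rounding boundary).
bool wouldOverflowFloatCast(float value, double factor) {
  double product = static_cast<double>(value) * factor;
  return std::isfinite(product) &&
         std::fabs(product) > static_cast<double>(FLT_MAX);
}

int main() {
  // Constructed inputs: an in-range length, and one whose product exceeds FLT_MAX.
  const float small = 2.0f;
  const float huge = 3e30f;
  const double factor = 1e10;

  std::printf("small: before=%g fixed=%g overflow=%d\n",
              convertValueToUserUnitsBefore(small, 1.5),
              convertValueToUserUnitsFixed(small, 1.5),
              wouldOverflowFloatCast(small, 1.5));
  // The "before" path is deliberately not called with 'huge' here; build with
  // -fsanitize=float-cast-overflow and call it yourself to see the report.
  std::printf("huge:  fixed=%g overflow=%d\n",
              convertValueToUserUnitsFixed(huge, factor),
              wouldOverflowFloatCast(huge, factor));
  return 0;
}
```

To see the sanitizer report, build with -fsanitize=float-cast-overflow (clang or gcc) and call convertValueToUserUnitsBefore with the 'huge' input; convertValueToUserUnitsFixed stays silent on the same input because the narrowing happens after the clamp, and wouldOverflowFloatCast lets a test predict which inputs would have been flagged without executing the undefined conversion.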
Dec 22 2016
ClusterFuzz has detected this issue as fixed in range 440046:440059.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5507087070396416

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SVGLengthContext::convertValueToUserUnits
  blink::SVGLengthTearOff::value
  valueAttributeGetter

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440046:440059

Minimized Testcase (2.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9438VUiOzoodHnNA6YieG0_4pa8QEU1jPwDdH8DgizRUduv2gnMBeit7WuIPCkQ0K9GeJCCNF-IIyKEqdPU0yHRMRu0kz35-2Y9XIZ3koVYuaiqBMJjJqEHIvBggpdBh-PpKS-UgR7OfYIwyhqOV9GtsMXvSA?testcase_id=5507087070396416

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
Comment 1 by dtapu...@chromium.org, Dec 19 2016