Float-cast-overflow in genericParseNumber<unsigned
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6080717147865088

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  genericParseNumber<unsigned
  blink::parseNumber
  blink::SVGParsingError blink::SVGNumber::parse<unsigned char>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.35 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv945a1Uqc3Q0p4FlX5PE6E_qKjDZAIySki_8eAwC1A976sDWtOsKBfcs6HtncYok53anHmqtrSnwU_IfVHz_dTlNghu47OhqGC23g4-FfYDfDI1h_c1O5YMdbz56QWtfxU4bS9N9sUR5nVXGXuR7shXmq_8spw?testcase_id=6080717147865088

<template id=target-template>
<svg>
<feFuncR class=target></template>
<script src=../svg-attribute-interpolation/resources/interpolation-test.js></script>
<script>
assertAttributeInterpolation({
  property: 'amplitude',
  from: neutralKeyframe,
  to: '65386'
}, [
  { is: 6677478477604165027902943687621673364418956426463191372489307581782199}
]);
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 19 2016
Dec 20 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/57f9189c8edf1db60a0f4e1c3c4c7dbda6d47c6e

commit 57f9189c8edf1db60a0f4e1c3c4c7dbda6d47c6e
Author: fs <fs@opera.com>
Date: Mon Dec 19 19:33:48 2016

Use a stricter limit for the exponent range in genericParseNumber

The exponent was being checked against numeric_limits<...>::max_exponent which is the power-of-two limit. Use max_exponent10 instead. Also make sure to apply any exponent sign prior to the range check so that min_exponent10 can be used as the lower bound. This means computing the base number before checking for/parsing the exponent part. This could be slower in some cases, but reasonably only when an error is encountered. Also, scientific notation should be fairly scarce to begin with.

Also move declarations of local variables closer to their first use (and in the inner-most scope possible.) Unravel the handling of/accumulation into 'frac' when computing the decimal part.

BUG=675174
Review-Url: https://codereview.chromium.org/2588023002
Cr-Commit-Position: refs/heads/master@{#439522}

[modify] https://crrev.com/57f9189c8edf1db60a0f4e1c3c4c7dbda6d47c6e/third_party/WebKit/Source/core/svg/SVGParserUtilities.cpp
Dec 20 2016

ClusterFuzz has detected this issue as fixed in range 439520:439552.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6080717147865088

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  genericParseNumber<unsigned
  blink::parseNumber
  blink::SVGParsingError blink::SVGNumber::parse<unsigned char>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=439520:439552

Minimized Testcase (0.35 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv945a1Uqc3Q0p4FlX5PE6E_qKjDZAIySki_8eAwC1A976sDWtOsKBfcs6HtncYok53anHmqtrSnwU_IfVHz_dTlNghu47OhqGC23g4-FfYDfDI1h_c1O5YMdbz56QWtfxU4bS9N9sUR5nVXGXuR7shXmq_8spw?testcase_id=6080717147865088

<template id=target-template>
<svg>
<feFuncR class=target></template>
<script src=../svg-attribute-interpolation/resources/interpolation-test.js></script>
<script>
assertAttributeInterpolation({
  property: 'amplitude',
  from: neutralKeyframe,
  to: '65386'
}, [
  { is: 6677478477604165027902943687621673364418956426463191372489307581782199}
]);
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by f...@opera.com, Dec 19 2016
Owner: f...@opera.com