Float-cast-overflow in blink::SizesAttributeParser::effectiveSizeDefaultValue
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6553331775569920
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SizesAttributeParser::effectiveSizeDefaultValue
  blink::SizesAttributeParser::length
  blink::TokenPreloadScanner::StartTagScanner::StartTagScanner
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zr5CaBJAaagJdE2aFfuPL_BI50nm5Erz7CYy75vqiQPfg0NUbwuSR4dmAXWAkSdaEfrKSZqYO8tncVrQJ9bmAeGoEZ5xtkkL0GQzV7wWAfYcT6k42xCUeZJsyi3zHURp0PBUD1X9HZRZX6ci0ULzFNlsUMQ?testcase_id=6553331775569920
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 21 2016
+ yoav@yoav.ws, apparent author of SizesAttributeParser. There's some funny stuff about double->unsigned->float conversions with effectiveSizeDefaultValue that I don't understand; maybe yoav@ can comment.
Dec 21 2016
Definitely something funny about those conversions; I don't remember the unsigned stuff as intentional (and it definitely shouldn't have been implicit if it is :/). I don't have access to the repro though. Could you send me the minimized testcase?
Dec 22 2016
ClusterFuzz has detected this issue as fixed in range 440242:440280.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6553331775569920
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SizesAttributeParser::effectiveSizeDefaultValue
  blink::SizesAttributeParser::length
  blink::TokenPreloadScanner::StartTagScanner::StartTagScanner
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280
Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zr5CaBJAaagJdE2aFfuPL_BI50nm5Erz7CYy75vqiQPfg0NUbwuSR4dmAXWAkSdaEfrKSZqYO8tncVrQJ9bmAeGoEZ5xtkkL0GQzV7wWAfYcT6k42xCUeZJsyi3zHURp0PBUD1X9HZRZX6ci0ULzFNlsUMQ?testcase_id=6553331775569920
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
ClusterFuzz testcase 6553331775569920 is verified as fixed, so closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Dec 22 2016
Sent the testcase offline.
Dec 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5

commit 12e5afd8b8cca061b9a11fdaccb4bd198cb772b5
Author: yoav <yoav@yoav.ws>
Date: Thu Dec 22 13:41:16 2016

Return sizes' default effective size as float

As pointed out in the issue, the default effective size is converted from double to unsigned to float for no good reason. This CL makes sure there's a single explicit (clamped) conversion from double to float.

BUG= 675204
Review-Url: https://codereview.chromium.org/2596203002
Cr-Commit-Position: refs/heads/master@{#440404}

[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParser.cpp
[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParser.h
[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParserTest.cpp
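The conversion chain this thread is about, as an added C++ example that is not Blink's code and not part of the bug report: a double-to-unsigned cast is undefined behaviour whenever the truncated value does not fit in the destination type, which is exactly what UBSan's float-cast-overflow check reports, and routing the value through unsigned on its way to float also silently discards any fractional part. The `MediaValues` struct, the `defaultSizeUnsafe`/`defaultSizeClamped` functions and the `clampToFloat` helper are assumptions made for this example (Blink has its own clamping utilities); `fitsInUnsigned` states the precondition the sanitizer enforces so the hazard can be checked without executing it.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <limits>

// Stand-in for the object that supplies the viewport width (assumption,
// not Blink's MediaValues). A "sizes" default of 100vw starts life as a double.
struct MediaValues {
  double viewportWidth;
};

// Same shape as the problematic path described in the thread:
// double -> unsigned -> float. Undefined behaviour if the truncated double
// is not representable as unsigned (negative, >= 2^32, inf or NaN), and
// the intermediate unsigned drops the fractional part even when in range.
// Hypothetical function; only call it with inputs that pass fitsInUnsigned().
float defaultSizeUnsafe(const MediaValues& mv) {
  unsigned asUnsigned = static_cast<unsigned>(mv.viewportWidth);
  return static_cast<float>(asUnsigned);
}

// Precondition that -fsanitize=float-cast-overflow checks for a
// double -> unsigned conversion: the value truncated toward zero must lie
// in [0, 2^32). NaN fails both comparisons, so it is rejected as well.
bool fitsInUnsigned(double v) {
  return v > -1.0 && v < 4294967296.0;  // 2^32
}

// Single explicit, clamped conversion from double to float (assumed helper).
// Values beyond float's range are pinned to +/-FLT_MAX before the narrowing
// cast, which keeps that cast itself defined; NaN is mapped to 0.
float clampToFloat(double v) {
  if (std::isnan(v)) return 0.0f;
  const double lo = -static_cast<double>(std::numeric_limits<float>::max());
  const double hi = static_cast<double>(std::numeric_limits<float>::max());
  return static_cast<float>(std::min(hi, std::max(lo, v)));
}

// The shape of the fix: one conversion, explicit, clamped, no integer detour.
float defaultSizeClamped(const MediaValues& mv) {
  return clampToFloat(mv.viewportWidth);
}

int main() {
  // Constructed sample widths: an ordinary one and hostile ones.
  const double samples[] = {1024.5, -5.0, 1e10, 1e300,
                            std::numeric_limits<double>::infinity()};
  for (double w : samples) {
    MediaValues mv{w};
    std::printf("width=%g fitsInUnsigned=%d clamped=%g\n", w,
                fitsInUnsigned(w) ? 1 : 0, defaultSizeClamped(mv));
  }
  return 0;
}
```

The interesting outputs are the ones where `fitsInUnsigned` is false: those are the inputs on which the unsafe chain would trip the sanitizer (or produce an arbitrary value in a non-instrumented build), while the clamped path returns a well-defined float for every one of them.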
Comment 1 by mummare...@chromium.org, Dec 17 2016
Components: Blink>HTML>Parser
Labels: Test-Predator-Correct M-57