
Issue 676137


Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug


Float-cast-overflow in blink::SVGSMILElement::calculateAnimationPercentAndRepeat

Project Member Reported by ClusterFuzz, Dec 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672077060898816

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::SVGSMILElement::calculateAnimationPercentAndRepeat
  blink::SVGSMILElement::progress
  blink::SMILTimeContainer::updateAnimations
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=438151:438157

Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ygltPOo3PTk_2uATBdYFOnr_6C3vjtqWcJoBH89L80mbklzGlkVEK_Zjw_uRx2YWYPpyIXJi_G6_nBvgscV7wDvitwDAsvdLroaKlXO375Yx-hDu_YLROa2RHsuAqKjlajHiUzhsIvTYAWG9eTOJeZL_Kjg?testcase_id=4672077060898816

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by f...@opera.com, Dec 21 2016

Labels: -Pri-2 Pri-3
Owner: f...@opera.com
Status: Assigned (was: Untriaged)
Project Member

Comment 2 by bugdroid1@chromium.org, Dec 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e

commit d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e
Author: fs <fs@opera.com>
Date: Wed Dec 21 19:11:53 2016

Improve separation between "SMIL times" and timestamps

The 'elapsed' time does not need to be a SMILTime in general - it can
only be non-finite in the case where the document is not active, and
then the timeline should not be running/animations updated.
Thread the double value further from SMILTimeContainer down into
SVGSMILElement. Simplify some computations.

BUG=641437, 676137 

Review-Url: https://codereview.chromium.org/2592103002
Cr-Commit-Position: refs/heads/master@{#440171}

[modify] https://crrev.com/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp
[modify] https://crrev.com/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.h

Project Member

Comment 3 by ClusterFuzz, Dec 22 2016

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672077060898816

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::SVGSMILElement::calculateAnimationPercentAndRepeat
  blink::SVGSMILElement::progress
  blink::SMILTimeContainer::updateAnimations
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=438151:438157
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ygltPOo3PTk_2uATBdYFOnr_6C3vjtqWcJoBH89L80mbklzGlkVEK_Zjw_uRx2YWYPpyIXJi_G6_nBvgscV7wDvitwDAsvdLroaKlXO375Yx-hDu_YLROa2RHsuAqKjlajHiUzhsIvTYAWG9eTOJeZL_Kjg?testcase_id=4672077060898816

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Dec 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4672077060898816 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
