Float-cast-overflow in blink::SVGSMILElement::calculateAnimationPercentAndRepeat

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672077060898816

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SVGSMILElement::calculateAnimationPercentAndRepeat
  blink::SVGSMILElement::progress
  blink::SMILTimeContainer::updateAnimations

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=438151:438157

Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ygltPOo3PTk_2uATBdYFOnr_6C3vjtqWcJoBH89L80mbklzGlkVEK_Zjw_uRx2YWYPpyIXJi_G6_nBvgscV7wDvitwDAsvdLroaKlXO375Yx-hDu_YLROa2RHsuAqKjlajHiUzhsIvTYAWG9eTOJeZL_Kjg?testcase_id=4672077060898816

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment by bugdroid, Dec 21 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e

commit d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e
Author: fs <fs@opera.com>
Date: Wed Dec 21 19:11:53 2016

Improve separation between "SMIL times" and timestamps

The 'elapsed' time does not need to be a SMILTime in general - it can
only be non-finite in the case where the document is not active, and
then the timeline should not be running/animations updated.
Thread the double value further from SMILTimeContainer down into
SVGSMILElement.
Simplify some computations.

BUG=641437, 676137

Review-Url: https://codereview.chromium.org/2592103002
Cr-Commit-Position: refs/heads/master@{#440171}

[modify] https://crrev.com/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp
[modify] https://crrev.com/d6b6ebf86773fcafd3ce6cdc6fe7ef7d14bae91e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.h

Comment by ClusterFuzz, Dec 22 2016

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672077060898816

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::SVGSMILElement::calculateAnimationPercentAndRepeat
  blink::SVGSMILElement::progress
  blink::SMILTimeContainer::updateAnimations

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=438151:438157
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (0.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ygltPOo3PTk_2uATBdYFOnr_6C3vjtqWcJoBH89L80mbklzGlkVEK_Zjw_uRx2YWYPpyIXJi_G6_nBvgscV7wDvitwDAsvdLroaKlXO375Yx-hDu_YLROa2RHsuAqKjlajHiUzhsIvTYAWG9eTOJeZL_Kjg?testcase_id=4672077060898816

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment by ClusterFuzz, Dec 22 2016

ClusterFuzz testcase 4672077060898816 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by f...@opera.com, Dec 21 2016

Owner: f...@opera.com
Status: Assigned (was: Untriaged)