blink: Don't call std::isfinite(double) then cast to float
Issue description
Consider the following code in blink::BaseRenderingContext2D::drawImage:

void BaseRenderingContext2D::drawImage(ExecutionContext* executionContext,
                                       CanvasImageSource* imageSource,
                                       double sx,
                                       double sy,
                                       double sw,
                                       double sh,
                                       double dx,
                                       double dy,
                                       double dw,
                                       double dh,
                                       ExceptionState& exceptionState) {
  ...
  if (!std::isfinite(dx) || !std::isfinite(dy) || !std::isfinite(dw) ||
      !std::isfinite(dh) || !std::isfinite(sx) || !std::isfinite(sy) ||
      !std::isfinite(sw) || !std::isfinite(sh) || !dw || !dh || !sw || !sh)
    return;
  ...
  FloatRect srcRect = normalizeRect(FloatRect(sx, sy, sw, sh));
The std::isfinite calls aren't particularly helpful, since it's for a double, and we're using the result as a float.
This came up because issue 675123 was misattributed to me. Mass-replacing with "IsFiniteFloat" fixes that instance (a la https://codereview.chromium.org/2595973002/), but there are ~90 bugs all hitting the same issue, so a one-off fix isn't the way to go.
https://bugs.chromium.org/p/chromium/issues/list?can=2&q=%22Float-cast-overflow%22&x=m&y=releaseblock&cells=ids
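As an added illustration of the gap the report describes (this is not code from the bug, the review linked above, or Chromium itself), the following check rejects values that std::isfinite accepts but that cannot survive a cast to float; IsFiniteAsFloat, DrawImageArgsAreUsable and ToFloatChecked are hypothetical names chosen here.

```cpp
#include <cmath>
#include <limits>

// Hypothetical helper: true only if v is finite AND its magnitude fits in a
// float. std::isfinite alone admits e.g. 1e39, a perfectly finite double
// that overflows float when cast (the "Float-cast-overflow" the sanitizer
// reports). The bound is conservative: doubles just above FLT_MAX that
// would round down to FLT_MAX are rejected too.
bool IsFiniteAsFloat(double v) {
  return std::isfinite(v) &&
         std::fabs(v) <= static_cast<double>(std::numeric_limits<float>::max());
}

// Mirrors the early-return guard in drawImage, but with the float-aware
// check: every coordinate must be representable as a float, and the
// source/destination sizes must be non-zero.
bool DrawImageArgsAreUsable(double sx, double sy, double sw, double sh,
                            double dx, double dy, double dw, double dh) {
  const double args[] = {sx, sy, sw, sh, dx, dy, dw, dh};
  for (double a : args) {
    if (!IsFiniteAsFloat(a))
      return false;
  }
  return sw != 0 && sh != 0 && dw != 0 && dh != 0;
}

// Performs the double -> float conversion only after the check has passed,
// so the cast is never reached with an out-of-range value. On failure *ok
// is false and 0.0f is returned as a sentinel.
float ToFloatChecked(double v, bool* ok) {
  *ok = IsFiniteAsFloat(v);
  return *ok ? static_cast<float>(v) : 0.0f;
}
```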
Dec 21 2016

Dec 21 2016

Dec 21 2016
Un-assigning myself from this. Triage should stop randomly assigning these new sanitizer bugs to owners.

Dec 21 2016
Looks like junov added this particular code in https://codereview.chromium.org/181693006

Dec 22 2016
ClusterFuzz testcase 4748542511153152 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ccameron@chromium.org, Dec 21 2016