
Issue 686412

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in walk_convex_edges

Project Member Reported by ClusterFuzz, Jan 28 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5303323923316736

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=398502:398570

Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96y6DW3MjhvcWllf8-emozqjRnspOUte6-rFDmVgCINMSo73MoZTlzz11MVTlDTLxEm8ZCNm220Z3HmZZ_UPYlMHeX6QHwv45S4pC2BZ6hQFCQnXU2ymCYZSsNyQfkrw9d6HvPkH2O2htCL6Lk2eKaQq2AwXQ?testcase_id=5303323923316736

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: caryclark@chromium.org liyuqian@chromium.org reed@chromium.org
Components: Internals>Skia
Labels: Test-Predator-Wrong M-56
Owner: caryclark@google.com
Please see https://skia-review.googlesource.com/c/7945/ for the unit test to reproduce this problem. This problem is more related to quad/conic than AA as the unit test is in non-AA mode.
Cc: -caryclark@chromium.org
Owner: ----
Status: Available (was: Untriaged)
I've heard conflicting opinions about how the team should handle integer-overflow.
 
I have no interest in working on this.

Comment 4 by reed@chromium.org, Feb 2 2017

Owner: reed@google.com

Comment 5 by reed@chromium.org, Feb 2 2017

            do {
                int L = SkFixedRoundToInt(left);
                int R = SkFixedRoundToInt(rite);
                if (L < R) {
                    blitter->blitH(L, local_top, R - L);
                }
                left += dLeft;
                rite += dRite;
                local_top += 1;
            } while (--count >= 0);

I posit that count might be zero when this overflow happens...
Correct, if I remember correctly, count == 0 and fCurveCount == 7.
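As an added example that is not Skia's code nor from this thread, the loop quoted in comment 5 re-stated with checked fixed-point arithmetic: the (x + half) >> 16 rounding and the per-row edge steps use __builtin_add_overflow so an int32 overflow is reported instead of wrapping (UBSAN's "integer-overflow" is a signed add of this kind). The blitter is replaced by an output array; SK_FixedHalf and SK_Fixed1 mirror Skia's constants, everything else here is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* 16.16 fixed point like Skia's SkFixed (int32_t). SK_FixedHalf mirrors Skia's
 * rounding constant; the checked helpers below are added here, not Skia's. */
typedef int32_t SkFixed;
#define SK_FixedHalf 0x8000
#define SK_Fixed1    0x10000

/* Round to int as SkFixedRoundToInt does ((x + half) >> 16), but report
 * instead of wrapping when the +half add would overflow int32. */
static bool checked_round_to_int(SkFixed x, int *out) {
    SkFixed tmp;
    if (__builtin_add_overflow(x, SK_FixedHalf, &tmp)) return false;
    *out = tmp >> 16;
    return true;
}

/* Checked re-statement of the quoted loop. Spans go to 'spans' as (x, y, width)
 * instead of blitter->blitH. Returns spans emitted, or -1 on the first
 * fixed-point add that would overflow. Note the do/while: count == 0 still
 * runs the body once, so a single row is enough to trip the check. */
static int walk_spans_checked(SkFixed left, SkFixed rite, SkFixed dLeft, SkFixed dRite,
                              int local_top, int count, int spans[][3], int max_spans) {
    int n = 0;
    do {
        int L, R;
        if (!checked_round_to_int(left, &L) || !checked_round_to_int(rite, &R)) return -1;
        if (L < R) {
            if (n >= max_spans) return -1;  /* output buffer bound (constructed) */
            spans[n][0] = L; spans[n][1] = local_top; spans[n][2] = R - L;
            n++;
        }
        if (__builtin_add_overflow(left, dLeft, &left) ||
            __builtin_add_overflow(rite, dRite, &rite)) return -1;
        local_top += 1;
    } while (--count >= 0);
    return n;
}

int main(void) {
    int spans[8][3];
    /* constructed: 10px-wide span, both edges moving right 1px per row, count = 2 */
    int n = walk_spans_checked(0, 10 * SK_Fixed1, SK_Fixed1, SK_Fixed1, 0, 2, spans, 8);
    printf("spans emitted: %d\n", n);
    /* constructed: left edge near INT32_MAX overflows on the first row with count == 0 */
    n = walk_spans_checked(INT32_MAX - 100, INT32_MAX, SK_Fixed1, 0, 0, 0, spans, 8);
    printf("overflow detected: %s\n", n < 0 ? "yes" : "no");
    return 0;
}
```

The edge steps after the final row are checked too, which is stricter than the original needs (those values are never read) but keeps the check uniform.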
Comment 7 by ClusterFuzz (Project Member), Jul 30 2017

Detailed report: https://clusterfuzz.com/testcase?key=6016465059971072

Job Type: linux_ubsan_chrome
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6016465059971072


See https://github.com/google/clusterfuzz-tools for more information.
Comment 8 by ClusterFuzz (Project Member), Jul 30 2017

Detailed report: https://clusterfuzz.com/testcase?key=6016465059971072

Job Type: linux_ubsan_chrome
Crash Type: Integer-overflow
Crash Address: 
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=398502:398570

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6016465059971072


See https://github.com/google/clusterfuzz-tools for more information.
Comment 9 by ClusterFuzz (Project Member), Oct 12 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 6016465059971072 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
