
Issue 693873

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Integer-overflow in blink::IntRect::inflateX

Project Member Reported by ClusterFuzz, Feb 18 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6353961885106176

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::inflateX
  inflate
  paintComplexOutline
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94QEeV4iII3F_ci4F56JiVovULagFedMb1DK9CQySkVxGkl_Tc0Zp9WPTfGJ-86upPffWWTeRP-3ZObD8_ifYkRrWkmVCKviMsTioUuLZOVoYMCYA3VEGYXX-IYsmtgDbM1tm14WqWtHiVSGt4EJcbjgL5r7g?testcase_id=6353961885106176


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: ka...@opera.com
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file "TextControlElement.cpp", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/934becac5daa91ea979fb66e4ae21761ca11ebc9

@karlo -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank you.

Comment 2 by ka...@opera.com, Mar 10 2017

I'm not really sure what to fix here, the issue appears to have been there before my patch?  Also, the testcase doesn't actually reproduce the callstack described in the report.  This looks invalid to me.

Comment 3 by ka...@opera.com, Mar 13 2017

Owner: msrchandra@chromium.org
Labels: Needs-triage
Owner: ----
Status: Untriaged (was: Assigned)
Cc: pdr@chromium.org wangxianzhu@chromium.org wkorman@chromium.org mummare...@chromium.org
Components: Blink>Paint
Could someone please take a look and close if it is not feasible?
Thank you
Status: WontFix (was: Untriaged)
For now we don't check for overflow of integer geometry. This doesn't pose any security issue.
Labels: PaintTeamTriaged-20170331 BugSource-Chromium
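As an added illustration of what UBSAN flagged in the report above, the code below models an inflateX-style operation on a simplified integer rectangle: the unchecked form (signed `int` subtraction and addition, which is undefined behaviour on overflow), a predicate that detects the overflow without performing it, and a saturating variant that clamps to `INT_MIN`/`INT_MAX`. This is example code written for this page, not Blink's `IntRect` or anything from the bug; the `Rect` struct, the function names and the sample inputs are assumptions, and the `__builtin_*_overflow` checks require GCC or Clang. Compiling with `-fsanitize=undefined` and feeding the extreme value to `inflateXUnchecked` reproduces the kind of "signed integer overflow" runtime error ClusterFuzz reported.

```cpp
#include <climits>
#include <cstdio>

// Simplified integer rectangle, loosely after the shape of blink::IntRect.
// Assumption: a stand-in for this example, not Blink's class.
struct Rect {
    int x, y, width, height;
};

// Unchecked inflate, the pattern the sanitizer flagged: x - dx and
// width + dx + dx are plain signed int arithmetic, and signed overflow is
// undefined behaviour. Left unchecked on purpose; callers must ensure the
// inputs cannot overflow (see inflateXWouldOverflow).
void inflateXUnchecked(Rect& r, int dx) {
    r.x = r.x - dx;
    r.width = r.width + dx + dx;  // evaluated as (width + dx) + dx
}

// Reports whether inflateXUnchecked would overflow for these inputs, using
// the same evaluation order, without ever performing the overflowing step.
bool inflateXWouldOverflow(const Rect& r, int dx) {
    int newX, partial, newWidth;
    return __builtin_sub_overflow(r.x, dx, &newX)
        || __builtin_add_overflow(r.width, dx, &partial)
        || __builtin_add_overflow(partial, dx, &newWidth);
}

// Saturating helpers: on overflow, clamp toward the bound that was crossed.
int saturatingAdd(int a, int b) {
    int result;
    if (!__builtin_add_overflow(a, b, &result)) return result;
    return b > 0 ? INT_MAX : INT_MIN;
}

int saturatingSub(int a, int b) {
    int result;
    if (!__builtin_sub_overflow(a, b, &result)) return result;
    return b > 0 ? INT_MIN : INT_MAX;
}

// Inflate with saturating arithmetic: never undefined, degrades to a
// clamped rectangle instead of a wrapped (and possibly negative) width.
Rect inflateXSaturating(Rect r, int dx) {
    r.x = saturatingSub(r.x, dx);
    r.width = saturatingAdd(saturatingAdd(r.width, dx), dx);
    return r;
}

int main() {
    // Constructed inputs: an ordinary 100x20 rectangle and an outline offset
    // large enough to overflow the width computation.
    Rect r{10, 10, 100, 20};
    const int hugeDx = INT_MAX;
    const int smallDx = 5;

    std::printf("dx=%d would overflow: %s\n", hugeDx,
                inflateXWouldOverflow(r, hugeDx) ? "yes" : "no");

    Rect s = inflateXSaturating(r, hugeDx);
    std::printf("saturating: x=%d width=%d\n", s.x, s.width);

    if (!inflateXWouldOverflow(r, smallDx)) {
        inflateXUnchecked(r, smallDx);  // safe: checked first
        std::printf("unchecked (safe input): x=%d width=%d\n", r.x, r.width);
    }
    return 0;
}
```

The predicate and the saturating form are the two cheap fixes a paint-code owner would weigh against the team's stated position of not checking integer geometry at all; the saturating form is the one that keeps later layout math well-defined even when an earlier stage produced an absurd offset.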