Issue metadata
Sign in to add a comment
|
Bad-cast to const DOMUint8ClampedArray' (aka 'const DOMTypedArray<WTF::Uint8ClampedArray, v8::Uint8ClampedArray>') from blink::DOMTypedArray<WTF::Uint16Array, v8::Uint16Array>;blink::ImageData::ImageData;blink::ImageData::createImageData |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6065508790304768 Fuzzer: inferno_layout_test_unmodified Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Bad-cast Crash Address: 0x31493ee517d8 Crash State: Bad-cast to const DOMUint8ClampedArray' (aka 'const DOMTypedArray<WTF::Uint8ClampedArray, v8::Uint8ClampedArray>') from blink::DOMTypedArray<WTF::Uint16Array, v8::Uint16Array> blink::ImageData::ImageData blink::ImageData::createImageData Sanitizer: undefined (UBSAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=456626:457732 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96b3UjACD6RGIAa8LxYHAXvR_qmt1_E1XMBMTXtHHCTO1WnuswzXSkB0nD_mW9hDNXGi2kPs6VsA0JO7U-Qc8FsANDXGKYmHegHUNZ02JuJ032bm7AqvyCUxr1hygywruK_qUsi_eW0HSJzATVppxdkQeFtsOwpf856Lh2acRoEfgIfsw_yDyAEbjp60eXyxWuQ4vVPMmVFM0Zk4L65-tecDw_PIt__AQBvd6587gP5WLz5c8aJbarti5nzVzv-YUCAeTW0m-aN08thZaprMWefM6P2kcG_J-sxSCBG_cElKG6wD89zHjLBbY4CxKNXfcOW2k7dsAiKcbtZKlC_A1Vnk3NmZUP-HR1PYMsm-iZ-eVgO4yJZL-DkPPZSiLiAJjlwQNE6_4MnbD1eFzFmwVwoCA4CVA?testcase_id=6065508790304768 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 20 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 20 2017
,
Mar 20 2017
,
Mar 20 2017
,
Mar 21 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 21 2017
Fix is ready. I'll commit it after getting lgtm.
,
Mar 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/03666b25531fd69b88fc2d6685d639cd893a79f0 commit 03666b25531fd69b88fc2d6685d639cd893a79f0 Author: zakerinasab <zakerinasab@chromium.org> Date: Tue Mar 21 19:19:20 2017 Fixing bad casting between DOMTypedArray objects Fixing bad casting between DOMTypeArray objects by overriding ImageDataColorSettings.ImageDataStorageFormat when external data array is provided. BUG= 702982 Review-Url: https://codereview.chromium.org/2759113003 Cr-Commit-Position: refs/heads/master@{#458504} [modify] https://crrev.com/03666b25531fd69b88fc2d6685d639cd893a79f0/third_party/WebKit/LayoutTests/fast/canvas/color-space/imageData-colorSpace.html [modify] https://crrev.com/03666b25531fd69b88fc2d6685d639cd893a79f0/third_party/WebKit/Source/core/html/ImageData.cpp [modify] https://crrev.com/03666b25531fd69b88fc2d6685d639cd893a79f0/third_party/WebKit/Source/core/html/ImageData.h
,
Mar 21 2017
,
Mar 22 2017
ClusterFuzz has detected this issue as fixed in range 458491:458507. Detailed report: https://clusterfuzz.com/testcase?key=6065508790304768 Fuzzer: inferno_layout_test_unmodified Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Bad-cast Crash Address: 0x31493ee517d8 Crash State: Bad-cast to const DOMUint8ClampedArray' (aka 'const DOMTypedArray<WTF::Uint8ClampedArray, v8::Uint8ClampedArray>') from blink::DOMTypedArray<WTF::Uint16Array, v8::Uint16Array> blink::ImageData::ImageData blink::ImageData::createImageData Sanitizer: undefined (UBSAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=456626:457732 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=458491:458507 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96b3UjACD6RGIAa8LxYHAXvR_qmt1_E1XMBMTXtHHCTO1WnuswzXSkB0nD_mW9hDNXGi2kPs6VsA0JO7U-Qc8FsANDXGKYmHegHUNZ02JuJ032bm7AqvyCUxr1hygywruK_qUsi_eW0HSJzATVppxdkQeFtsOwpf856Lh2acRoEfgIfsw_yDyAEbjp60eXyxWuQ4vVPMmVFM0Zk4L65-tecDw_PIt__AQBvd6587gP5WLz5c8aJbarti5nzVzv-YUCAeTW0m-aN08thZaprMWefM6P2kcG_J-sxSCBG_cElKG6wD89zHjLBbY4CxKNXfcOW2k7dsAiKcbtZKlC_A1Vnk3NmZUP-HR1PYMsm-iZ-eVgO4yJZL-DkPPZSiLiAJjlwQNE6_4MnbD1eFzFmwVwoCA4CVA?testcase_id=6065508790304768 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 22 2017
,
Apr 7 2017
,
Jun 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 27 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Mar 20 2017