New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 708165 link

Starred by 1 user
Status: Fixed
Owner:
fs...@chromium.org
Closed: Apr 2017
Cc:
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::BaseRenderingContext2D::getImageData

Project Member Reported by ClusterFuzz, Apr 4 2017

Comment 1 by msrchandra@chromium.org, Apr 4 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-59
Owner: fs...@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: fserb
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5aae822c218a67b706125e9620290026d523d629
Time: Mon Apr 03 16:50:23 2017
Lines 1531, 1576-1577 of file BaseRenderingContext2D.cpp which potentially caused crash are changed in this cl (frame #0, "blink::BaseRenderingContext2D::getImageData").
Minimum distance from crash line to modified line: 0. (file: BaseRenderingContext2D.cpp, crashed on: 1576, modified: 1576).

@fserb -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by superman...@gmail.com, Apr 4 2017

aHR0cDovL3pqLmRjeXMua3Ntb2JpbGUuY29tL2xvZ28vMjAxNC8wNS8yMS8vMTQwMDY0NDMwMV81MDM1NC5wbmc=.png
7.2 KB View Download
Project Member

Comment 3 by bugdroid1@chromium.org, Apr 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27458c3a4574379467168add07d7e6d7bf40c95d

commit 27458c3a4574379467168add07d7e6d7bf40c95d
Author: fserb <fserb@chromium.org>
Date: Fri Apr 07 20:34:18 2017

Prevent integer overlow on getImageData

BUG= 708165 , 708044 , 708961 

Review-Url: https://codereview.chromium.org/2797333002
Cr-Commit-Position: refs/heads/master@{#462989}

[modify] https://crrev.com/27458c3a4574379467168add07d7e6d7bf40c95d/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

Comment 4 by fs...@chromium.org, Apr 7 2017

Components: Blink>Canvas
Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, Apr 8 2017 

ClusterFuzz has detected this issue as fixed in range 462974:462994.

Detailed report: https://clusterfuzz.com/testcase?key=6257677991936000

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::BaseRenderingContext2D::getImageData
  getImageDataMethod
  blink::V8CanvasRenderingContext2D::getImageDataMethodCallback
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=461444:461460
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=462974:462994

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96TXvfqeUCbIJaE9UjhiosUx39UJWkBcv2Tx0SKgxISTSBZtpFQRzdH2TWP2zv7Ra2Em6nkhicKDaAPUVq7yRQ_w2yt_6jCUbQkwdTACKc4_N3X4QDK-TZda2x3-6dZcvXolSyHf4w50Bxz2k9BmzTqCVLsegaKLWtB7iLWCvXYgbe3nU5bWv51p3zV4jOZEJLLws-wzMeYccY8bp5hjerRX3jFD1yckJo9sZxIjdzdkQMy_7yryOC23cIy0ykD7Kz5lZQb9uo7P42j7-8cxtlkZGhtyHO79TvPQTtCgIPOT_FDVtnY46WR6q0mjuKa4f4aTwcq_DlS47P_os_0vgKqTN0PF37YFGZUAbXTS8CT8bGLzu6YTnLCSPozEaJPH4ojcbp72s1DhZZbA99rdvryZiL6wg?testcase_id=6257677991936000


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment