New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 708961 link

Starred by 1 user
Status: Fixed
Owner:
fs...@chromium.org
Closed: Apr 2017
Cc:
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::BaseRenderingContext2D::putImageData

Project Member Reported by ClusterFuzz, Apr 6 2017

Comment 1 by msrchandra@chromium.org, Apr 6 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-59
Owner: fs...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file, "BaseRenderingContext2D.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/5aae822c218a67b706125e9620290026d523d629

@fserb -- Could you please look into the issue, kindly re-assign if it has nothing to do with your changes.
Thank You.
Project Member

Comment 2 by bugdroid1@chromium.org, Apr 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27458c3a4574379467168add07d7e6d7bf40c95d

commit 27458c3a4574379467168add07d7e6d7bf40c95d
Author: fserb <fserb@chromium.org>
Date: Fri Apr 07 20:34:18 2017

Prevent integer overlow on getImageData

BUG= 708165 , 708044 , 708961 

Review-Url: https://codereview.chromium.org/2797333002
Cr-Commit-Position: refs/heads/master@{#462989}

[modify] https://crrev.com/27458c3a4574379467168add07d7e6d7bf40c95d/third_party/WebKit/Source/modules/canvas2d/BaseRenderingContext2D.cpp

Comment 3 by fs...@chromium.org, Apr 7 2017

Components: Blink>Canvas
Status: Fixed (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, Apr 8 2017 

ClusterFuzz has detected this issue as fixed in range 462974:462994.

Detailed report: https://clusterfuzz.com/testcase?key=5626985666838528

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::BaseRenderingContext2D::putImageData
  putImageData2Method
  putImageDataMethod
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=461468:461491
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=462974:462994

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96-VPGR3tMGvYiL3w56w1X8objNdIxA3gaq9rkhra5Vr29D7-dmIaC75B9xRnfoIW9ir-4pYjqeDKX9SK5nz7sFjz0ir8O_--q85qXepoTXhp8-yJGBKcThDfhZi66oBlCqpoWlykostE6sk08M0DUczQE_l2uQ-aP66B7KIKMCSAqc7WuJMmROxnqu9nIipA-2ilgLVf0I2AiCvnSLzCUlmXjwRCc6cMPEtzukuE-CZfEVj0CpWAAkD2fsCue1kWwnV0j8uCWYpyw_MKWt7b10uI411KzAENPRO8UmDHqBe8tXJTIBAll09GZDSUF0PEV4QcKAf3cWZAL_sqKPPJQ29JcjaYenXXjviooLq1c58Y-xnfs?testcase_id=5626985666838528


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment