Integer-overflow in blink::RecordingImageBufferSurface::DidDraw
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5327466171465728

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::RecordingImageBufferSurface::DidDraw
  blink::HTMLCanvasElement::DidDraw
  blink::CanvasRenderingContext::DidDraw

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=482716:482739

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5327466171465728

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 11 2017
ClusterFuzz has detected this issue as fixed in range 485366:485396.

Detailed report: https://clusterfuzz.com/testcase?key=5327466171465728

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::RecordingImageBufferSurface::DidDraw
  blink::HTMLCanvasElement::DidDraw
  blink::CanvasRenderingContext::DidDraw

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=482716:482739
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=485366:485396

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5327466171465728

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 11 2017
ClusterFuzz testcase 5327466171465728 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 11 2017
Re-opening. Bug is not really fixed. Code is still written in a way that is susceptible to overflow.
Jul 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/933bab4b0fc11be16e657d2ac1f53e92615a58aa

commit 933bab4b0fc11be16e657d2ac1f53e92615a58aa
Author: Justin Novosad <junov@chromium.org>
Date: Fri Jul 14 01:20:16 2017

Make RecordingImageBufferSurface robust to int overflows

BUG= 737448

Change-Id: I493919ce2ed8c4263b6b54684243b54bd38a2120
Reviewed-on: https://chromium-review.googlesource.com/567107
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Commit-Queue: Justin Novosad <junov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486596}

[modify] https://crrev.com/933bab4b0fc11be16e657d2ac1f53e92615a58aa/third_party/WebKit/Source/platform/graphics/RecordingImageBufferSurface.cpp
Jul 14 2017
Seems fixed now - Chromium: 485366:485396
Comment 1 by msrchandra@chromium.org, Jun 28 2017
Components: Blink>HTML
Labels: M-61 Test-Predator-Wrong-CLs
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
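The fix commit above is titled "Make RecordingImageBufferSurface robust to int overflows", and the re-open comment objects that the first landed change left the code "written in a way that is susceptible to overflow". The block below is an added illustration of that general hardening pattern; it is not Chromium's RecordingImageBufferSurface code, and `DrawCostTracker`, `SaturatingAdd`, `WouldOverflow` and the cost/budget scheme are hypothetical names chosen for the example. Signed `int` wrap-around is undefined behaviour in C++, which is exactly what a `linux_ubsan_chrome` build compiled with `-fsanitize=undefined` reports as "Integer-overflow"; the hardened form checks for overflow before it happens and saturates instead.

```cpp
// Added example, not Chromium code: hardening an accumulating int counter
// against signed overflow, the bug class UBSan reported in this issue.
#include <climits>

// Naive form: `total + delta` on int is undefined behaviour when it wraps,
// which is what -fsanitize=undefined flags as "Integer-overflow".
// Kept only for contrast; never call it with operands that would wrap.
int NaiveAdd(int total, int delta) { return total + delta; }

// Returns true if total + delta would overflow int, without performing the
// add. __builtin_add_overflow exists in GCC >= 5 and Clang.
bool WouldOverflow(int total, int delta) {
  int unused;
  return __builtin_add_overflow(total, delta, &unused);
}

// Hardened form: clamp to INT_MAX / INT_MIN instead of wrapping.
int SaturatingAdd(int total, int delta) {
  int result;
  if (__builtin_add_overflow(total, delta, &result))
    return delta > 0 ? INT_MAX : INT_MIN;
  return result;
}

// Hypothetical recorder (not the Blink class): accumulates a per-draw cost
// and reports whether recording is still within budget. Because the counter
// saturates, a huge or repeated delta cannot wrap it back below the budget
// and silently re-enable recording.
class DrawCostTracker {
 public:
  explicit DrawCostTracker(int budget) : budget_(budget) {}

  // Called once per draw; returns true while the total is within budget.
  bool DidDraw(int cost) {
    total_cost_ = SaturatingAdd(total_cost_, cost);
    return total_cost_ <= budget_;
  }

  int total_cost() const { return total_cost_; }

 private:
  int budget_;
  int total_cost_ = 0;
};

// Exercises the tracker end to end: a normal draw stays within budget, a
// pathological cost saturates the counter instead of wrapping, and recording
// stays off afterwards.
bool TrackerSaturatesInsteadOfWrapping() {
  DrawCostTracker t(100);
  bool ok = t.DidDraw(60);           // 60 <= 100, still recording
  ok = ok && !t.DidDraw(INT_MAX);    // saturates at INT_MAX, over budget
  ok = ok && t.total_cost() == INT_MAX;
  ok = ok && !t.DidDraw(1);          // stays saturated, still over budget
  return ok;
}
```

Inside the Chromium tree the same intent is normally expressed with `base::CheckedNumeric` or `base::ClampedNumeric` from `base/numerics/safe_math.h` rather than the compiler builtin directly; either way the check has to happen before the addition, since checking after the fact is already too late under UBSan.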