Integer-overflow in Ins_MDRP
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5012931304751104

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  Ins_MDRP
  TT_RunIns
  tt_size_run_prep

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5012931304751104

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 21 2017
It appears this is a result of <freetype>/include/freetype/internal/ftobjs.h:

    #define FT_ABS( a )  ( (a) < 0 ? -(a) : (a) )
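The macro quoted above negates its argument when it is negative, and for the most negative value of a signed type that negation has no representable result, which is exactly the signed overflow UBSan reports. The following is an added example, not FreeType's or Chromium's code, assuming the operand is a long (FreeType's F26Dot6 fixed-point values are signed longs); it flags the one operand FT_ABS cannot handle and shows two overflow-free ways to take a magnitude.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The macro quoted in the comment above (FreeType's ftobjs.h). */
#define FT_ABS( a )  ( (a) < 0 ? -(a) : (a) )

/* True when FT_ABS(a) would negate the most negative long: -LONG_MIN does
   not fit in a long, so the negation is signed overflow (undefined
   behaviour, which is what UBSan flags). */
bool ft_abs_would_overflow(long a)
{
    return a == LONG_MIN;
}

/* Overflow-free magnitude computed in unsigned arithmetic, where wrap-around
   is defined; LONG_MIN maps to (unsigned long)LONG_MAX + 1. */
unsigned long safe_abs_ulong(long a)
{
    if (a >= 0)
        return (unsigned long)a;
    /* 0UL - (unsigned long)a is well defined for every negative a. */
    return 0UL - (unsigned long)a;
}

/* Saturating variant that stays in the signed domain: the single value FT_ABS
   cannot represent is clamped to LONG_MAX instead of being negated. */
long clamped_abs_long(long a)
{
    if (a == LONG_MIN)
        return LONG_MAX;
    return FT_ABS(a);
}

int main(void)
{
    /* Constructed sample operands, including the one that trips the macro. */
    long values[] = { 0L, -42L, 42L, LONG_MIN + 1, LONG_MIN };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        long v = values[i];
        if (ft_abs_would_overflow(v))
            printf("%ld: FT_ABS would overflow; unsigned magnitude %lu, clamped %ld\n",
                   v, safe_abs_ulong(v), clamped_abs_long(v));
        else
            printf("%ld: FT_ABS -> %ld\n", v, FT_ABS(v));
    }
    return 0;
}
```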
Sep 21 2017
I've opened https://savannah.nongnu.org/bugs/index.php?52082 .
Sep 22 2017
Upstream has fixed. Verified that this testcase no longer reports any ubsan issues. Started roll of fix into Chromium at https://chromium-review.googlesource.com/c/chromium/src/+/678395 .
Sep 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/417bc010ada9067c2494bbd3148d3547f80009bc

commit 417bc010ada9067c2494bbd3148d3547f80009bc
Author: Ben Wagner <bungeman@chromium.org>
Date: Mon Sep 25 15:34:41 2017

Roll src/third_party/freetype/src/ 1ad07c1c7..6f2b6f8f7 (14 commits)

https://chromium.googlesource.com/chromium/src/third_party/freetype2.git/+log/1ad07c1c7984..6f2b6f8f72ff

$ git log 1ad07c1c7..6f2b6f8f7 --date=short --no-merges --format='%ad %ae %s'
2017-09-24 wl Split off ChangeLog.27.
2017-09-24 jfkthame [sfnt] Fix `premultiply_data' (#52092).
2017-09-24 wl Minor.
2017-09-24 wl Fix handling of ValueRecords.
2017-09-24 wl [otvalid] Handle `GSUB' and `GPOS' v1.1 tables.
2017-09-23 wl [otvalid] Update common table handling to OpenType 1.8.2.
2017-09-23 apodtele [build] Windows-style DLL versioning.
2017-09-23 bungeman [truetype] Really fix #52082.
2017-09-23 wl [otvalid] Handle `GDEF' v1.2 and v1.3 tables.
2017-09-23 wl [otvalid] Handle `BASE' v1.1 table.
2017-09-22 wl [otvalid] Macros for 32bit offset support.
2017-09-22 wl [otvalid] Whitespace.
2017-09-21 apodtele [build] Simplify Visual C++ 2010 project.
2017-09-21 wl [truetype] Integer overflow (#52082).

Created with:
  roll-dep src/third_party/freetype/src

R=bungeman@chromium.org,drott@chromium.org
BUG= chromium:753690

Change-Id: I1aafcf75c647bc2645c90360493b6bf22f023be4
Reviewed-on: https://chromium-review.googlesource.com/678395
Reviewed-by: Dominik Röttsches <drott@chromium.org>
Commit-Queue: Ben Wagner <bungeman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504062}

[modify] https://crrev.com/417bc010ada9067c2494bbd3148d3547f80009bc/DEPS
[modify] https://crrev.com/417bc010ada9067c2494bbd3148d3547f80009bc/third_party/freetype/README.chromium
[modify] https://crrev.com/417bc010ada9067c2494bbd3148d3547f80009bc/third_party/freetype/roll-freetype.sh
Oct 4 2017
ClusterFuzz has detected this issue as fixed in range 502108:506092.

Detailed report: https://clusterfuzz.com/testcase?key=5012931304751104

Fuzzer: libFuzzer_pdf_font_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  Ins_MDRP
  TT_RunIns
  tt_size_run_prep

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=483358:483512
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=502108:506092

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5012931304751104

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 4 2017
ClusterFuzz testcase 5012931304751104 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 13 2017
Labels: M-63 Test-Predator-Wrong-CLs
Owner: bunge...@chromium.org
Status: Assigned (was: Untriaged)