This triggers in a path that's only used for tests. Still, it shouldn't trigger because we should be testing for overflow before we get there. Investigating.

Well, so what happens is that HandleTexImage3D is called with an invalid enum, width & height within reason (512) and a large depth (such that width*height*depth overflows). However format and type are invalid. What happens is that format and type are validated later (in TextureManager::ValidateAndDoTexImage), but before they are validated, we go into ComputeImageDataSizesES3, which tries to compute the size of the data (so that we can validate shm / pbo). But because format and type are invalid, we compute a size-per-pixel of 0 (falling through default cases of BytesPerElement and ElementsPerGroup) and so computations in ComputeImageDataSizesES3 don't overflow.
Note, this is true as well of HandleTexImage2D.

I think the right way to solve this is to validate enums (and parameters in general) before trying to do ComputeImageDataSizesES3, so that we only compute meaningful things. It might even make sense to combine enum validation with looking up size-per-pixel to avoid redundant switches/lookups.


That said, the production code should be ok as is, in that the path that could overflows is never taken.

 Issue 844208  has been merged into this issue.

ClusterFuzz testcase 6721400619139072 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 566149:566173.

Detailed report: https://clusterfuzz.com/testcase?key=6121905714364416

Fuzzer: libFuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gpu::gles2::GLES2DecoderImpl::HandleTexImage3D
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  gpu::CommandBufferService::Flush
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=512673:512693
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=566149:566173

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6121905714364416

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.