Float-cast-overflow in blink::BaseRenderingContext2D::IsPointInPathInternal
Issue description (Apr 25 2018)

Detailed report: https://clusterfuzz.com/testcase?key=4896364010668032
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::BaseRenderingContext2D::IsPointInPathInternal
  blink::CanvasRenderingContext2DV8Internal::isPointInPath1Method
  v8::internal::FunctionCallbackArguments::Call
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4896364010668032

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 26 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b88abf494b5c52e22e54a1318584f1335d41e98c

commit b88abf494b5c52e22e54a1318584f1335d41e98c
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Thu Apr 26 19:20:07 2018

Fix float cast overflow in canvas

Canvas API uses double parameters in IDL entry points, but many utility functions and objects in Blink use SkScalar, which is equal to float. This results in float cast overflows when the input double param is cast to a SkScalar. This CL fixes this by clamping the input params from double to float beforehand.

Bug: 836931, 836840, 836708, 836685, 836638
Change-Id: I250c2d1dfc4a60916dee9843c36a5a3a513e7912
Reviewed-on: https://chromium-review.googlesource.com/1030615
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554114}

[modify] https://crrev.com/b88abf494b5c52e22e54a1318584f1335d41e98c/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc
[modify] https://crrev.com/b88abf494b5c52e22e54a1318584f1335d41e98c/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.cc
[modify] https://crrev.com/b88abf494b5c52e22e54a1318584f1335d41e98c/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d_state.cc
[modify] https://crrev.com/b88abf494b5c52e22e54a1318584f1335d41e98c/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d_state.h
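The commit above describes the class of bug (double IDL parameters cast to SkScalar, which is a float, without range checking) and its fix (clamp the double into float range before the cast). The following is an added illustration of that pattern, not code from the Chromium CL: `Scalar`, `WouldOverflowFloatCast`, `ClampDoubleToScalar`, `Rect` and `IsPointInRect` are hypothetical names, and the rectangle hit test is a stand-in for the real path hit test. Converting a finite double whose magnitude exceeds `FLT_MAX` to float is undefined behaviour in C++, which is exactly what UBSan's float-cast-overflow check flags; clamping first makes every conversion defined.

```cpp
#include <cfloat>
#include <cmath>
#include <cstdio>
#include <limits>

// Hypothetical stand-in for SkScalar, which in Skia is a float.
using Scalar = float;

// True when converting |value| to float would be undefined behaviour:
// a finite double whose magnitude exceeds the largest finite float.
// This is the condition UBSan's float-cast-overflow check reports.
bool WouldOverflowFloatCast(double value) {
  return std::isfinite(value) &&
         std::fabs(value) > static_cast<double>(FLT_MAX);
}

// Clamp a double into the finite float range before converting, so the
// cast is always defined. NaN is preserved; +/-infinity is clamped to
// +/-FLT_MAX, which keeps every result finite (a design choice made for
// this example, not necessarily what the Blink CL does).
Scalar ClampDoubleToScalar(double value) {
  if (std::isnan(value)) return std::numeric_limits<Scalar>::quiet_NaN();
  if (value > static_cast<double>(FLT_MAX)) return FLT_MAX;
  if (value < -static_cast<double>(FLT_MAX)) return -FLT_MAX;
  return static_cast<Scalar>(value);  // now in range: defined conversion
}

// Toy axis-aligned rectangle in float coordinates, the kind of geometry a
// Skia-backed hit test works in.
struct Rect {
  Scalar left, top, right, bottom;
};

// Hypothetical hit test modelled on the bug's entry point: the IDL hands
// us doubles, the geometry code wants floats. Clamping first means a
// script-supplied 1e40 becomes FLT_MAX and the comparison is ordinary,
// instead of an out-of-range cast.
bool IsPointInRect(double x, double y, const Rect& rect) {
  Scalar sx = ClampDoubleToScalar(x);
  Scalar sy = ClampDoubleToScalar(y);
  if (std::isnan(sx) || std::isnan(sy)) return false;  // NaN never hits
  return sx >= rect.left && sx <= rect.right &&
         sy >= rect.top && sy <= rect.bottom;
}

int main() {
  const Rect rect = {0.0f, 0.0f, 100.0f, 50.0f};  // constructed sample
  const double inputs[] = {10.0, 1e40, -1e40, INFINITY, NAN};
  for (double v : inputs) {
    std::printf("x=%g overflow=%d in_rect=%d\n", v,
                WouldOverflowFloatCast(v) ? 1 : 0,
                IsPointInRect(v, 25.0, rect) ? 1 : 0);
  }
  return 0;
}
```

Build with `-fsanitize=float-cast-overflow` to see the difference: a direct `static_cast<float>(1e40)` is reported at runtime, while the clamped path is silent because the cast only ever sees values in `[-FLT_MAX, FLT_MAX]`.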
Apr 27 2018

ClusterFuzz has detected this issue as fixed in range 554111:554115.

Detailed report: https://clusterfuzz.com/testcase?key=4896364010668032
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
  blink::BaseRenderingContext2D::IsPointInPathInternal
  blink::CanvasRenderingContext2DV8Internal::isPointInPath1Method
  v8::internal::FunctionCallbackArguments::Call
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=554111:554115
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4896364010668032

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 27 2018

ClusterFuzz testcase 4896364010668032 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Apr 25 2018
Labels: Test-Predator-Auto-Components