New issue
Advanced search Search tips

Issue 836941 link

Starred by 1 user
Status: Verified
Owner:
cnardi@chromium.org
Closed: Apr 2018
Cc:
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Float-cast-overflow in blink::CSSPropertyParserHelpers::ClampRGBComponent

Project Member Reported by ClusterFuzz, Apr 25 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6211572519927808

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSPropertyParserHelpers::ClampRGBComponent
  ParseRGBParameters
  ParseColorFunction
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211572519927808

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 25 2018

Components: Blink>CSS
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by cnardi@chromium.org, Apr 25 2018

Owner: cnardi@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 3 by bugdroid1@chromium.org, Apr 26 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e978753549a1836c7498f06e2c7156a4b885515

commit 5e978753549a1836c7498f06e2c7156a4b885515
Author: Chris Nardi <cnardi@chromium.org>
Date: Thu Apr 26 13:45:25 2018

Audit uses of floats and float rounding in color parsing

Our use of roundf on a double lead to the possibility of undefined
behavior if the value was outside the representable range of a float.
Also take this opportunity to audit existing usage of floats/float
rounding in color parsing code, as everything is originally parsed as a
double so no floats should be needed.

Bug:  836941 
Change-Id: If4cc7f6949de9ba4cf279093124afd710b42024b
Reviewed-on: https://chromium-review.googlesource.com/1028830
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Chris Nardi <cnardi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554011}
[modify] https://crrev.com/5e978753549a1836c7498f06e2c7156a4b885515/third_party/blink/renderer/core/css/parser/css_parser_fast_paths.cc
[modify] https://crrev.com/5e978753549a1836c7498f06e2c7156a4b885515/third_party/blink/renderer/core/css/parser/css_property_parser_helpers.cc

Comment 4 by cnardi@chromium.org, Apr 26 2018

Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, Apr 27 2018 

ClusterFuzz has detected this issue as fixed in range 554005:554011.

Detailed report: https://clusterfuzz.com/testcase?key=6211572519927808

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSPropertyParserHelpers::ClampRGBComponent
  ParseRGBParameters
  ParseColorFunction
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=552707:552711
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=554005:554011

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211572519927808

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Apr 27 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6211572519927808 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment