Integer-overflow in blink::IntRect::MaxY |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5127208704933888 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::IntRect::MaxY blink::LocalFrameView::RecordDeferredLoadingStats blink::LocalFrameView::UpdateViewportIntersectionsForSubtree Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=549059:549062 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5127208704933888 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 15 2018
This issue looks similar to bug 831461 , hence cc'ing to szager@ for more updates. szager@@ Would you mind taking a look in to this issue? Thanks!
,
May 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/30e13fedc89b7dc4c43e97b8e40407a2b58ea571 commit 30e13fedc89b7dc4c43e97b8e40407a2b58ea571 Author: Stefan Zager <szager@chromium.org> Date: Tue May 15 22:06:55 2018 Clamp size+location of LocalFrameView::frame_rect_. It makes no sense to allow a frame_rect with overflowing max coordinates. This doesn't come up in actual pages, but it is a source of annoying fuzzer bugs. R=skobes@chromium.org,bokan@chromium.org BUG= 842417 Change-Id: I5b1435f5972b160fbf5f1daaf4bae7ef00748608 Reviewed-on: https://chromium-review.googlesource.com/1060027 Reviewed-by: Steve Kobes <skobes@chromium.org> Reviewed-by: David Bokan <bokan@chromium.org> Commit-Queue: Stefan Zager <szager@chromium.org> Cr-Commit-Position: refs/heads/master@{#558854} [modify] https://crrev.com/30e13fedc89b7dc4c43e97b8e40407a2b58ea571/third_party/blink/renderer/core/frame/local_frame_view.cc [modify] https://crrev.com/30e13fedc89b7dc4c43e97b8e40407a2b58ea571/third_party/blink/renderer/platform/geometry/int_rect.h
,
May 16 2018
ClusterFuzz has detected this issue as fixed in range 558852:558859. Detailed report: https://clusterfuzz.com/testcase?key=5127208704933888 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::IntRect::MaxY blink::LocalFrameView::RecordDeferredLoadingStats blink::LocalFrameView::UpdateViewportIntersectionsForSubtree Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=549059:549062 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=558852:558859 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5127208704933888 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 16 2018
ClusterFuzz testcase 5127208704933888 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||
►
Sign in to add a comment |
|||
Comment 1 by ClusterFuzz
, May 12 2018Labels: Test-Predator-Auto-Components