Issue 846010


Issue metadata

Status: Verified
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




Integer-overflow in SkPerlinNoiseShaderImpl::PaintingData::stitch

Project Member Reported by ClusterFuzz, May 23 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5922884325998592

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkPerlinNoiseShaderImpl::PaintingData::stitch
  SkPerlinNoiseShaderImpl::PaintingData::PaintingData
  std::__1::unique_ptr<SkPerlinNoiseShaderImpl::PaintingData, std::__1::default_de
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=555640:555648

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5922884325998592

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 23 2018

Components: Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, May 23 2018

Cc: enne@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by enne@chromium.org, Jun 5 2018

Cc: infe...@chromium.org
Labels: -Pri-2 Pri-3
Owner: fmalita@chromium.org
Status: Assigned (was: Untriaged)
Assigning this integer overflow to fmalita for triage.

Values:
  tileHeight 1048576.000000
  freq 604462909807314587353088.000000
  height 2147483520 (converted to int)
  height + kPerlinNoise overflows

There are other parts of this file that also look like they will integer overflow, and I'm not sure how to handle this myself.

I'm not sure how important of an issue this is.  I don't think this would block oop-r shipping.
Cc: kjlubick@chromium.org
Status: Started (was: Assigned)
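The numbers in the triage comment describe a two-step failure: the tile dimension times the frequency is saturated to the largest int a 32-bit float can hold exactly (2147483520), and adding kPerlinNoise to that result then exceeds INT_MAX, which is the signed overflow UBSAN reports. The C++ below is an added illustration written for this page; it is not Skia's code and not the change made in the fix commit. The helper names, the saturating conversion, and the value 4096 for kPerlinNoise are assumptions made for the example.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>
#include <utility>

// Constructed example: mirrors the arithmetic described in the triage comment,
// not Skia's implementation. The constant's value is an assumption.
constexpr int kPerlinNoise = 4096;

// Largest int a 32-bit float represents exactly (2^31 - 2^7). Saturating to it
// keeps the float->int conversion defined for out-of-range inputs and matches
// the "height 2147483520" figure in the report.
constexpr int kMaxIntFitsInFloat = 2147483520;

int saturate_to_int(float x) {
    if (std::isnan(x)) return 0;
    if (x >= static_cast<float>(kMaxIntFitsInFloat)) return kMaxIntFitsInFloat;
    if (x <= static_cast<float>(-kMaxIntFitsInFloat)) return -kMaxIntFitsInFloat;
    return static_cast<int>(x);
}

// The unchecked pattern: saturation keeps the conversion defined, but the
// following `height + kPerlinNoise` can still exceed INT_MAX. This version
// detects that case and returns {false, 0} instead of evaluating the
// overflowing addition.
std::pair<bool, int> stitch_wrap_checked(float tileHeight, float freq) {
    int height = saturate_to_int(tileHeight * freq);
    if (height > INT_MAX - kPerlinNoise) return {false, 0};  // would overflow
    return {true, height + kPerlinNoise};
}

// One hardening strategy: clamp the dimension so the later addition has
// headroom by construction. Illustrative only, not the commit's exact change.
int stitch_wrap_hardened(float tileHeight, float freq) {
    constexpr int kMaxDim = INT_MAX - kPerlinNoise;
    int height = saturate_to_int(tileHeight * freq);
    if (height > kMaxDim) height = kMaxDim;
    return height + kPerlinNoise;
}

int main() {
    // Inputs taken from the triage comment: tileHeight 1048576, freq 2^79.
    const float tileHeight = 1048576.0f;
    const float freq = 604462909807314587353088.0f;
    std::pair<bool, int> checked = stitch_wrap_checked(tileHeight, freq);
    if (!checked.first) {
        std::printf("checked: height %d + %d would overflow int\n",
                    saturate_to_int(tileHeight * freq), kPerlinNoise);
    }
    std::printf("hardened: wrap = %d (INT_MAX = %d)\n",
                stitch_wrap_hardened(tileHeight, freq), INT_MAX);
    return 0;
}
```

With the report's inputs the product is 2^99, far beyond int range, so the saturating conversion yields 2147483520 and the checked variant refuses the addition; the clamped variant yields exactly INT_MAX. The same code on an ordinary tile (for example 256 by 0.05) produces 12 + 4096 = 4108 either way, which is the point of a clamp: it changes only the inputs that would otherwise be undefined behaviour.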
Project Member

Comment 5 by bugdroid1@chromium.org, Jun 6 2018

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/102c8cf26e2886ba783a2b54827e1f5d1cf0a774

commit 102c8cf26e2886ba783a2b54827e1f5d1cf0a774
Author: Florin Malita <fmalita@chromium.org>
Date: Wed Jun 06 13:02:56 2018

Harden SkPerlinNoiseShader StitchData initialization

... to ensure fWrap{X,Y} don't overflow int.

Bug: chromium:846010, oss-fuzz:8377
Change-Id: I7cf082e388002ad5f8a6c62bad92f998fe831385
Reviewed-on: https://skia-review.googlesource.com/132222
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>

[modify] https://crrev.com/102c8cf26e2886ba783a2b54827e1f5d1cf0a774/src/shaders/SkPerlinNoiseShader.cpp

Project Member

Comment 6 by bugdroid1@chromium.org, Jun 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b34141f7b3d0424af66932d308e76a8185108306

commit b34141f7b3d0424af66932d308e76a8185108306
Author: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed Jun 06 19:44:31 2018

Roll src/third_party/skia c27967f..f454bd3 (7 commits)

https://skia.googlesource.com/skia.git/+log/c27967f..f454bd3


git log c27967f..f454bd3 --date=short --no-merges --format='%ad %ae %s'
2018-06-06 mtklein@chromium.org rm TestConfigParsing
2018-06-06 senorblanco@chromium.org GrTessellator: yet another out-of-range splitting fix.
2018-06-06 fmalita@chromium.org Build skottie_tool on Linux only
2018-06-06 kjlubick@google.com Add fuzzer option for Blur w/o occluder
2018-06-06 halcanary@google.com Revert "Have draw(Text|PosText|PosTextH) use a single entry on the device"
2018-06-06 fmalita@chromium.org Harden SkPerlinNoiseShader StitchData initialization
2018-06-06 caryclark@skia.org work around bug 8051


Created with:
  gclient setdep -r src/third_party/skia@f454bd3

The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG=chromium:846014, chromium:846010
TBR=halcanary@chromium.org

Change-Id: I131a101b1c9cdb346382716f685d65766994e5c3
Reviewed-on: https://chromium-review.googlesource.com/1089174
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#565005}
[modify] https://crrev.com/b34141f7b3d0424af66932d308e76a8185108306/DEPS

Project Member

Comment 7 by ClusterFuzz, Jun 7 2018

ClusterFuzz has detected this issue as fixed in range 565000:565016.

Detailed report: https://clusterfuzz.com/testcase?key=5922884325998592

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  SkPerlinNoiseShaderImpl::PaintingData::stitch
  SkPerlinNoiseShaderImpl::PaintingData::PaintingData
  std::__1::unique_ptr<SkPerlinNoiseShaderImpl::PaintingData, std::__1::default_de
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=555640:555648
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=565000:565016

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5922884325998592

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Jun 7 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5922884325998592 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
