Issue 856873

Issue metadata

Status: WontFix
Closed: Jul 11
OS: Linux
Pri: 2
Type: Bug

Integer-overflow in position_cluster

Reported by ClusterFuzz (Project Member), Jun 27 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4739830937026560

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  position_cluster
  hb_ot_position
  hb_ot_shape_internal
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=497420:497430

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4739830937026560

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jun 27 2018

Components: Blink>Fonts
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jun 27 2018

Labels: Test-Predator-Auto-Owner
Owner: kojii@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/85b84a4d900effddac4b32e7774d23f51fd562e0 (Fix mid-word-break to handle grapheme clusters).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by kojii@chromium.org, Jun 27 2018

Cc: drott@chromium.org e...@chromium.org behdad@chromium.org
behdad@, eae@, drott@, could you advise?

It is overflowing in positioning marks. I think this is safe, no worries in terms of security, etc. Is WontFix appropriate?

.../hb-ot-shape-fallback.cc:272:27: runtime error: signed integer overflow: -2147221504 + -720896 cannot be represented in type 'int'
 #0 0x55d63bb00783 in position_cluster(hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*, unsigned int, unsigned int) third_party/harfbuzz-ng/src/src/hb-ot-shape-fallback.cc
 #1 0x55d63bb097ee in hb_ot_position third_party/harfbuzz-ng/src/src/hb-ot-shape.cc:779:5
 #2 0x55d63bb097ee in hb_ot_shape_internal(hb_ot_shape_context_t*) third_party/harfbuzz-ng/src/src/hb-ot-shape.cc:862
 #3 0x55d63bb062e2 in _hb_ot_shape third_party/harfbuzz-ng/src/src/hb-ot-shape.cc:889:3
 #4 0x55d63bb10394 in hb_shape_plan_execute third_party/harfbuzz-ng/src/src/hb-shaper-list.hh:43:1
 #5 0x55d63bb10f72 in hb_shape_full third_party/harfbuzz-ng/src/src/hb-shape.cc:132:19
 #6 0x55d645721c77 in ShapeRange third_party/blink/renderer/platform/fonts/shaping/harf_buzz_shaper.cc:242:3
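
The overflow quoted in the UBSan line above, as an added example that is not HarfBuzz's or Chromium's code: a hypothetical `int` offset accumulator (`add_offset_ub`, an assumed name) that reproduces the report on the two addends from the sanitizer output, beside an overflow check and two ways of making the same addition well-defined, one saturating and one wrapping. The addends are taken from the report; every function name is an assumption made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: the two addends from the UBSan line in comment 3.
 * Their true sum, -2147942400, lies below INT_MIN (-2147483648). */
#define REPORTED_LHS (-2147221504)
#define REPORTED_RHS (-720896)

/* Hypothetical offset accumulation, not HarfBuzz's code: plain int addition.
 * On the sample input this is signed overflow, i.e. undefined behaviour in C,
 * which is exactly what -fsanitize=signed-integer-overflow reports. */
int add_offset_ub(int pos, int delta) {
    return pos + delta;
}

/* Detect whether pos + delta would overflow int, without performing the UB.
 * The check runs in 64-bit arithmetic, so it is defined for every int input. */
bool add_would_overflow(int pos, int delta) {
    int64_t wide = (int64_t)pos + (int64_t)delta;
    return wide < INT_MIN || wide > INT_MAX;
}

/* Alternative 1: clamp to the int range instead of overflowing (saturating add).
 * __builtin_add_overflow is a GCC/Clang builtin: it returns true on overflow and
 * stores the wrapped value, which is discarded here in favour of the clamp. */
int add_offset_sat(int pos, int delta) {
    int out;
    if (__builtin_add_overflow(pos, delta, &out))
        return delta < 0 ? INT_MIN : INT_MAX;
    return out;
}

/* Alternative 2: wrap modulo 2^32 deliberately. Unsigned overflow is defined in
 * C, so the sum is formed in uint32_t and mapped back into int explicitly (the
 * two's-complement reinterpretation spelled out, with no signed overflow). */
int add_offset_wrap(int pos, int delta) {
    uint32_t sum = (uint32_t)pos + (uint32_t)delta;
    if (sum > (uint32_t)INT_MAX)
        return (int)(sum - 0x80000000u) - INT_MAX - 1;
    return (int)sum;
}

int main(void) {
    printf("overflows: %s\n", add_would_overflow(REPORTED_LHS, REPORTED_RHS) ? "yes" : "no");
    printf("saturated: %d\n", add_offset_sat(REPORTED_LHS, REPORTED_RHS));
    printf("wrapped:   %d\n", add_offset_wrap(REPORTED_LHS, REPORTED_RHS));
    /* Uncomment to watch UBSan fire when built with
     * -fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined:
     * printf("ub: %d\n", add_offset_ub(REPORTED_LHS, REPORTED_RHS)); */
    return 0;
}
```

Build with `cc -fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined` to see the same "cannot be represented in type 'int'" message the bot reported. Whether a wrapped value matters depends on what consumes it: a glyph offset feeds only positioning, which is why a wrap here is a rendering glitch rather than a memory-safety bug, whereas a value later used as an index or length would need the checked or saturating form.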

Comment 4 by behdad@google.com, Jun 27 2018

It's definitely safe. I'll take a look later.  I thought I fixed this one.

Comment 5 Deleted

Comment 6 Deleted

Comment 7 by behdad@google.com, Jun 30 2018

Commented on wrong bug; deleting irrelevant comments.

Comment 8 by ClusterFuzz (Project Member), Jul 3

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 4739830937026560 appears to be flaky, updating reproducibility label.

Comment 9 by ClusterFuzz (Project Member), Jul 11

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4739830937026560 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.