Integer-overflow in position_around_base
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5471279971565568
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  position_around_base
  position_cluster
  hb_ot_position
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=538214:538215
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5471279971565568

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 19
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f316d5f1b672a7bb0d726610392633ae0565b129 (Roll clang 324578:325667.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Sep 20
behdad@, can you please triage this regression? Unsure if this is even related to the clang roll; seems unlikely.
Sep 20
Unlikely to be a regression. Has been flaky. I fixed one instance before:
https://bugs.chromium.org/p/chromium/issues/detail?id=734820
Another two were marked verified:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5584
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3717
I'll take a look, but it is not serious, and unlikely to be related to the clang roll.
Sep 20
Looking at the test case, it looks like a real overflow. The test consists of over 500 stacking combining marks with a huge font size. Not sure we want to do anything about it.
Sep 20
Dominik, does Blink's Skia-HarfBuzz layer work in 16.16 fixed? Maybe we can change that to 24.8.
Oct 22
Behdad@, any more opinions on this?

> does Blink's Skia-HarfBuzz layer work in 16.16 fixed?

Do you mean the values that Blink passes to HarfBuzz from Skia? For which values? For variation axes? For advances? For most of the values, we use https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc?sq=package:chromium&dr=C&g=0&l=144 which converts from float to hb_position_t using SkScalarToHbPosition()
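Added example, not code from this thread or from HarfBuzz, Skia or Blink: a constructed model of the overflow the Sep 20 comments describe (hundreds of stacked combining marks at a huge font size) and of the 16.16 versus 24.8 question, using a checked accumulation that reports the wrap instead of triggering the undefined behaviour UBSAN flags. The float-to-fixed helper, the 32-bit hb_position_t and the 100 px mark height are assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not HarfBuzz's code): hb_position_t is a 32-bit int and
 * the unit ("one") decides how many integer bits are left for a position. */
typedef int32_t hb_position_t;
#define FIXED_16_16_ONE ((int32_t)1 << 16)   /* 16 integer bits, 16 fractional */
#define FIXED_24_8_ONE  ((int32_t)1 << 8)    /* 24 integer bits,  8 fractional */

/* Assumed float -> fixed conversion with clamping, standing in for a
 * SkScalar -> hb_position_t helper; the clamp only protects this one value. */
hb_position_t float_to_fixed(float value, int32_t one) {
    double scaled = (double)value * one;
    if (scaled > (double)INT32_MAX) return INT32_MAX;
    if (scaled < (double)INT32_MIN) return INT32_MIN;
    return (hb_position_t)scaled;
}

/* Stack n combining marks, each lifted by the height of the previous one.
 * Returns false as soon as the running offset would wrap (the signed overflow
 * UBSAN reports) and leaves *y_offset at the last value that still fit. */
bool stack_marks(int n, hb_position_t mark_height, hb_position_t *y_offset) {
    hb_position_t y = 0;
    for (int i = 0; i < n; i++) {
        hb_position_t next;
        if (__builtin_add_overflow(y, mark_height, &next)) {
            *y_offset = y;
            return false;
        }
        y = next;
    }
    *y_offset = y;
    return true;
}

int main(void) {
    const int marks = 500;         /* "over 500 stacking combining marks" */
    const float mark_px = 100.0f;  /* constructed: mark height at a huge font size */
    hb_position_t y;
    bool ok16 = stack_marks(marks, float_to_fixed(mark_px, FIXED_16_16_ONE), &y);
    printf("16.16: %s, last safe offset %" PRId32 "\n", ok16 ? "ok" : "OVERFLOW", y);
    bool ok24 = stack_marks(marks, float_to_fixed(mark_px, FIXED_24_8_ONE), &y);
    printf("24.8:  %s, total offset %" PRId32 " (%.1f px)\n",
           ok24 ? "ok" : "OVERFLOW", y, (double)y / FIXED_24_8_ONE);
    return 0;
}
```

With these constructed inputs the 16.16 sum wraps on the 328th mark (327 * 6553600 is the last sum below INT32_MAX), while the same 500 offsets in 24.8 total 12800000, i.e. 50000 px.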
Oct 27
ClusterFuzz has detected this issue as fixed in range 603031:603039.

Detailed report: https://clusterfuzz.com/testcase?key=5471279971565568
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  position_around_base
  position_cluster
  hb_ot_position
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=538214:538215
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=603031:603039
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5471279971565568

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 27
ClusterFuzz testcase 5471279971565568 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.