
Issue 904872 link

Issue metadata

Status: Verified
Closed: Nov 14
OS: Linux
Pri: 2
Type: Bug




Float-cast-overflow in blink::CSSPrimitiveValue::Create

Reported by ClusterFuzz (Project Member), Nov 13

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4533684314832896

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSPrimitiveValue::Create
  blink::ValueForMatrixTransform
  blink::ComputedStyleUtils::ComputedTransform
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4533684314832896

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Nov 13

Components: Blink>CSS
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: tkent@chromium.org andruud@chromium.org kkaluri@chromium.org jbroman@chromium.org f...@opera.com
Labels: M-71 CF-NeedsTriage
Predator has provided 6 possible suspects 

1. Fix crash when setting aliases on computed style. by andruud@chromium.org
2. Replace unique_ptr<HashMap<>> with HashMap<> for CSS variable data. by jbroman@chromium.org
3. Fix Pi-related constants for Chromium C++ style. by tkent@chromium.org
4. Reland: "[CI] Convert SVG resources to use SVGResource" by fs@opera.com
5. [CI] Convert SVG resources to use SVGResource by fs@opera.com
6. Revert "[CI] Convert SVG resources to use SVGResource" by fs@opera.com

CC'ing the owners for further triage
Owner: futhark@chromium.org
Status: Started (was: Untriaged)
None of the suspected CLs look relevant.

I think I've seen this before - likely a NaN getting passed to CSSPrimitiveValue::Create (which does a static_cast<int>(...) IIRC.)

Comment 5 by bugdroid1@chromium.org (Project Member), Nov 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/643f4512490bc82c35684c4adf99a5b959eb3405

commit 643f4512490bc82c35684c4adf99a5b959eb3405
Author: Rune Lillesveen <futhark@chromium.org>
Date: Wed Nov 14 10:43:28 2018

Clamp double to int instead of using static_cast.

Better overflow handling for CSSPrimitiveValue::Create.

Bug:  904872 
Change-Id: Ieafc28406497b4a676994efdc6515959549a7ba1
Reviewed-on: https://chromium-review.googlesource.com/c/1335527
Reviewed-by: Anders Ruud <andruud@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#607947}
[modify] https://crrev.com/643f4512490bc82c35684c4adf99a5b959eb3405/third_party/blink/renderer/core/css/css_primitive_value.cc

Status: Fixed (was: Started)
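The commit above replaces a bare static_cast<int>(double) with a clamp. The example below, added here and not Chromium's or Blink's code, shows why that matters: C++ leaves the conversion undefined when the truncated value is not representable as int, which is exactly what happens for NaN and for out-of-range matrix entries, and it is what UBSan reports as float-cast-overflow. ClampDoubleToInt and StaticCastToIntIsDefined are hypothetical helpers written for this illustration (Blink's fix uses its own clamping helper; the NaN-to-0 choice here mirrors the convention of Chromium's base::saturated_cast but is not taken from the patched file).

```cpp
// Added example, not Chromium/Blink code: the float-cast-overflow class of
// bug and a clamping replacement for static_cast<int>(double).
#include <cmath>
#include <cstdio>
#include <limits>

// The pattern UBSan flagged (stand-in for the pre-fix code): converting a
// double to int with no range check. Undefined behaviour for NaN, +/-inf,
// and any value whose truncation does not fit in int.
int CreateLikeBeforeFix(double value) {
  return static_cast<int>(value);
}

// Is static_cast<int>(value) well defined? C++ requires the truncated value
// to be representable in int; NaN and infinities never are.
bool StaticCastToIntIsDefined(double value) {
  if (std::isnan(value) || std::isinf(value))
    return false;
  const double truncated = std::trunc(value);
  return truncated >= static_cast<double>(std::numeric_limits<int>::min()) &&
         truncated <= static_cast<double>(std::numeric_limits<int>::max());
}

// Hypothetical clamping replacement: saturate to [INT_MIN, INT_MAX] and map
// NaN to 0 so every double has a defined result. INT_MIN and INT_MAX are
// exactly representable as doubles, so the comparisons are exact.
int ClampDoubleToInt(double value) {
  if (std::isnan(value))
    return 0;
  if (value >= static_cast<double>(std::numeric_limits<int>::max()))
    return std::numeric_limits<int>::max();
  if (value <= static_cast<double>(std::numeric_limits<int>::min()))
    return std::numeric_limits<int>::min();
  return static_cast<int>(value);  // in range now; truncates toward zero
}

int main() {
  // Constructed inputs of the kind a matrix() transform can produce: a
  // NaN from 0/0, an overflowed scale, and an ordinary value.
  const double samples[] = {0.0 / 0.0, 1e300 * 1e300, -1e10, 2147483648.0, 2.75};
  for (double v : samples) {
    const bool defined = StaticCastToIntIsDefined(v);
    // Only take the unchecked path when the language actually defines it.
    const int raw = defined ? CreateLikeBeforeFix(v) : 0;
    std::printf("%g: static_cast defined=%d (raw=%d) clamped=%d\n",
                v, defined, raw, ClampDoubleToInt(v));
  }
  return 0;
}
```

Build with clang++ -fsanitize=float-cast-overflow and call CreateLikeBeforeFix on the NaN sample without the guard to see the same sanitizer report class as in this bug; with the clamp in place the sanitizer stays silent.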

Comment 7 by ClusterFuzz (Project Member), Nov 15

ClusterFuzz has detected this issue as fixed in range 607946:607947.

Detailed report: https://clusterfuzz.com/testcase?key=4533684314832896

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::CSSPrimitiveValue::Create
  blink::ValueForMatrixTransform
  blink::ComputedStyleUtils::ComputedTransform
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=607946:607947

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4533684314832896

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Nov 15

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4533684314832896 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.