New issue
Advanced search Search tips

Issue 923257 link

Starred by 1 user
Status: Started
Owner:
juanmihd@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::CanvasRenderingContextHost::RecordCanvasSizeToUMA

Project Member Reported by ClusterFuzz, Jan 18 (4 days ago) 
Detailed report: https://clusterfuzz.com/testcase?key=4710440152203264

Fuzzer: jesse_avalanche
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::CanvasRenderingContextHost::RecordCanvasSizeToUMA
  blink::HTMLCanvasElement::FinalizeFrame
  blink::CanvasRenderingContext::DidProcessTask
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=623713:623723

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4710440152203264

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Project Member

Comment 1 by ClusterFuzz, Jan 18 (4 days ago)

Components: Blink>Canvas
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 18 (4 days ago)

Labels: Test-Predator-Auto-Owner
Owner: fs...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1af1a2bb4f3c299563fa03275a09d2cc8ddb130e (Record Canvas sizes on first draw).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by juanmihd@chromium.org, Jan 18 (4 days ago)

Owner: juanmihd@chromium.org
Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Today (12 hours ago) 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c5ce0fbf4c1be4fac693d0a2589b36931b2cc73f

commit c5ce0fbf4c1be4fac693d0a2589b36931b2cc73f
Author: juanmihd <juanmihd@chromium.org>
Date: Tue Jan 22 17:39:11 2019

Safe calculation of sqrt of number of pixel for RecordCanvasSizeToUMA

Using size.Area() to calculate the sarea of the size to avoid overflow
errors it returns uint64_t and to use functions that already do that
(instead of reimplementing them).

Bug: 923257
Change-Id: I5e8d329711d66f322ea76df745f5cbbb8b9d25cb
Reviewed-on: https://chromium-review.googlesource.com/c/1422524
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Commit-Queue: Juanmi Huertas <juanmihd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#624820}
[modify] https://crrev.com/c5ce0fbf4c1be4fac693d0a2589b36931b2cc73f/third_party/blink/renderer/core/html/canvas/canvas_rendering_context_host.cc

Sign in to add a comment