Integer-overflow in blink::CSSSelectorParser::consumeANPlusB
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5687064784011264
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::CSSSelectorParser::consumeANPlusB
  blink::CSSSelectorParser::consumePseudo
  blink::CSSSelectorParser::consumeSimpleSelector
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97o7zEOcQ6x50zmj2vS_-lW1kG8xTXlJ2oeZeLqHNwYuXnjSWqMFYGn7lCJpdTAYju3zbjkcm0NeCxBYMQDycfgOrL16cyhqaglVv98-Q1_DJA0huHv86DKXPORYTWF-CB5Qd3Fi-5zKqF_PtYVIzRC4V5ZfQ?testcase_id=5687064784011264

  <style>
  .c17:nth-child( N- 3091970736) { border-top-width: 3;

Filer: thestig

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
Suspected CLs

No CL in the regression range changes the crashed files. The result is the blame information.

Author: timloh@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/028e8f6c204380d650c96cb4780847c9bcd41d77
Time: Tue Jan 13 04:39:53 2015
The CL last changed line 715 of file CSSSelectorParser.cpp, which is stack frame 0.

Author: esprehn@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e356f4be77e9854a5f03a538c552df76d2e75234
Time: Sat May 23 03:14:54 2015
The CL last changed line 557 of file CSSSelectorParser.cpp, which is stack frame 1.

Author: timloh@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c0cb3af24f1ab1e2fae241959d78bcd89a240182
Time: Mon Jan 12 23:19:45 2015
The CL last changed line 350 of file CSSSelectorParser.cpp, which is stack frame 2.

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 308 of file CSSSelectorParser.cpp, which is stack frame 3.

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 178 of file CSSSelectorParser.cpp, which is stack frame 4.

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 110 of file CSSSelectorParser.cpp, which is stack frame 5.

Author: kouhei
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/489a856dea190679b1f72e9640f048732651338b
Time: Thu Dec 17 07:52:48 2015
The CL last changed line 93 of file CSSSelectorParser.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>CSS
Possible suspect: https://chromium.googlesource.com/chromium/src//+/028e8f6c204380d650c96cb4780847c9bcd41d77

Please reassign if this is not related to your change.
Jul 19 2016
Someone from the style team should triage this. It's not clear to me if fixing crazy big integers in CSS selectors is worth the performance cost.
Jul 20 2016
Not sure when we'd have cycles to do this, but added to our backlog.
Jul 20 2016
Jul 20 2016
Jul 20 2016
Jul 20 2016
This behaviour should be safe (excluding the usual C++ caveats about UB), so I don't think it's worth fixing. I wouldn't be surprised if there were plenty of other places where we negate ints from user input. inferno@, is there any good reason to fix this?
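The report above flags a signed integer overflow while consumeANPlusB handles the B term of "N- 3091970736", and the comment above notes that negating user-supplied ints is the general pattern behind it. The following is an added illustration written for this page, not Blink's consumeANPlusB and not code from anyone on this thread: a small An+B parser that reads the magnitude with a capped accumulator and applies the sign in 64-bit arithmetic with a range check, so an out-of-range coefficient is rejected instead of being negated as an int. It assumes a 32-bit int and simplifies the CSS grammar by stripping all whitespace up front; the names (ANPlusB, parseANPlusB, readMagnitude, toInt, kMaxMagnitude) are my own.

```cpp
#include <cctype>
#include <climits>
#include <cstdio>
#include <string>

// Parsed An+B expression. ok == false means the input was rejected, either
// because of a syntax error or because a coefficient does not fit in int.
struct ANPlusB {
  bool ok;
  int a;
  int b;
};

// Largest magnitude any int coefficient can have: 2^31 (reachable only as
// INT_MIN after negation). Assumes a 32-bit int.
static const unsigned long long kMaxMagnitude =
    static_cast<unsigned long long>(INT_MAX) + 1ULL;

static bool atDigit(const std::string& s, size_t i) {
  return i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]));
}

// Reads a digit run starting at s[i] into out. The accumulator is checked
// before each step so it never exceeds kMaxMagnitude (and so never overflows
// itself). Returns false if the magnitude would exceed that cap.
static bool readMagnitude(const std::string& s, size_t& i, unsigned long long& out) {
  out = 0;
  while (atDigit(s, i)) {
    unsigned long long digit = static_cast<unsigned long long>(s[i] - '0');
    if (out > (kMaxMagnitude - digit) / 10) return false;  // would exceed 2^31
    out = out * 10 + digit;
    ++i;
  }
  return true;
}

// Applies the sign in 64-bit arithmetic and range-checks the result, so the
// negation is never performed on a value that does not fit an int.
static bool toInt(bool negative, unsigned long long magnitude, int* out) {
  long long v = static_cast<long long>(magnitude);
  if (negative) v = -v;
  if (v < INT_MIN || v > INT_MAX) return false;
  *out = static_cast<int>(v);
  return true;
}

// Parses "odd", "even", "An+B", "An-B", "An", "n", "-n+B", "B", "+B", "-B".
// Simplification (assumption): all whitespace is dropped first, which is
// looser than the CSS grammar but enough to accept the fuzzer's "N- 3091970736".
ANPlusB parseANPlusB(const std::string& input) {
  const ANPlusB fail = {false, 0, 0};
  std::string s;
  for (char c : input) {
    if (!std::isspace(static_cast<unsigned char>(c)))
      s += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  }
  if (s == "odd") return {true, 2, 1};
  if (s == "even") return {true, 2, 0};

  size_t i = 0;
  bool neg = false;
  if (i < s.size() && (s[i] == '+' || s[i] == '-')) { neg = (s[i] == '-'); ++i; }

  unsigned long long mag = 1;  // implicit coefficient for "n", "+n", "-n"
  bool sawDigits = atDigit(s, i);
  if (sawDigits && !readMagnitude(s, i, mag)) return fail;

  ANPlusB result = {true, 0, 0};
  if (i < s.size() && s[i] == 'n') {
    ++i;
    if (!toInt(neg, mag, &result.a)) return fail;
    if (i == s.size()) return result;  // "An" with B == 0
    if (s[i] != '+' && s[i] != '-') return fail;
    bool negB = (s[i] == '-');
    ++i;
    unsigned long long magB = 0;
    if (!atDigit(s, i) || !readMagnitude(s, i, magB)) return fail;
    if (i != s.size() || !toInt(negB, magB, &result.b)) return fail;
    return result;
  }
  // No 'n': the whole expression is a bare B.
  if (!sawDigits || i != s.size() || !toInt(neg, mag, &result.b)) return fail;
  return result;
}

int main() {
  // Constructed sample inputs, including the fuzzer's minimized testcase.
  const char* samples[] = {"odd", "3n+1", "-n+2", "n- 3091970736",
                           "n-2147483648", "n+2147483648"};
  for (const char* s : samples) {
    ANPlusB r = parseANPlusB(s);
    if (r.ok) std::printf("%-16s -> a=%d b=%d\n", s, r.a, r.b);
    else      std::printf("%-16s -> rejected\n", s);
  }
  return 0;
}
```

The cap on the accumulator is what keeps the check honest: because the magnitude can never exceed 2^31, the 64-bit intermediate in toInt is always well defined, and the only values that survive are exactly those representable as int, including INT_MIN for "n-2147483648" but not "n+2147483648".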
Jul 21 2016
Aug 7 2016
Oct 11 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 20 2016
Issue 675065 has been merged into this issue.
Dec 22 2016
ClusterFuzz testcase 4513614192181248 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 12 2017
ClusterFuzz has detected this issue as fixed in range 470772:470990.

Detailed report: https://clusterfuzz.com/testcase?key=5687064784011264
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::CSSSelectorParser::consumeANPlusB
  blink::CSSSelectorParser::consumePseudo
  blink::CSSSelectorParser::consumeSimpleSelector
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=470772:470990
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5687064784011264

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by thestig@chromium.org, Jul 16 2016
Components: Blink>CSS