Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5648362934370304

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::maxY
  blink::IntRect::intersect
  blink::CompositingInputsUpdater::updateRecursive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97mPfESSEN2kjQlv0Rj5Gv4x3n5Q9P0Tj3xhPmLz0irwmuWLyYVJrdiqGQq9RcGQBRsf_CM9_7vsGXSRWhluRcrCpS1BYdOXn_mp93zWkl983fDiLGFwnEalTfq9VoB-kssmsQyFrgHeLeq-MqQJvp54Hz96g?testcase_id=5648362934370304
<dl style='motion-path: path("M -57 18446744073709551513 V 114"); '>


Additional requirements: Requires HTTP

Filer: thestig

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

eae@, Any update on this please.

Not eae@'s problem. I'll look into it.

This is indeed likely to be integer overflow, but it's not dangerous in any sense in that we correctly handle negative widths/heights in rects and negative positions. Odd things might happen, but it's not dangerous.

It can probably be fixed, but only at significant performance cost. I want to suppress this. How do I do that?

ClusterFuzz has detected this issue as fixed in range 414800:414808.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5916848453582848

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::maxX
  blink::IntRect::intersect
  blink::CompositingInputsUpdater::updateRecursive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=414800:414808

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94VWcKXqER5fRKbXIFvGNFn_S27U5cTxTB6xoM7TYCbdW6CR0VnDZOG1RmbU1ihjGhcg1mwDFAm7hBWyt0cOv8v6IqOJDbd7I7GBokqV1LaXtKzcuAhzuitcOsBtD-O8fjCmOFiXaSEKU5KNTv-OxRo1YPMfg?testcase_id=5916848453582848
<style>
@keyframes cfpulse1 { 0% { opacity: 0.4751;  } 
 100% { opacity: 0.619;  } }
* { animation-name: cfpulse95; motion-path: path("M 18446744073709551482 -45 V 1");


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Hi, I also got a integer overflow on blink::IntRect bug, what should be the strategy? Should I just suppress it? How do I do that? Thanks.

@Xidachen, I would recommend manually looking into it and determining if it is a security issue or not. If it is not, you can close the bug as wontfix. If it is, consider using saturated arithmetic.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz testcase 5648362934370304 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.