Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: fs@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/783b3b1811de3a0b96fe12147d3e80ea8bede329
Time: Fri Aug 01 06:46:44 2014
The CL last changed line 940 of file CSSSelector.cpp, which is stack frame 0.

Author: rune
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4b3bb3fcc9a3e6a9248cd4592e4f1f61a6462cf8
Time: Tue Feb 09 12:06:28 2016
The CL last changed line 718 of file SelectorChecker.cpp, which is stack frame 1.

Author: esprehn@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d9aff8d5b6ed0018a6d4e93f8ee711fe51ca0c2f
Time: Wed May 27 16:29:31 2015
The CL last changed line 575 of file SelectorChecker.cpp, which is stack frame 2.

Author: esprehn@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d9aff8d5b6ed0018a6d4e93f8ee711fe51ca0c2f
Time: Wed May 27 16:29:31 2015
The CL last changed line 200 of file SelectorChecker.cpp, which is stack frame 3.

Author: esprehn@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d72bfc56ef81de8c54278a2367cd0c3144c5d4e2
Time: Thu May 07 20:59:17 2015
The CL last changed line 248 of file SelectorChecker.cpp, which is stack frame 4.

Author: esprehn@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/78107cdd6a19d75e3a27c499dc7abad3c9aa8f5c
Time: Thu May 07 06:17:42 2015
The CL last changed line 225 of file SelectorChecker.cpp, which is stack frame 5.

Author: esprehn
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/5fd34623831645fa2236fe976caad13d12fcc473
Time: Mon Feb 01 15:41:09 2016
The CL last changed line 116 of file SelectorChecker.h, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>CSS

Possible suspect : https://chromium.googlesource.com/chromium/src//+/d9aff8d5b6ed0018a6d4e93f8ee711fe51ca0c2f

Please reassign if this is not related to your change.

That function is:

    if (!nthAValue())
        return count == nthBValue();
    if (nthAValue() > 0) {
        if (count < nthBValue())
            return false;
        return (count - nthBValue()) % nthAValue() == 0;
    }
    if (count > nthBValue())
        return false;
    return (nthBValue() - count) % (-nthAValue()) == 0;

the test case does:

-4294967077n+78
A=-4294967077
B=78

so we do

    if (count > -4294967077)
        return false;
    return (78 - count) % (-4294967077) == 0;

I think?

Anyway someone from the style team should fix this if we want to fix it. It's not clear to me that overflow when you do crazy things in your CSS is worth adding a bunch of saturated math or checked math.

I'm not sure either. I suspect it's not so long as it's not a security risk (which it doesn't look to me like it is)?

Sounds like wontfix then?

Actually looking at this now the bug is almost certainly has the same cause as  http://crbug.com/628865 

It looks like nthAValue() becomes the minimum integer value (a negative number), because we cast the (big!) parsed double value to an int in CSSSelectorParser::consumeANPlusB:

static_cast<int>(token.numericValue())

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/parser/CSSSelectorParser.cpp?l=645

Then, the value can't be negated because it becomes itself (which is what the fuzzer is complaining about).

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5262783587549184

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::CSSSelector::RareData::matchNth
  blink::SelectorChecker::checkPseudoClass
  blink::SelectorChecker::checkOne
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97imZBNqNL7WtryLoaM9Jm2Ej4mcwGyVeGZ93MMujI-Ea54mtsK8e0wAnzs1muDFxpMItPs9UZnTzAEskvL7McvzcDnGlPdI4LeupkV-QhvXS5y0y6PfUdlpg93-ALGwdA-fRN9_q55Y_izT-9OHEXFx42ToA?testcase_id=5262783587549184
<style>td {
    }
td:nth-last-child(-4294967077n+78) {
    height: 3em
</style>
  <table>
    <td>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5262783587549184 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.