Issue metadata
Sign in to add a comment
|
Integer-overflow in int WTF::toIntegralType<int, unsigned char> |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5164804327342080 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> blink::HTMLOListElement::parseAttribute blink::Element::attributeChanged Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Q3OB_qAs1J-S9YPVImmTHTQECJUqX6KSQtWlQNWwZ-kHT7hAE_8MUaXsaTkwXMrm_9bjQc28Up07K_N-Wz5bidVALqiBok8ZC3_bH-VIDp0_GklJpeAmn6f4HQpHdHNVO7_EeJHPUpoRhSV4Hf3MoHQwd3w?testcase_id=5164804327342080 <ol start=-2147483648> Additional requirements: Requires HTTP Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 20 2016
,
Jul 20 2016
,
Jul 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5617733819695104 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> blink::HTMLLIElement::parseValue blink::HTMLLIElement::attachLayoutTree Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96v-UDOATN3YQ8N4sa3LMcGYJJk47ACwo1eDDlCIquVO_vTouv9ZecAjrFTunF2nDKxFZN8qwtXhMTbdKzr3PEWTRMws7fEebTEa_WsfbFO-Rom4sCBR_b8gU8xvhTMuj-q01U7nKEpfybck0f45iExRsBC8Q?testcase_id=5617733819695104 <li value=-2147483648> Additional requirements: Requires HTTP Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 21 2016
From findit tool: No CL in the regression range changes the crashed files. The result is the blame information. Author: esprehn Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/7dc7c0fc073b84f3050726b52ceec1bbcb304ba3 Time: Fri Jun 10 04:35:59 2016 The CL last changed line 74 of file StringToNumber.cpp, which is stack frame 0. Author: barraclough@apple.com Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/defe34952ab681361c5f16237dc1bcbcd62be4ad Time: Tue Apr 20 19:28:41 2010 The CL last changed line 104 of file AtomicString.h, which is stack frame 1. Author: commit-queue@webkit.org Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/24a9f457ec23fb7ebc4d71bfa52dd874a3bd5221 Time: Thu Dec 08 01:44:52 2011 The CL last changed line 128 of file HTMLLIElement.cpp, which is stack frame 2. Author: commit-queue@webkit.org Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/24a9f457ec23fb7ebc4d71bfa52dd874a3bd5221 Time: Thu Dec 08 01:44:52 2011 The CL last changed line 119 of file HTMLLIElement.cpp, which is stack frame 3. Author: bugsnash Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/f6983c1d159b61c65deeb6b88e8e12647bea22a9 Time: Tue Jul 19 05:48:03 2016 The CL last changed line 755 of file ContainerNode.cpp, which is stack frame 4. Author: bugsnash Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/f6983c1d159b61c65deeb6b88e8e12647bea22a9 Time: Tue Jul 19 05:48:03 2016 The CL last changed line 1567 of file Element.cpp, which is stack frame 5. Author: bugsnash Project: chromium Changelist: https://chromium.googlesource.com/chromium/src//+/f6983c1d159b61c65deeb6b88e8e12647bea22a9 Time: Tue Jul 19 05:48:03 2016 The CL last changed line 755 of file ContainerNode.cpp, which is stack frame 6. Suspected Project: chromium
,
Jul 27 2016
ClusterFuzz has detected this issue as fixed in range 407167:408039. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5617733819695104 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> blink::HTMLLIElement::parseValue blink::HTMLLIElement::attachLayoutTree Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:408039 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96v-UDOATN3YQ8N4sa3LMcGYJJk47ACwo1eDDlCIquVO_vTouv9ZecAjrFTunF2nDKxFZN8qwtXhMTbdKzr3PEWTRMws7fEebTEa_WsfbFO-Rom4sCBR_b8gU8xvhTMuj-q01U7nKEpfybck0f45iExRsBC8Q?testcase_id=5617733819695104 <li value=-2147483648> Additional requirements: Requires HTTP See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 28 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mummare...@chromium.org
, Jul 19 2016Owner: esprehn@chromium.org
Status: Assigned (was: Available)