Issue 629944 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 628865
Owner:	----
Closed:	Jul 2016
Cc:	█ mummare...@chromium.org style-bugs@google.com
Components:	Blink>CSS
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Te-Logged Stability-Crash Reproducible M-52 Clusterfuzz Stability-UndefinedBehaviorSanitizer wrong-triage Test-Predator-Wrong

Integer-overflow in int WTF::toIntegralType<int, unsigned char>

Project Member Reported by ClusterFuzz, Jul 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6441203403063296

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::CSSSelectorParser::consumeANPlusB
  blink::CSSSelectorParser::consumePseudo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9776UMEPX7USTJhwXjly56i5zxkCAuFLmBoGl5zx2GQK_1YXJmz5GsPsyxC74XfUgSFlyTmjrqT_7jTi4Yxfqq_69LleKnjG0O0dA5Q62cCdDLVjqfpJJWXVagIrP1JmeTedPTYZ9IWYXiB4Dx-a6ZiUUFAQw?testcase_id=6441203403063296
<style>no count <= 1 can match anything */
li:nth-last-child(2147483647) {
    }
li:nth-last-child(-2147483648n-2147483648) {


Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jul 20 2016

Components: Tools>Test>FindIt>WrongResult
Labels: Te-Logged M-52
Owner: yutak@chromium.org

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 308 of file CSSSelectorParser.cpp, which is stack frame 4.

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 178 of file CSSSelectorParser.cpp, which is stack frame 5.

Author: Yuta Kitamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/540e575dc43e718821bc4ac682735a9631e33c1f
Time: Mon Jun 20 11:01:49 2016
The CL last changed line 110 of file CSSSelectorParser.cpp, which is stack frame 6.

Comment 2 by mummare...@chromium.org, Jul 20 2016

Mergedinto: 629932
Status: Duplicate (was: Available)

Comment 3 by wangxianzhu@chromium.org, Jul 20 2016

Status: Assigned (was: Duplicate)

This one is different from  bug 629932 .

Comment 4 by yutak@chromium.org, Jul 21 2016

Components: Blink>CSS
Labels: wrong-triage
Owner: ----
Status: Untriaged (was: Assigned)

Comment 5 by timloh@chromium.org, Jul 21 2016

Mergedinto: -629932 628865
Status: Duplicate (was: Untriaged)

Comment 6 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 629944 link

Issue metadata

Integer-overflow in int WTF::toIntegralType<int, unsigned char>

Issue description

Comment 1 by mummare...@chromium.org, Jul 20 2016

Comment 1 Deleted

Comment 2 by mummare...@chromium.org, Jul 20 2016

Comment 2 Deleted

Comment 3 by wangxianzhu@chromium.org, Jul 20 2016

Comment 3 Deleted

Comment 4 by yutak@chromium.org, Jul 21 2016

Comment 4 Deleted

Comment 5 by timloh@chromium.org, Jul 21 2016

Comment 5 Deleted

Comment 6 by kateso...@chromium.org, Oct 18 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Comment 7 Deleted

Sign in to add a comment