Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0e20bd123062a6bc463391c8970b24936983c466
Time: Mon Jun 27 21:36:08 2016
The CL last changed line 469 of file LayoutBlockFlow.cpp, which is stack frame 6.

ClusterFuzz has detected this issue as fixed in range 406657:406809.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5482032784474112

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutListMarker::updateMargins
  blink::LayoutBox::minPreferredLogicalWidth
  blink::LayoutListMarker::layout
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=381067:381276
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=406657:406809

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96j7x7Cb_-ZgfJ4zWeclyQuMPs0beFvOM3LoeYbpcN4WLHFZeJiSVDMYwI1DOgz1WB-hvqPkTP49OdIHHcxVatGZW9YU01imRxp8w-TuK_7kZx4INyFvK26WX_M4uMEVYu0unneBL8Fl049Qk-Q4HDZikekZQ?testcase_id=5482032784474112
<div id=result><div id=iframe>
<style>
.c12 { richness: 12%; list-style-type: persian; letter-spacing: -49108.3945314em;</style><script>
setTimeout("tCFcrash()");
iframe; delete iframe; if (typeof result != "undefined") iframe = result; forceGC(); 
function tCFcrash() {
iframe.setAttribute("class", "c12");
result.style.display = "list-item"
window.scrollTo(-7, 19);
iframe.style.zoom = 22;
}</script>


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot