New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 630392 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
le...@chromium.org
mummare...@chromium.org
e...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::CounterDirectives::combinedValue

Project Member Reported by ClusterFuzz, Jul 21 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6535162993311744

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::CounterDirectives::combinedValue
  blink::makeCounterNodeIfNeeded
  blink::findPlaceForCounter
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (2.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv943zjc6mnItIh--pJr-xUE7vP7-VA0Cg4GSjdjt3Pi24LmUtcwV1RGhbWVNIP2ITaKeLzmAtFN-J3j00j4IRz7D5CEv1ijJHTUp8GBg1t3zmVzpJU8IuH4mherAg9yW1wxYrswNwYSrADVCk3rO7Xq6uvYSIA?testcase_id=6535162993311744

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jul 21 2016

Components: Tools>Test>FindIt>WrongResult
Labels: Te-Logged M-52
Owner: le...@chromium.org
Status: Assigned (was: Untriaged)

Author: leviw
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f1ded8f72e6c34c6561ba5d95ec7cff42dd82fd1
Time: Tue Feb 16 22:31:37 2016
The CL last changed line 410 of file LayoutCounter.cpp, which is stack frame 5.

Author: leviw
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f1ded8f72e6c34c6561ba5d95ec7cff42dd82fd1
Time: Tue Feb 16 22:31:37 2016
The CL last changed line 218 of file LayoutCounter.cpp, which is stack frame 3.

Comment 2 by wkorman@chromium.org, Aug 2 2016

Cc: le...@chromium.org e...@chromium.org
Components: -Tools>Test>FindIt>WrongResult Blink>Layout
Owner: ----
Status: Available (was: Assigned)
Unassigning Levi, moving to Layout for consideration.

Comment 3 by e...@chromium.org, Aug 2 2016

Labels: -Pri-1 Pri-2
No blink changes (other than an unrelated NotificationEvent change) in the regression range. Requesting new bisect run.

Not a security issue and not affecting real world websites; lowering priority.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Available)
ClusterFuzz testcase 6535162993311744 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment