
Issue 630513

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Integer-overflow in gfx::Point::Offset (via RenderViewHostImpl::OnFocusedNodeChanged)

Project Member Reported by ClusterFuzz, Jul 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5058662892830720

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::Point::Offset
  content::RenderViewHostImpl::OnFocusedNodeChanged
  bool IPC::MessageT<ViewHostMsg_FocusedNodeChanged_Meta, std::tuple<bool, gfx::Re
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=402485:402737

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96z5JeO3jabuHDCQSXQWW4XGy10DLRhpreJU8DyBB6B0e-b9sR1S9nh07tdDZTpf4emPaZoA81D1HBnwAQ8rw7lEHo2tJ9-j2dO-eYFToFq9Hecg2kW9OxiQi082rtNS90K2qcUtEhAQELK-w0iM_eL37ZNY_1V7kA9AmzKz0hL1pUb7tw?testcase_id=5058662892830720

Additional requirements: Requires HTTP

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: -Pri-1 Findit-for-crash Te-Logged Pri-2
Owner: mdempsky@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: mdempsky
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8a5190449d48e06efa581390426dfa3bb6750f4c
Time: Tue Feb 09 05:41:47 2016
The CL last changed line 26 of file ipc_message_templates.h, which is stack frame 3.

Suspected Project: chromium
Suspected Component: Internals>Core
====================================
mdempsky@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!
Owner: brajkumar@chromium.org
This is almost certainly not an issue with IPC.  Please find someone else for triage.
Labels: Needs-triage
Owner: ----
Status: Available (was: Assigned)
Unable to find the actual suspect for this issue, so adding the Needs-Triage label.
Components: Blink
Components: -Blink Blink>Focus
Status: Untriaged (was: Available)
Summary: Integer-overflow in gfx::Point::Offset (via RenderViewHostImpl::OnFocusedNodeChanged) (was: Integer-overflow in gfx::Point::Offset)
Cc: brajkumar@chromium.org
Owner: ekaramad@chromium.org
Status: Assigned (was: Untriaged)
Suspect might be:

Changelist: https://chromium.googlesource.com/chromium/src//+/fcce0888975a8ad65fbeeeec78e52f2246b86020

ekaramad@, could you please look into this? Thanks in advance.
Cc: kenrb@chromium.org
I don't think it can be related to my change above. The thing in common between this bug and issue 634801 is the view bounds and coordinate conversions. I will take a look at this later.

Also cc-ing kenrb@ for some input on potential issues.
Project Member Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 9 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5058662892830720 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: Blink>HTML>Focus
Components: -Blink>Focus