
Issue 630572


Issue metadata

Status: Verified
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in gfx::Rect::right

Project Member Reported by ClusterFuzz, Jul 22 2016

Issue description

Labels: -Pri-1 M-54 Findit-for-crash Te-Logged Pri-2
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: vmpstr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b22628fb3d8c6fb32e4a50a6770519153829ce3c
Time: Tue Mar 15 18:51:34 2016
The CL last changed line 961 of file tile_manager.cc, which is stack frame 4.

Suspected Project: chromium
======================
vmpstr@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

Comment 2 by vmp...@chromium.org, Jul 22 2016

Cc: danakj@chromium.org ericrk@chromium.org enne@chromium.org
Components: Internals>Compositing>Rasterization
It's unlikely that the patch in question is directly responsible for the regression, but this nonetheless needs to be fixed. 

Comment 3 by bugdroid1@chromium.org, Aug 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3127243212fe6c1e075b7d1888d900ba7860e7ce

commit 3127243212fe6c1e075b7d1888d900ba7860e7ce
Author: vmpstr <vmpstr@chromium.org>
Date: Wed Aug 10 20:31:12 2016

cc: Do a safe intersect when gathering images.

This patch ensures that we don't overflow int bounds when adding a
discardable image into the rtree. We know that all of it is bound by
the canvas size (ie, max layer size). So, we can do an intersect to
restrict the bounds. Furthermore, use custom intersect code because
gfx::Rect::Intersect uses right() and bottom() which will also trigger
an overflow.

R=enne
BUG= 630572 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review-Url: https://codereview.chromium.org/2229603002
Cr-Commit-Position: refs/heads/master@{#411136}

[modify] https://crrev.com/3127243212fe6c1e075b7d1888d900ba7860e7ce/cc/playback/discardable_image_map.cc
[modify] https://crrev.com/3127243212fe6c1e075b7d1888d900ba7860e7ce/cc/playback/discardable_image_map_unittest.cc
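The commit message above describes the fix only in words. The following C++ example is added here for illustration and is not Chromium code: `Rect`, `EdgeOverflows` and `ClampToCanvas` are hypothetical names that mimic the gfx::Rect layout (origin plus size, all int). It shows why `x + width` evaluated in int is the overflow, and how widening the edge arithmetic to int64_t and intersecting with a bounded canvas keeps every stored field in range without ever calling right() or bottom() on the unbounded rect.

```cpp
#include <algorithm>
#include <cstdint>
#include <limits>

// Hypothetical minimal rectangle with the same layout idea as gfx::Rect:
// origin plus size, all stored as int. Not Chromium's class.
struct Rect {
  int x, y, width, height;
  // The risky accessors: x + width is evaluated in int, so a large origin
  // plus a large size wraps (signed overflow, which UBSan flags).
  int right() const { return x + width; }
  int bottom() const { return y + height; }
};

// True when right() or bottom() of this rect would overflow int. The check
// itself runs in int64_t so it cannot overflow.
bool EdgeOverflows(const Rect& r) {
  const int64_t kMax = std::numeric_limits<int>::max();
  const int64_t kMin = std::numeric_limits<int>::min();
  int64_t right = int64_t{r.x} + r.width;
  int64_t bottom = int64_t{r.y} + r.height;
  return right > kMax || right < kMin || bottom > kMax || bottom < kMin;
}

// Intersect `r` with a bounded canvas without calling right()/bottom() on
// `r`. Edges are computed in int64_t, so no intermediate can wrap. The result
// lies inside `canvas`; as long as the canvas itself has non-overflowing
// edges (the caller's responsibility), every field of the result fits in int.
Rect ClampToCanvas(const Rect& r, const Rect& canvas) {
  int64_t left = std::max<int64_t>(r.x, canvas.x);
  int64_t top = std::max<int64_t>(r.y, canvas.y);
  int64_t right = std::min<int64_t>(int64_t{r.x} + r.width,
                                    int64_t{canvas.x} + canvas.width);
  int64_t bottom = std::min<int64_t>(int64_t{r.y} + r.height,
                                     int64_t{canvas.y} + canvas.height);
  if (left >= right || top >= bottom)
    return Rect{};  // no overlap: empty rect, all fields zero
  return Rect{static_cast<int>(left), static_cast<int>(top),
              static_cast<int>(right - left), static_cast<int>(bottom - top)};
}
```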


Comment 4 by ClusterFuzz, Aug 11 2016

ClusterFuzz has detected this issue as fixed in range 411126:411158.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5570688291438592

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gfx::Rect::right
  gfx::Rect::Intersects
  cc::RTree::Search
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=395897:395914
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411126:411158

Minimized Testcase (1.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96rrseBRmbgbDT1IhTwJMJtcDtTADi-bHcCZ8WRiDj0MhZzrynn_aoRgt9WXprPm5UqikyEb7DsbBqRIrN-ps55iiudwlimU3jYyA2MqHnvQ3-lA4RnH0Ikh1y6o2TWmTxMmjtYcl92WVxGCIQs_3Xf0tUafA?testcase_id=5570688291438592

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz, Aug 11 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
