New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634177 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::NinePieceImageGrid::NinePieceImageGrid

Project Member Reported by ClusterFuzz, Aug 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5112375340695552

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::NinePieceImageGrid::NinePieceImageGrid
  blink::NinePieceImagePainter::paint
  blink::BoxPainter::paintNinePieceImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=372506:372545

Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94AA3pmsAyMiMQSUI6awBcki3PQN7G98k3VtkXLiwYqnNwW-H0xyTkBxu2WdlPPr25P3mJJkBlphLYO9JXLJ9YAnHDsEhBR0rNj2oxWgC3-cMgCQyAQrlbvFjQRFH_TBPhhQg1bevhvSH9bPXkXvQEShUI9ZA?testcase_id=5112375340695552

Additional requirements: Requires HTTP

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Paint
Labels: Te-Logged M-53
Owner: le...@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files.

Author: leviw
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/9dbe383187aae9b2017bec82d9d5e715b157933a
Time: Sat Jan 30 06:15:00 2016
File NinePieceImageGrid.cpp is changed in this cl (and is part of stack frame #0, "blink::NinePieceImageGrid::NinePieceImageGrid")
Minimum distance from crash line to modified line: 37. (file: NinePieceImageGrid.cpp, crashed on: 52, modified: 15).

Suspected Project: chromium
Suspected Component: Blink>Paint

Comment 2 by pdr@chromium.org, Aug 4 2016

Owner: ----
Status: Available (was: Assigned)
Marking as available for the paint team. Leviw sadly no longer works on Chrome.
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Pri-2
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Available)
ClusterFuzz testcase 5112375340695552 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment