New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 634486 link

Starred by 1 user
Status: WontFix
Owner:
wangxianzhu@chromium.org
Closed: Aug 2016
Cc:
mummare...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in blink::IntPoint::move

Project Member Reported by ClusterFuzz, Aug 4 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263336596045824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntPoint::move
  blink::FrameView::convertFromContainingWidget
  blink::Widget::convertFromRootFrame
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Ur19ZRsZdF1aUa8YtjkIeN76zHimBd1aejDZ0nv5RzWMtKc_JyIBg9EeTDKwCmmGkUL5p9PTcwNAm-kAYLcznV-d2kT-Nu1pwlzRUE2VDIOLz5R8lWb1yG9FTqdcOap4qIpMoaei_2g50PNSP3IJUIcwS3g?testcase_id=5263336596045824
LhNhd C
<script>
  document.body.appendChild(document.createElement('iframe'));
</script>
<style>
@keyframes cfpulse1 { 0% { opacity: 0.0003;goldenrod);  } 
 100% { opacity: 0.8975;  } }
* { animation-name: cfpulse72; motion: path("M 6 -2299370210 h 84 v 41") 55807rad 24px;


Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Aug 4 2016

Labels: findit-wrong Te-Logged M-53
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2e9667d6597f5c1cbf25b0cc7f89a687502927b5
Time: Mon Jun 06 19:39:11 2016
The CL last changed line 1119 of file FrameView.cpp, which is stack frame 6.

Comment 2 by wangxianzhu@chromium.org, Aug 4 2016

Status: WontFix (was: Assigned)
This integer overflow is not harmful.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by ClusterFuzz, Dec 14 2016 

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263336596045824

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntPoint::move
  blink::FrameView::convertFromContainingWidget
  blink::Widget::convertFromRootFrame
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Ur19ZRsZdF1aUa8YtjkIeN76zHimBd1aejDZ0nv5RzWMtKc_JyIBg9EeTDKwCmmGkUL5p9PTcwNAm-kAYLcznV-d2kT-Nu1pwlzRUE2VDIOLz5R8lWb1yG9FTqdcOap4qIpMoaei_2g50PNSP3IJUIcwS3g?testcase_id=5263336596045824
LhNhd C
<script>
  document.body.appendChild(document.createElement('iframe'));
</script>
<style>
@keyframes cfpulse1 { 0% { opacity: 0.0003;goldenrod);  } 
 100% { opacity: 0.8975;  } }
* { animation-name: cfpulse72; motion: path("M 6 -2299370210 h 84 v 41") 55807rad 24px;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment