No CL in the regression range changes the crashed files. The result is the blame information.

Author: darin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ba351587780ae54f82ce5af943c203b0bc10c8c4
Time: Mon Jan 30 09:03:14 2006
The CL last changed line 155 of file IntRect.h, which is stack frame 0.

Author: darin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ba351587780ae54f82ce5af943c203b0bc10c8c4
Time: Mon Jan 30 09:03:14 2006
The CL last changed line 162 of file IntRect.h, which is stack frame 1.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d73c319b1be14ce900c8ecc6d61b75be68f5f02c
Time: Mon Aug 31 19:11:38 2015
The CL last changed line 241 of file ObjectPainter.cpp, which is stack frame 2.

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7cbfbcef3ed11feafc3f77c0225b73008abb6d85
Time: Fri Jan 15 02:14:03 2016
The CL last changed line 45 of file ReplacedPainter.cpp, which is stack frame 3.

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/93a153d73215f3cabae01da0a1ebd48f7913e408
Time: Sat Sep 27 01:12:07 2014
The CL last changed line 115 of file LayoutReplaced.cpp, which is stack frame 4.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8dc679ff9c024183bc1f651d9660b73de5160859
Time: Wed May 20 18:11:20 2015
The CL last changed line 715 of file PaintLayerPainter.cpp, which is stack frame 5.

Author: pdr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8b1bccd2aa7837bcd52b217c6b32f2a507240374
Time: Wed Jan 20 20:24:00 2016
The CL last changed line 781 of file PaintLayerPainter.cpp, which is stack frame 6.

Suspected Project: chromium

Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

We can fix these one-by-one but I think it'll be best to fix the core problem by using saturated arithmetic in IntRect.

ClusterFuzz has detected this issue as fixed in range 419387:419391.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6190332540878848

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::inflateX
  blink::ObjectPainter::paintOutline
  blink::ReplacedPainter::paint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=419387:419391

Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjUu4mciCCnVm_-MfHdci_nhqPaFWh0p-WhbkSu20dCGseWccrRof_WE987oyD43y9GcQPoCUNiUuLt5_BlVzxnN50D3O0vcPKKcPo0lzQq_GdJ6GZ_wzeGDcIrjHbYKiG6A2pdSUgS4o2yUqu81E3U0FQA?testcase_id=6190332540878848

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot