Issue metadata
Sign in to add a comment
|
Integer-overflow in blink::WheelEvent::WheelEvent |
||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4892112573431808 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::WheelEvent::WheelEvent blink::WheelEvent::create blink::V8WheelEvent::constructorCallback Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (5.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ue49pfsVmu4-n-lNXq6Sxqtxc_jxv_d-jAQ3KvNEAT-16GjZkjlPicsbF3umPYWSjJf7vC1HGE9hUTAABgRnHfS45P-a1d-Zlk2XfxsiDulEyRzUmCNCVvVK7HTLcOcVXQ6WNXhgrx_-5r2uQKEW-_NSZUA?testcase_id=4892112573431808 Issue manually filed by: ranjitkan See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f352827c452f7d6b493cd03cc367221368912879 commit f352827c452f7d6b493cd03cc367221368912879 Author: bashi <bashi@chromium.org> Date: Tue Aug 16 08:43:15 2016 Avoid integer overflow in WheelEvent constructor Don't negate when long values are LONG_MIN BUG= 634794 Review-Url: https://codereview.chromium.org/2246923003 Cr-Commit-Position: refs/heads/master@{#412194} [modify] https://crrev.com/f352827c452f7d6b493cd03cc367221368912879/third_party/WebKit/Source/core/events/WheelEvent.cpp
,
Aug 17 2016
ClusterFuzz has detected this issue as fixed in range 412185:412197. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4892112573431808 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::WheelEvent::WheelEvent blink::WheelEvent::create blink::V8WheelEvent::constructorCallback Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=412185:412197 Minimized Testcase (5.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ue49pfsVmu4-n-lNXq6Sxqtxc_jxv_d-jAQ3KvNEAT-16GjZkjlPicsbF3umPYWSjJf7vC1HGE9hUTAABgRnHfS45P-a1d-Zlk2XfxsiDulEyRzUmCNCVvVK7HTLcOcVXQ6WNXhgrx_-5r2uQKEW-_NSZUA?testcase_id=4892112573431808 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 17 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ranjitkan@chromium.org
, Aug 5 2016Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: bashi@chromium.org
Status: Assigned (was: Untriaged)