Author: hiroshige
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a4581858f57e20724f9b8a3166ef9c864f79a758
Time: Sat Mar 26 00:50:09 2016
The CL last changed line 74 of file LayoutImageResource.cpp, which is stack frame 3.

@hiroshige: Assigning to you, request you to please take a look into it. Please help us to reassign if not with respect to your change.

Thanks.!

This looks like when opening an SVG of size 59432 * 66035, the area overflows.

This seems to exist since very long ago.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/18614431f3b09bf247aaaece45839a1739affc01

commit 18614431f3b09bf247aaaece45839a1739affc01
Author: hiroshige <hiroshige@chromium.org>
Date: Mon Aug 08 16:36:48 2016

Fix integer overflow in FrameView::m_visuallyNonEmptyPixelCount

BUG= 634819 

Review-Url: https://codereview.chromium.org/2218003003
Cr-Commit-Position: refs/heads/master@{#410380}

[modify] https://crrev.com/18614431f3b09bf247aaaece45839a1739affc01/third_party/WebKit/Source/core/frame/FrameView.h

ClusterFuzz has detected this issue as fixed in range 410349:410400.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6751769759842304

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::FrameView::incrementVisuallyNonEmptyPixelCount
  blink::LayoutImage::imageChanged
  blink::ImageResource::addObserver
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410349:410400

Minimized Testcase (0.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940VpYiSB60jxIGKfzRQwJWOnG-Z4tBP5W9q1EeIVSs_BKMPQmsNToBIwHyOSJmLgapUSWLQ1D2mLcxqOgrXmBC6SaACZPbambllOjFYpIrOyeF4UmBBSW32IGOqKFQzzPYHIs5hPyHYvDfe4bTRIjrVpGSIg?testcase_id=6751769759842304

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/924bbbbfed37fa4c08187bdc137aeed76e8b96ec

commit 924bbbbfed37fa4c08187bdc137aeed76e8b96ec
Author: hiroshige <hiroshige@chromium.org>
Date: Fri Sep 30 06:10:07 2016

Test that FrameView::incrementVisuallyNonEmptyPixelCount() doesn't overflow

This CL adds an unit test for https://codereview.chromium.org/2218003003/ that
would have failed before that CL.

BUG= 634819 

Review-Url: https://codereview.chromium.org/2229753002
Cr-Commit-Position: refs/heads/master@{#422040}

[modify] https://crrev.com/924bbbbfed37fa4c08187bdc137aeed76e8b96ec/third_party/WebKit/Source/core/frame/FrameViewTest.cpp
[modify] https://crrev.com/924bbbbfed37fa4c08187bdc137aeed76e8b96ec/third_party/WebKit/Source/web/tests/WebMeaningfulLayoutsTest.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot