
Issue 634824

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Integer-overflow in cc::PictureLayerImpl::AppendQuads

Project Member Reported by ClusterFuzz, Aug 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5840571006713856

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerImpl::AppendQuads
  cc::LayerTreeHostImpl::CalculateRenderPasses
  cc::LayerTreeHostImpl::PrepareToDraw
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409223

Minimized Testcase (0.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96KhPBJzGktOjgVocp6oD7ODA0LcYtFXJ30SGp14HprIy9hBvCespiQ35okrKWIiY5rHH2GAdzz0zY2ynerYUnZbWsDRfHuDRsHaJbnH_GKG0TFDRfpsY7jKfgZCauuy1RIFFtLmZfSu3MoKMptb2BEkaIamQ?testcase_id=5840571006713856

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: sadrul@chromium.org
Status: Assigned (was: Untriaged)
Author: sadrul
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/32d1097c5645c0e1b0f49f93502d4f4701b67cec
Time: Sat Jul 30 05:26:21 2016
Line 917 of file layer_tree_host_impl.cc, which potentially caused the crash, is changed in this CL (frame #1, "cc::LayerTreeHostImpl::CalculateRenderPasses").
Minimum distance from crash line to modified line: 0 (file: layer_tree_host_impl.cc, crashed on: 917, modified: 917).

@sadrul: Assigning to you; please take a look into it. Please help us reassign it if it is not related to your change.

Thanks!
Cc: sadrul@chromium.org enne@chromium.org
Owner: danakj@chromium.org
--> danakj@

Maybe the code should use visible_geometry_rect.size.GetArea() (which I think in this case would CHECK instead)?
Owner: vmp...@chromium.org

Comment 4 by bugdroid1@chromium.org, Aug 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1127cbf181298f0eadfe8d7582a6b0a97c6922a8

commit 1127cbf181298f0eadfe8d7582a6b0a97c6922a8
Author: vmpstr <vmpstr@chromium.org>
Date: Thu Aug 11 23:58:49 2016

cc: Remove area calculation overflow in PictureLayerImpl::AppendQuads.

This patch ensures that we don't overflow integer bounds when
calculating area for various reporting. Note that the types in which
the value is stored is already int64_t; it's just a matter of ensuring
the temporary calculation on the rhs also uses 64 bit ints.

R=danakj, enne
BUG= 634824 
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review-Url: https://codereview.chromium.org/2239883002
Cr-Commit-Position: refs/heads/master@{#411457}

[modify] https://crrev.com/1127cbf181298f0eadfe8d7582a6b0a97c6922a8/cc/layers/picture_layer_impl.cc
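
The overflow the commit message describes, as an added example that is not Chromium's code: an `int * int` product is evaluated in 32-bit arithmetic and only the finished (already wrapped) result is stored into an `int64_t`, so widening the destination alone does not help; each operand has to be widened before the multiply. The `RectSize` struct and every function name below are constructed stand-ins, and the checked variant only assumes that the `GetArea()` path mentioned in comment 3 amounts to "fail instead of wrap"; it is not that function.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Constructed stand-in for a rect with int dimensions (like gfx::Rect).
struct RectSize {
  int width;
  int height;
};

// The shape of the bug: the multiply happens in int (signed overflow is
// undefined behaviour, which is what UBSan reported), and only the wrapped
// result is widened on assignment. Defined for comparison; never called here.
int64_t AreaNarrowThenWiden(const RectSize& s) {
  int64_t area = s.width * s.height;  // overflow occurs before the widening
  return area;
}

// The commit's approach: widen each operand first so the multiply itself
// runs in 64-bit arithmetic. Any int*int product fits in int64_t.
int64_t AreaWide(const RectSize& s) {
  return static_cast<int64_t>(s.width) * static_cast<int64_t>(s.height);
}

// Checked variant in the spirit of comment 3: when the caller needs an int
// area, refuse (std::nullopt) rather than hand back a wrapped value.
// Assumed semantics only; Chromium's GetArea() is said to CHECK instead.
std::optional<int> CheckedAreaInt(const RectSize& s) {
  const int64_t wide = AreaWide(s);
  if (wide > std::numeric_limits<int>::max() ||
      wide < std::numeric_limits<int>::min()) {
    return std::nullopt;
  }
  return static_cast<int>(wide);
}

// "Area for various reporting": accumulating many per-tile areas into an
// int64_t counter stays exact as long as every term is computed wide.
int64_t TotalArea(const RectSize* sizes, size_t count) {
  int64_t total = 0;
  for (size_t i = 0; i < count; ++i) {
    total += AreaWide(sizes[i]);
  }
  return total;
}

int main() {
  // Constructed inputs: a 65536x65536 rect has area 2^32, which does not fit
  // in a 32-bit int but is exact once the multiply is done in 64 bits.
  const RectSize big = {65536, 65536};
  const RectSize small = {1000, 1000};
  std::printf("wide area of big rect: %lld\n",
              static_cast<long long>(AreaWide(big)));
  std::printf("checked int area of big rect fits: %s\n",
              CheckedAreaInt(big).has_value() ? "yes" : "no");
  const RectSize tiles[] = {big, small};
  std::printf("total area: %lld\n",
              static_cast<long long>(TotalArea(tiles, 2)));
  return 0;
}
```

Running the original pattern under UBSan is what produced the report above; the widened version is the behaviour the fix restores, and the checked version is the alternative raised in comment 3, which turns a silent wrap into an explicit failure at the call site.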

Comment 5 by vmp...@chromium.org, Aug 12 2016

Status: Fixed (was: Assigned)

Comment 6 by ClusterFuzz, Aug 13 2016

ClusterFuzz has detected this issue as fixed in range 411432:411522.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5840571006713856

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerImpl::AppendQuads
  cc::LayerTreeHostImpl::CalculateRenderPasses
  cc::LayerTreeHostImpl::PrepareToDraw
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=407167:409223
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411432:411522

Minimized Testcase (0.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96KhPBJzGktOjgVocp6oD7ODA0LcYtFXJ30SGp14HprIy9hBvCespiQ35okrKWIiY5rHH2GAdzz0zY2ynerYUnZbWsDRfHuDRsHaJbnH_GKG0TFDRfpsY7jKfgZCauuy1RIFFtLmZfSu3MoKMptb2BEkaIamQ?testcase_id=5840571006713856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
