From findit tool:

Author: aleksandar.stojiljkovic
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f32e119c6c7ec9e98298fcd43a285b735f021952
Time: Fri Jun 17 06:42:39 2016
The CL last changed line 269 of file DeferredImageDecoder.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Image 

This isn't a regression.  The problem is that BMPImageReader::readInfoHeader() flips the sign of negative heights, which doesn't work for INT_MIN.

We already reject images with widths/heights >= 1 << 16 in isInfoHeaderValid(), so we're going to want to reject this image anyway.  So we should just make the code there return m_parent->setFailed() for INT_MIN.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cbe3909f4f64e0f00e2eea6898395ece4672c913

commit cbe3909f4f64e0f00e2eea6898395ece4672c913
Author: aleksandar.stojiljkovic <aleksandar.stojiljkovic@intel.com>
Date: Fri Aug 19 13:29:26 2016

Fix integer overflow (-INT_MIN) in blink::BMPImageReader::readInfoHeader

BUG= 638445 

Review-Url: https://codereview.chromium.org/2248383002
Cr-Commit-Position: refs/heads/master@{#413124}

[add] https://crrev.com/cbe3909f4f64e0f00e2eea6898395ece4672c913/third_party/WebKit/LayoutTests/fast/images/resources/1xint32_min.bmp
[modify] https://crrev.com/cbe3909f4f64e0f00e2eea6898395ece4672c913/third_party/WebKit/Source/platform/image-decoders/bmp/BMPImageDecoderTest.cpp
[modify] https://crrev.com/cbe3909f4f64e0f00e2eea6898395ece4672c913/third_party/WebKit/Source/platform/image-decoders/bmp/BMPImageReader.cpp

ClusterFuzz has detected this issue as fixed in range 413122:413173.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6374870986522624

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::BMPImageReader::readInfoHeader
  blink::BMPImageReader::processInfoHeader
  blink::BMPImageReader::decodeBMP
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=413122:413173

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96SmV10sfc12JSa8VIwWmK-oJDtYx30eGuvv_dqk4YALyN-luAQ5p6v3ZsZ9IPkz-YZwk15A7LNDhdrB7RgfCUKxL1CdIswTDfLKsxVPhaVUO2XhIGf6HSzCr47NMXW-4YTO0CBWnR8d4_78l2LA1OQtxTtsA?testcase_id=6374870986522624

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot