Integer-overflow in blink::IntRect::maxY |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6285406146658304 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::IntRect::maxY blink::parseOptions blink::ImageBitmap::ImageBitmap Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=371316:371341 Minimized Testcase (0.27 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96c3gjrSxHh0Dh1qQb3fXZq6cEDplw5eIJvsw4_qwetQypCA1PrgH5hNxgYlrWMN89iQ8zFLEzO_1-M9a8Ooi3ONa47-3zP5cA4OnufTTooexFTlUT7_IRLMnJwVSUypAjzPF62BeY6S7Wu8A_fxhA3ouq6sg?testcase_id=6285406146658304 <script> var bgcanvas = document.createElement('canvas'); var greenSquareURL = bgcanvas.toDataURL(); var img = new Image(); img.onload = imageLoaded; img.src = greenSquareURL; function imageLoaded() { createImageBitmap(img, -50, 2147483632, 4065084245, 100); } </script> Issue manually filed by: durga.behera See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 11 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 28 2016
This is not a dangerous problem. |
||||
►
Sign in to add a comment |
||||
Comment 1 by durga.behera@chromium.org
, Aug 22 2016Labels: Te-Logged M-53
Owner: sunil.ra...@samsung.com
Status: Assigned (was: Untriaged)