Issue 639804 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 634803
Owner:	bokan@chromium.org
Closed:	Aug 2016
Components:	Blink>Layout>Scrollbars
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Te-Logged Stability-Crash Reproducible M-53 Clusterfuzz Stability-UndefinedBehaviorSanitizer Test-Predator-Wrong

Integer-overflow in blink::Region::Shape blink::Region::Shape::shapeOperation<blink::Region::Shape::

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5155877026004992

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::Region::Shape blink::Region::Shape::shapeOperation<blink::Region::Shape::
  blink::Region::unite
  blink::ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=379046:379163

Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv959sGJR1R0cbzwjTJ8tGpFcFdVTC2WFHS4l2AOgFzMhElUUHZ0StnA3O9eBZCzCuw2ZEvQhLLf30jBV-6Ovz5qNrPjPgCtgtoriZjiOYTlME9RfTh6dYENlnWuqiLWhOT8OXQoZwyhZzq1nIoxooJ2uQTycdA?testcase_id=5155877026004992

Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by durga.behera@chromium.org, Aug 22 2016

Components: Tools>Test>FindIt>WrongResult Blink>Layout>Scrollbars
Labels: Te-Logged M-53
Owner: eseckler@chromium.org
Status: Assigned (was: Untriaged)

Suspected CLs:
===============
No CL in the regression range changes the crashed files. The result is the blame information.

Author: andersca@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4094d08cb24f87689fd2524bc1f62e052b61edae
Time: Tue Jan 11 23:40:26 2011
The CL last changed line 419 of file Region.cpp, which is stack frame 0.

Author: andersca@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4094d08cb24f87689fd2524bc1f62e052b61edae
Time: Tue Jan 11 23:40:26 2011
The CL last changed line 512 of file Region.cpp, which is stack frame 1.

Author: andersca@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4094d08cb24f87689fd2524bc1f62e052b61edae
Time: Tue Jan 11 23:40:26 2011
The CL last changed line 594 of file Region.cpp, which is stack frame 2.

Author: miletus@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/c0cbafaf65dc4fc0ee22df128e71d9b97125123f
Time: Tue May 07 01:11:51 2013
The CL last changed line 780 of file ScrollingCoordinator.cpp, which is stack frame 3.

Author: dcheng@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b5f0d23cf0c138135599a28daf9b9ed78f511976
Time: Sun Jun 15 06:26:37 2014
The CL last changed line 174 of file ScrollingCoordinator.cpp, which is stack frame 4.

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/becaeea6b0a554003b1b748e7c88e65546161768
Time: Fri Nov 20 04:28:11 2015
The CL last changed line 2611 of file FrameView.cpp, which is stack frame 5.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1b611663b6d6b3ffc7122d390254093f24dc8d73
Time: Tue Jul 07 06:18:14 2015
The CL last changed line 85 of file PageAnimator.cpp, which is stack frame 6.

============================

Suspected Project: chromium

This is impacting the latest Stable (52.0.2743.116) & Beta (53.0.2785.70).

From code search on the file "crollingCoordinator.cpp" suspecting the below.
Suspect : https://codereview.chromium.org/2118773002
eseckler@ : Could you please take a look into this issue if its related to your change, else suggest an owner who can work on this.

Comment 2 by eseckler@chromium.org, Aug 22 2016

Owner: bokan@chromium.org

Don't think it's related to this change of mine. Re-assigning to bokan@, he might have more insight into potential causes.

Comment 3 by bokan@chromium.org, Aug 22 2016

Mergedinto: 634803
Status: Duplicate (was: Assigned)

This is a non-regression and is happening because of out of bounds (for int) values in CSS. See dup'd issues for details.

Comment 4 by kateso...@chromium.org, Oct 18 2016

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 639804 link

Issue metadata

Integer-overflow in blink::Region::Shape blink::Region::Shape::shapeOperation<blink::Region::Shape::

Issue description

Comment 1 by durga.behera@chromium.org, Aug 22 2016

Comment 1 Deleted

Comment 2 by eseckler@chromium.org, Aug 22 2016

Comment 2 Deleted

Comment 3 by bokan@chromium.org, Aug 22 2016

Comment 3 Deleted

Comment 4 by kateso...@chromium.org, Oct 18 2016

Comment 4 Deleted

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Comment 5 Deleted

Sign in to add a comment