Suspected CLs	Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.(No CL in the regression range changed the crashing files.)

Author: gman@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/06b73aa26473f9ec6bec009d11329a10cad27350
Time: Fri Jan 27 23:06:19 2012
The CL last changed line 3069 of file gles2_implementation.cc, which is stack frame 0.

Author: gman@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/06b73aa26473f9ec6bec009d11329a10cad27350
Time: Fri Jan 27 23:06:19 2012
The CL last changed line 2878 of file gles2_implementation.cc, which is stack frame 1.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/11401539431e6ff15901f90f4d1e87033dc77ba5
Time: Tue Jun 07 13:17:10 2016
The CL last changed line 4052 of file WebGLRenderingContextBase.cpp, which is stack frame 2.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ac4e116972ed28118bf531c4e7c39a24d16b5df4
Time: Sat Jun 25 13:21:24 2016
The CL last changed line 4413 of file WebGLRenderingContextBase.cpp, which is stack frame 3.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/11401539431e6ff15901f90f4d1e87033dc77ba5
Time: Tue Jun 07 13:17:10 2016
The CL last changed line 4681 of file WebGLRenderingContextBase.cpp, which is stack frame 4.

Suspected Project: chromium
Suspected Component: Internals>GPU>Internals
--------------------------------------------------------------
Plausible offending CL: https://chromium.googlesource.com/chromium/src/+/11401539431e6ff15901f90f4d1e87033dc77ba5 ?
@xidachen: Hey, would you mind check above issue and see if it's related to your change ?

However, if its not then do help us in assigning the bug to appropriate owner.

Appreciate your help.

Thank you!

kbr@, zmo@, bajones@: 

The real problem of this integer-overflow is that in this line:
https://cs.chromium.org/chromium/src/gpu/command_buffer/client/gles2_implementation.cc?sq=package:chromium&rcl=1473146262&l=3069

yoffset += num_rows

The yoffset could exceed the INT_MAX.

What do you think is the best solution here? Maybe introduce a temp CheckNumeric<int> var, and assigned it back to yoffset if it is safe?

Yes, we should use CheckedNumeric for the computation there.  Can you get a CL to fix this (and also TexSubImage3DImpl)?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e8c2ace2094db0c61c9a2deea1f51b5b1054a305

commit e8c2ace2094db0c61c9a2deea1f51b5b1054a305
Author: xidachen <xidachen@chromium.org>
Date: Thu Sep 08 01:07:46 2016

Supress integer-overflow in TexSubImage2D(3D)Impl

Currently in these two functions, we are not using CheckedNumeric. This
CL uses CheckedNumeric to ensure that integer-overflow will not happen

BUG= 644271 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2310243002
Cr-Commit-Position: refs/heads/master@{#417137}

[modify] https://crrev.com/e8c2ace2094db0c61c9a2deea1f51b5b1054a305/gpu/command_buffer/client/gles2_implementation.cc

ClusterFuzz has detected this issue as fixed in range 417100:417138.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6134693714198528

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  gpu::gles2::GLES2Implementation::TexSubImage2DImpl
  gpu::gles2::GLES2Implementation::TexSubImage2D
  blink::WebGLRenderingContextBase::texImageImpl
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=374754:374868
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=417100:417138

Minimized Testcase (13.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vWZ7wEs3410hYBrHTmDX6eiyJgZ8M3y0n0Xmve_SM8gsxnhPtsaFPOM6xab2BN2uD79VcgJhxqkWB6j7E3avmSFWwVIpEZcWZTSEOnLan4cE4P3tVv1X0CrefG9VROWILB6Bg1oWAl3aKXkzO9rGXxvj0UQ?testcase_id=6134693714198528

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot