
Issue 650602


Issue metadata

Status: WontFix
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Integer-overflow in blink::IntRect::inflateX

Project Member Reported by ClusterFuzz, Sep 27 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4747045435080704

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::inflateX
  blink::ObjectPainter::paintOutline
  blink::InlinePainter::paint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv954yHUbn7lHTBBmHpA_-Sgs3DAl4Sk5v8iar7A0m7H5IX8zdpQoAtAXqre9bQ1OCed6DDZyKbAcevlY-qzWV5VhDJB-hW-AWKt-I00ByEmwBO_P6EK05WO-sAAUo1GOd7Of6KmB54EGRyqE9Akc38IayLAZug?testcase_id=4747045435080704

Issue manually filed by: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Blink
Labels: M-54 Findit-for-crash Te-Logged
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: darin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ba351587780ae54f82ce5af943c203b0bc10c8c4
Time: Mon Jan 30 09:03:14 2006
The CL last changed line 156 of file IntRect.h, which is stack frame 0.

Author: darin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ba351587780ae54f82ce5af943c203b0bc10c8c4
Time: Mon Jan 30 09:03:14 2006
The CL last changed line 163 of file IntRect.h, which is stack frame 1.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d73c319b1be14ce900c8ecc6d61b75be68f5f02c
Time: Mon Aug 31 19:11:38 2015
The CL last changed line 112 of file ObjectPainter.cpp, which is stack frame 2.

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/a734170517b9576bedce9feeddfe53473510c4e9
Time: Thu Dec 10 21:45:14 2015
The CL last changed line 254 of file ObjectPainter.cpp, which is stack frame 3.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d73c319b1be14ce900c8ecc6d61b75be68f5f02c
Time: Mon Aug 31 19:11:38 2015
The CL last changed line 25 of file InlinePainter.cpp, which is stack frame 4.

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7bbf28dbf37343355a80aa7cd33c6d4a90728b6a
Time: Sat Sep 20 20:40:40 2014
The CL last changed line 541 of file LayoutInline.cpp, which is stack frame 5.

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7cbfbcef3ed11feafc3f77c0225b73008abb6d85
Time: Fri Jan 15 02:14:03 2016
The CL last changed line 264 of file ObjectPainter.cpp, which is stack frame 6.

Suspected Project: chromium
======================

From the above Findit tool information, the changes made to the file "ObjectPainter.cpp" in frames 2 & 4 are more related to it.

wangxianzhu@, could you please look into this issue if it is related to your change; else please route this to an appropriate owner for this issue.

Thanks,
Status: WontFix (was: Assigned)
Comment 3 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: msrchandra@chromium.org wangxianzhu@chromium.org blink-reformat@chromium.org ifratric@google.com
Issue 666058 has been merged into this issue.
