Integer-overflow in int WTF::toIntegralType<int, unsigned char>
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5344036326211584

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::parseHTMLInteger
  blink::Element::parseAttribute

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=423512:423881

Minimized Testcase (0.03 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96K4X71Ez_XYgtAdtm5dO9Pm4a0RSW71YnMsY9n45QEYAHW3APM30XTAhf5HzlE-tqvW-UT0HQ9x8ZV7-nUPhGR_ZHXcwObM0xnBQ0Mc_JjKT9nsVjCd4vA-VrKGwW3HBRHTjy33vFQakzSJWIk0CXHDpOEbA?testcase_id=5344036326211584
Testcase contents:
  <pre tabindex=-2147483648>

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 13 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cbfd866cbc7981e453dfd9afae669daa567b5cb2

commit cbfd866cbc7981e453dfd9afae669daa567b5cb2
Author: rob.buis <rob.buis@samsung.com>
Date: Thu Oct 13 16:37:21 2016

    Fix parseHTMLInteger

    In r423595 I made a change that caused toIntegralType to be called with
    input std::numeric_limits<int>::min which it can't handle because it
    relies on an intermediate integer to store the value. So inline the
    calculation and use an unsigned integer for the calculation, casting to
    int when returning.

    BUG=654324

    Review-Url: https://codereview.chromium.org/2411713002
    Cr-Commit-Position: refs/heads/master@{#425055}

[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdioms.cpp
[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdioms.h
[modify] https://crrev.com/cbfd866cbc7981e453dfd9afae669daa567b5cb2/third_party/WebKit/Source/core/html/parser/HTMLParserIdiomsTest.cpp
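As an added illustration (not Blink's code and not part of this bug report): an attribute-integer parser written the way the commit describes, accumulating the magnitude in an unsigned int so that the testcase value -2147483648 (INT_MIN) never has to pass through a signed intermediate, which is where toIntegralType overflowed. The function name, the whitespace and sign handling, and the choice to reject out-of-range values rather than clamp are assumptions made for this example.

```cpp
#include <climits>
#include <cstddef>
#include <optional>
#include <string>

// Parse a decimal integer from an attribute value: skip leading ASCII
// whitespace, accept an optional sign, consume digits and stop at the first
// non-digit. Returns nullopt when there are no digits or the value does not
// fit in int. (Hypothetical helper, not the Blink implementation.)
//
// The magnitude is accumulated in an unsigned int: the magnitude of INT_MIN,
// 2147483648, is representable there, whereas accumulating it in a signed int
// overflows one step before the final negation.
std::optional<int> parseHtmlInteger(const std::string& input) {
  size_t pos = 0;
  const size_t len = input.size();
  auto isSpace = [](char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\f' || c == '\r';
  };
  while (pos < len && isSpace(input[pos])) ++pos;

  bool negative = false;
  if (pos < len && (input[pos] == '-' || input[pos] == '+')) {
    negative = input[pos] == '-';
    ++pos;
  }
  if (pos >= len || input[pos] < '0' || input[pos] > '9') return std::nullopt;

  // Largest magnitude allowed for this sign: |INT_MIN| is one more than INT_MAX.
  const unsigned int limit = negative ? static_cast<unsigned int>(INT_MAX) + 1u
                                      : static_cast<unsigned int>(INT_MAX);
  unsigned int magnitude = 0;
  while (pos < len && input[pos] >= '0' && input[pos] <= '9') {
    const unsigned int digit = static_cast<unsigned int>(input[pos] - '0');
    // Check before multiplying so the unsigned accumulator never wraps either.
    if (magnitude > (limit - digit) / 10u) return std::nullopt;
    magnitude = magnitude * 10u + digit;
    ++pos;
  }

  if (!negative) return static_cast<int>(magnitude);
  // -2147483648 cannot be produced by negating a positive int, so return it
  // directly; every smaller magnitude fits in int and negates safely.
  if (magnitude == static_cast<unsigned int>(INT_MAX) + 1u) return INT_MIN;
  return -static_cast<int>(magnitude);
}
```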
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Oct 10 2016

Components: Blink>HTML
Labels: Findit-for-crash M-56 ToolsTestsFindItCorrectResult
Owner: rob.buis@chromium.org
Status: Assigned (was: Untriaged)