Integer-overflow in blink::IntRect::inflateX
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577232611966976

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::IntRect::inflateX
  inflate
  blink::ObjectPainter::paintOutline

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96NcZmFpjAAStoAT1X4nnndLi5WYZNfNqdP6H2EEFmB51q3_mm6tzEE5Jdvar-zYGJpW_UEffmlEFgeVOfgwvVjBBekdrzBg6BhhK8hYsq54vA2sQNdzU4dOWCFFIYDLd65Ovk6V467hxWDfDtx0HxeF3JAZg?testcase_id=4577232611966976

Additional requirements: Requires Gestures

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 17 2016
Two notes:
- We discussed ubsan int overflow issues in paint code like this recently with aarya@ team and noted we believe these to be safe and will close as WontFix.
- The suspected CL was aimed at fixing these overflows, rather than causing; but, also, the ObjectPainter portion was subsequently reverted in https://codereview.chromium.org/2408373002/
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Oct 14 2016
Labels: M-54 Te-Logged
Owner: wkorman@chromium.org
Status: Assigned (was: Untriaged)