New issue
Advanced search Search tips

Issue 656541 link

Starred by 2 users
Status: WontFix
Owner:
bokan@chromium.org
Closed: Nov 2016
Cc:
ajha@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Integer-overflow in blink::ScrollableArea::pageStep

Project Member Reported by ClusterFuzz, Oct 17 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5637248978780160

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ScrollableArea::pageStep
  blink::ScrollableArea::scrollStep
  blink::ScrollableArea::userScroll
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=378578:378682

Minimized Testcase (1.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94LGNk5wGip_N-R5aq9gnlkJJdVMCC-sJ6wA9n79fXSTV5rXKoD_cCajfZ67wGSfExDy1c-ahgTy6X59W_IY-mnk8E4N4fr8MuOB-tVMnPA6AJ28t7062rlGhv7uj5ISjHxKtiSgc60kZ9ovGRLJKZQpP7hfQ?testcase_id=5637248978780160

Additional requirements: Requires Gestures

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Oct 17 2016

Cc: ajha@chromium.org
Components: Blink>Scroll
Labels: Findit-for-crash M-56 Te-Logged
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: bokan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f0713e7d9da9b89301ae0ae1228d51fbb2e17afc
Time: Wed Mar 02 01:14:36 2016
Lines 160-169 of file ScrollableArea.cpp which potentially caused crash are changed in this cl (frame #2, "blink::ScrollableArea::userScroll").
Minimum distance from crash line to modified line: 0. (file: ScrollableArea.cpp, crashed on: 160, modified: 160).

Suspected Project: chromium
Suspected Component: Blink>Scroll
====================================================

Based on the above Find It result, bokan@: Could you please take a look at this issue and help in further investigation.

Thank you!
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by bokan@chromium.org, Nov 28 2016

Status: WontFix (was: Assigned)
The testcase have overflowing ints so this is WontFix (see  issue 634803 )
Project Member

Comment 4 by ClusterFuzz, Feb 24 2017 

ClusterFuzz has detected this issue as fixed in range 452556:452607.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5637248978780160

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ScrollableArea::pageStep
  blink::ScrollableArea::scrollStep
  blink::ScrollableArea::userScroll
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=378578:378682
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=452556:452607

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LGNk5wGip_N-R5aq9gnlkJJdVMCC-sJ6wA9n79fXSTV5rXKoD_cCajfZ67wGSfExDy1c-ahgTy6X59W_IY-mnk8E4N4fr8MuOB-tVMnPA6AJ28t7062rlGhv7uj5ISjHxKtiSgc60kZ9ovGRLJKZQpP7hfQ?testcase_id=5637248978780160


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment