Suspected CLs	The result is a list of CLs that change the crashed files.

Author: eae
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/fdcbab80bc37108f6e03d6906f27831228690350
Time: Fri Oct 14 19:47:55 2016
Lines 390-395, 400-401, 408, 417-418, 425 of file SVGLengthContext.cpp which potentially caused crash are changed in this cl (frame #4, "blink::SVGLengthContext::convertValueFromCHSToUserUnits").

File ComputedStyle.cpp is changed in this cl (and is part of stack frame #3, "blink::ComputedStyle::font")
Minimum distance from crash line to modified line: 0. (file: SVGLengthContext.cpp, crashed on: 390, modified: 390).

Suspected Project: chromium
Suspected Component: Blink>SVG

eae@: Could you please take a look at this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ca7b171d703b3bc08e2a141901a1640a913ef95a

commit ca7b171d703b3bc08e2a141901a1640a913ef95a
Author: eae <eae@chromium.org>
Date: Sat Oct 22 06:54:07 2016

Fix null-check in SVGLengthContext::convertValueFromCHSToUserUnits

BUG= 657438 
R=pdr@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2445463002
Cr-Commit-Position: refs/heads/master@{#426987}

[modify] https://crrev.com/ca7b171d703b3bc08e2a141901a1640a913ef95a/third_party/WebKit/Source/core/svg/SVGLengthContext.cpp

ClusterFuzz has detected this issue as fixed in range 426978:426989.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4725186350022656

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000040
Crash State:
  blink::ComputedStyle::font
  blink::SVGLengthContext::convertValueFromCHSToUserUnits
  blink::SVGLengthContext::convertValueToUserUnits
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=425398:425442
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=426978:426989

Minimized Testcase (5.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-pimxfoIWlg1uZaRiIytDxrVT2f_Uecgt46RhAYa9tUtMK8iQsBqHOqkmIJO6esIwAaWzlsVEFf82wrmmdv11IMAKGM8SvbLEP8OURSzcHTEGTxDgJjfWzhzzHr2CaC1VY-1S9cz_qGG6JeZm7WihlwTFNA?testcase_id=4725186350022656

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c55d78bcbaff133a4e688eddc7573e0609cf190

commit 4c55d78bcbaff133a4e688eddc7573e0609cf190
Author: fs <fs@opera.com>
Date: Mon Oct 24 16:18:24 2016

Fix more null-checks in SVGLengthContext::convertValueFrom*

The following methods in SVGLengthContext:

 convertValueFromUserUnitsToCHS
 convertValueFromUserUnitsToEXS
 convertValueFromEXSToUserUnits

needs the same treatment as convertValueFromCHSToUserUnits got in
https://chromiumcodereview.appspot.com/2445463002.

R=pdr@chromium.org,eae@chromium.org
BUG= 657438 , 658585 , 658613 

Review-Url: https://codereview.chromium.org/2449433002
Cr-Commit-Position: refs/heads/master@{#427080}

[modify] https://crrev.com/4c55d78bcbaff133a4e688eddc7573e0609cf190/third_party/WebKit/Source/core/svg/SVGLengthContext.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot