Integer-overflow in int WTF::toIntegralType<int, unsigned char> |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5118587906031616 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> toInt blink::HTMLLIElement::parseValue Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96BKgocO0m08m0FrWttQHthXfjzTW-w8NfgupsYLkxiGyFptXpBC0go4ND7JFEKoa39oh_bGNE8aNTrwgXnZnV49-Vz30oy-qrwZF2Tli0E6699ezGja-pkLLbyqmXLwD1ocAbynD31br5i4eB6mwtNNIhj4A?testcase_id=5118587906031616 <li value=-2147483648> Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 10 2016
,
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/be05dcac5f912363b08b387fa798069656eec8aa commit be05dcac5f912363b08b387fa798069656eec8aa Author: rob.buis <rob.buis@samsung.com> Date: Tue Nov 15 05:04:31 2016 Use parseHTMLInteger in HTMLLIElement Use parseHTMLInteger in HTMLLIElement instead of toInt to avoid problems when handling -2147483648. BUG= 657448 Review-Url: https://codereview.chromium.org/2490283002 Cr-Commit-Position: refs/heads/master@{#432106} [add] https://crrev.com/be05dcac5f912363b08b387fa798069656eec8aa/third_party/WebKit/LayoutTests/fast/lists/li-minimum-long-value-expected.html [add] https://crrev.com/be05dcac5f912363b08b387fa798069656eec8aa/third_party/WebKit/LayoutTests/fast/lists/li-minimum-long-value.html [modify] https://crrev.com/be05dcac5f912363b08b387fa798069656eec8aa/third_party/WebKit/Source/core/html/HTMLLIElement.cpp
,
Nov 15 2016
,
Nov 18 2016
ClusterFuzz has detected this issue as fixed in range 431896:432151. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5118587906031616 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> toInt blink::HTMLLIElement::parseValue Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=431896:432151 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96BKgocO0m08m0FrWttQHthXfjzTW-w8NfgupsYLkxiGyFptXpBC0go4ND7JFEKoa39oh_bGNE8aNTrwgXnZnV49-Vz30oy-qrwZF2Tli0E6699ezGja-pkLLbyqmXLwD1ocAbynD31br5i4eB6mwtNNIhj4A?testcase_id=5118587906031616 <li value=-2147483648> See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by dtapu...@chromium.org
, Nov 10 2016