
Issue 658715

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Feb 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Integer-overflow in blink::operator+

Project Member Reported by ClusterFuzz, Oct 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5031978716102656

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::operator+
  blink::LocalDOMWindow::resizeBy
  resizeByMethod
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.05 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969cJebbYY8ujCS82RAHWV_ju07BaYY2QxHhcq27nm_Rr_a2OW3XXDWw3Bi2HfZiaFah6nX33xEY7sU1SsmSXX3gnhBvYKj6fFkryj_ewUiShI1I_Y_sARtKDsH1279azmNAulrCCjeda1aDjtlvF4PKULfuA?testcase_id=5031978716102656
<script>
 window.resizeBy(2147483647,-1); 
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: nyerramilli@chromium.org
Labels: findit-wrong M-55
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purposes:
--------------------------------------------------
Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 141 of file IntSize.h, which is stack frame 0.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 1261 of file LocalDOMWindow.cpp, which is stack frame 1.

Suspected Project: chromium

Using codesearch, I see some recent changes to 'LocalDOMWindow.cpp' in https://chromium.googlesource.com/chromium/src/+/6a616686e564d5cac7d25b61070b5031a818df8d

mkwst@, could you please check the issue and help.
Comment 2 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 3 by ClusterFuzz (Project Member), Feb 18 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5031978716102656 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.