Integer-overflow in blink::HTMLInputElement::stepDown
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5155157170192384

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::HTMLInputElement::stepDown
  stepDownMethod
  blink::HTMLInputElementV8Internal::stepDownMethodCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94L1ktBFkiE-h-BsadhfxDVuP1psH7vLrNZnbhly3GIvI8R-iWgd0xmA6onluQzHKzDDRLigOJ7GOKF1myGqm3fRtm91OemWxqsMpFi6FrwrqPSNeY-wOuS_mLDlhHtzaNMMK3m65t18eKsGCQlRWYs-sU7cQ?testcase_id=5155157170192384

<script>
function jsfuzzer() {
  htmlvar00004.stepDown(2147483648);
}
</script>
<body onload=jsfuzzer()>
<input id="htmlvar00004" value="ydjHPezu4]t"k">

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 24 2016

Oct 26 2016

Oct 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/28c02d6167e1c545716f433dc84e3656da28c816

commit 28c02d6167e1c545716f433dc84e3656da28c816
Author: tkent <tkent@chromium.org>
Date: Wed Oct 26 14:05:43 2016

INPUT element: Fix integer overflow in input.stepDown().

-n doesn't work for n=-2147483648.

BUG= 658717

Review-Url: https://codereview.chromium.org/2452743004
Cr-Commit-Position: refs/heads/master@{#427681}

[modify] https://crrev.com/28c02d6167e1c545716f433dc84e3656da28c816/third_party/WebKit/LayoutTests/fast/forms/number/number-stepup-stepdown-expected.txt
[modify] https://crrev.com/28c02d6167e1c545716f433dc84e3656da28c816/third_party/WebKit/LayoutTests/fast/forms/number/number-stepup-stepdown.html
[modify] https://crrev.com/28c02d6167e1c545716f433dc84e3656da28c816/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
[modify] https://crrev.com/28c02d6167e1c545716f433dc84e3656da28c816/third_party/WebKit/Source/core/html/forms/InputType.cpp
[modify] https://crrev.com/28c02d6167e1c545716f433dc84e3656da28c816/third_party/WebKit/Source/core/html/forms/InputType.h
Oct 26 2016

Oct 28 2016
ClusterFuzz has detected this issue as fixed in range 427578:427883.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5155157170192384

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::HTMLInputElement::stepDown
  stepDownMethod
  blink::HTMLInputElementV8Internal::stepDownMethodCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=427578:427883

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94L1ktBFkiE-h-BsadhfxDVuP1psH7vLrNZnbhly3GIvI8R-iWgd0xmA6onluQzHKzDDRLigOJ7GOKF1myGqm3fRtm91OemWxqsMpFi6FrwrqPSNeY-wOuS_mLDlhHtzaNMMK3m65t18eKsGCQlRWYs-sU7cQ?testcase_id=5155157170192384

<script>
function jsfuzzer() {
  htmlvar00004.stepDown(2147483648);
}
</script>
<body onload=jsfuzzer()>
<input id="htmlvar00004" value="ydjHPezu4]t"k">

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Oct 24 2016

Labels: M-55 Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)