Issue metadata
Sign in to add a comment
|
Integer-overflow in int WTF::toIntegralType<int, unsigned char> |
||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6501609522855936 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> adjustedTabIndex nextElementWithGreaterTabIndex Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=429962:430084 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94kGQmWA0ZwSRn6g7O75QGKqIWLMI1PaCNmPzXynJCHt3cC-BAIUIpxbe21lI2tLg_BHQTWor3kCSxIB6wdnhtnwrb-oQprNlx72dmnwl3Snmuo-zOf_JH7KgVCFAfnRNcBxohNHRUAawENx3t1aGl43_J9aYQtD1MCMlcuDFgA4DCfVgs?testcase_id=6501609522855936 Additional requirements: Requires Gestures Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 9 2016
ClusterFuzz has detected this issue as fixed in range 430550:430572. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6501609522855936 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: int WTF::toIntegralType<int, unsigned char> adjustedTabIndex nextElementWithGreaterTabIndex Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=429962:430084 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=430550:430572 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94kGQmWA0ZwSRn6g7O75QGKqIWLMI1PaCNmPzXynJCHt3cC-BAIUIpxbe21lI2tLg_BHQTWor3kCSxIB6wdnhtnwrb-oQprNlx72dmnwl3Snmuo-zOf_JH7KgVCFAfnRNcBxohNHRUAawENx3t1aGl43_J9aYQtD1MCMlcuDFgA4DCfVgs?testcase_id=6501609522855936 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 9 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/93bc2cfbf5ff5d076a06bb599595f256cf47b208 commit 93bc2cfbf5ff5d076a06bb599595f256cf47b208 Author: rob.buis <rob.buis@samsung.com> Date: Thu Nov 10 00:44:40 2016 Make getIntegralAttribute use parseHTMLInteger Make getIntegralAttribute use parseHTMLInteger since AtomicString::toInt can't handle -2147483648 and it is less spec conformant on whitespace handling. BUG= 662659 Review-Url: https://codereview.chromium.org/2486793002 Cr-Commit-Position: refs/heads/master@{#431110} [modify] https://crrev.com/93bc2cfbf5ff5d076a06bb599595f256cf47b208/third_party/WebKit/LayoutTests/imported/wpt/html/dom/reflection-embedded-expected.txt [modify] https://crrev.com/93bc2cfbf5ff5d076a06bb599595f256cf47b208/third_party/WebKit/LayoutTests/imported/wpt/html/dom/reflection-grouping-expected.txt [modify] https://crrev.com/93bc2cfbf5ff5d076a06bb599595f256cf47b208/third_party/WebKit/Source/core/dom/Element.cpp
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by nyerramilli@chromium.org
, Nov 7 2016Labels: -Type-Bug M-56 Test-Predator-Correct-CLs Type-Bug-Regression
Owner: rob.buis@chromium.org
Status: Assigned (was: Untriaged)