This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

mtklein -- Can you take a look?

Yuqian, is this related to analytic AA?

ClusterFuzz has detected this issue as fixed in range 430262:430287.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5341648763748352

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 2
Crash Address: 0x61f000013460
Crash State:
  Break
  add
  RunBasedAdditiveBlitter::blitAntiH
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=430188:430192
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=430262:430287

Minimized Testcase (0.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kwAp1mNazLl3rkIRP1TJQhcDnieTtAijEru-KkKRllT-ARpDkVMT1LObpEMrbq6eZU-E26UkzAyIqZSLO0VKUelLWQ1YXd7dDqv_Le-BJgZ00Y4ZkBgdfuMp05fhpFsl1IoVr8i4o2bYaSOi3YxEAmWQBzQ?testcase_id=5341648763748352

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/671ce62f35049808378ee966da0e7b3acd0be30a

commit 671ce62f35049808378ee966da0e7b3acd0be30a
Author: liyuqian <liyuqian@google.com>
Date: Wed Nov 09 15:24:21 2016

Check negative overflow of quickSkFDot6Div

The following fuzz html reveals the bug in chromium content_shell

===html=begins===
<style>
*{min-width:4%;-webkit-border-radius:+256%;}
.CLASS11{text-decoration:rgba(128%,16129%,1%,0.0000000004656612317904879831274006762300773920593144339363789186) dotted blink;vertical-align:124px;-webkit-column-count:2147483655 !important;</style>
<h1 class="CLASS11 CLASS1">
>
B
<button>
<h4 class="CLASS11 CLASS12">
</h4>
<p>
c C
<table>
<caption class="CLASS11">
>
<ruby class="CLASS11 CLASS12">
</ruby>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x
===html===ends===

BUG= chromium:662905 
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2482863004

Review-Url: https://codereview.chromium.org/2482863004

[modify] https://crrev.com/671ce62f35049808378ee966da0e7b3acd0be30a/src/core/SkAnalyticEdge.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3db0dba7ab7119602cb4e83b785044f6f44619b

commit d3db0dba7ab7119602cb4e83b785044f6f44619b
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Wed Nov 09 16:48:13 2016

Roll src/third_party/skia/ 68b7a52a0..671ce62f3 (3 commits).

https://skia.googlesource.com/skia.git/+log/68b7a52a0b93..671ce62f3504

$ git log 68b7a52a0..671ce62f3 --date=short --no-merges --format='%ad %ae %s'
2016-11-09 liyuqian Check negative overflow of quickSkFDot6Div
2016-11-09 borenet Fix assets.py args
2016-11-09 robertphillips Move GrRenderTargetPriv::maxWindowRectangles to GrRenderTargetContextPriv & GrRenderTargetProxy

BUG= 662905 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
TBR=scroggo@google.com

Review-Url: https://codereview.chromium.org/2490953002
Cr-Commit-Position: refs/heads/master@{#430950}

[modify] https://crrev.com/d3db0dba7ab7119602cb4e83b785044f6f44619b/DEPS

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot