
Issue 664718


Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in blink::ListMarkerText::toCJKIdeographic

Reported by ClusterFuzz (Project Member), Nov 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4858055461437440

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ListMarkerText::toCJKIdeographic
  blink::ListMarkerText::text
  blink::LayoutListMarker::updateContent
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=431480:431542

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zOKm_viIgdqkdMKJTxfvBEsm40scoB_ql7DT5PaoevZ9cHn_6db8lTNwhbGsFHzRGRaZy5-hc4AMHVSyAusZZitr1qn3j4ZLnWHn3ZxGSp7bWCg8zl96aHABvI0siuECj6SgILWGCeABEM8bBvD1saipNWA?testcase_id=4858055461437440
<style>
#htmlvar00009 { border-bottom-left-radius: -1px 1px; list-style-type: cjk-ideographic; }
</style>
<script>
function jsfuzzer() {
  /* 2147483648 is one past INT_MAX; the ol.start attribute is an IDL long */
  htmlvar00009.start = 2147483648;
}
</script>
<body onload="jsfuzzer()">
<ol id="htmlvar00009" download="1ZVR{'tM1[-Y" focus="true">
<li></li>
</ol>
</body>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong-CLs
Owner: thakis@chromium.org
Status: Assigned (was: Untriaged)
Unable to find the possible suspect from Findit and CL.
Assigning to the concerned owner using Code Search for the file "ListMarkerText.cpp".

Suspect Commit# 24b708f4d808c0bcd62a0bf491516571f0f114db
Suspect Review URL# https://codereview.chromium.org/2400333003

@thakis -- Could you please look into the issue, kindly re-assign if not related to your changes.
Thank You.

Comment 2 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by thakis@chromium.org, Jan 25 2017

Owner: msrchandra@chromium.org
Status: Untriaged (was: Assigned)
That's a comment-only CL, it doesn't change behavior.
Components: Blink>Layout
Owner: nasko@chromium.org
Status: Assigned (was: Untriaged)
Using Code Search for the file "ListMarkerText.cpp", assigning to the concerned owner.

@nasko -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 5 by nasko@chromium.org, Feb 1 2017

Owner: esprehn@chromium.org
Status: Untriaged (was: Assigned)
I am even in the OWNERS file for that directory. Assigning to esprehn@ for further triage.
Cc: esprehn@chromium.org e...@chromium.org
Owner: ----

Comment 7 by e...@chromium.org, Feb 2 2017

Status: WontFix (was: Untriaged)
Non-security int overflows in blink are considered WAI.

Comment 8 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 4858055461437440 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
