Integer-overflow in blink::ListMarkerText::toCJKIdeographic |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4858055461437440

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::ListMarkerText::toCJKIdeographic
  blink::ListMarkerText::text
  blink::LayoutListMarker::updateContent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=431480:431542

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zOKm_viIgdqkdMKJTxfvBEsm40scoB_ql7DT5PaoevZ9cHn_6db8lTNwhbGsFHzRGRaZy5-hc4AMHVSyAusZZitr1qn3j4ZLnWHn3ZxGSp7bWCg8zl96aHABvI0siuECj6SgILWGCeABEM8bBvD1saipNWA?testcase_id=4858055461437440

<style>
#htmlvar00009 { border-bottom-left-radius: -1px 1px; list-style-type: cjk-ideographic;
</style>
<script>
function jsfuzzer() { htmlvar00009.start = 2147483648; }
</script>
<body onload=jsfuzzer()>
<ol id="htmlvar00009" download="1ZVR{'tM1[-Y" focus="true">
<li>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
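The testcase sets ol.start to 2147483648, one past INT32_MAX. HTMLOListElement.start is a WebIDL `long`, whose conversion wraps modulo 2^32, so the list-item value Blink sees is INT32_MIN, and any signed negation of that value on the marker-text path is undefined behavior that UBSan reports as an integer overflow. The block below is an added example, not Blink's code: it models the two steps (WebIDL `long` conversion, then marker text for a possibly-negative value) with a hypothetical stand-in for toCJKIdeographic. Where exactly Blink's function overflows is not on this page; the stand-in puts the hazard in the sign-handling step and contrasts a naive negation with an unsigned-magnitude version. The digit renderer is a simplified cjk-decimal-style substitution, not the full cjk-ideographic algorithm, and the leading "-" for negative values is an assumed convention.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <string>

// Added example, not Blink's code. Models the path the testcase exercises:
// WebIDL `long` conversion of `ol.start`, then a list-marker formatter that
// must handle the resulting negative value without signed overflow.

// WebIDL ToInt32 for finite doubles: truncate, reduce modulo 2^32, then
// reinterpret as two's complement. 2147483648 wraps to INT32_MIN.
int32_t WebIdlLong(double v) {
  if (!std::isfinite(v)) return 0;
  double m = std::fmod(std::trunc(v), 4294967296.0);
  if (m < 0) m += 4294967296.0;
  uint32_t bits = static_cast<uint32_t>(m);
  int32_t out;
  std::memcpy(&out, &bits, sizeof out);  // bit-exact reinterpretation
  return out;
}

// Naive magnitude: `-n` is undefined behavior (UBSan "signed integer
// overflow") when n == INT32_MIN. Kept only for contrast; never call it
// with INT32_MIN.
int32_t NaiveMagnitude(int32_t n) { return n < 0 ? -n : n; }

// Safe magnitude: widen to uint32_t first. Unsigned negation is defined
// modulo 2^32, so INT32_MIN maps to 2147483648u with no overflow.
uint32_t SafeMagnitude(int32_t n) {
  uint32_t u = static_cast<uint32_t>(n);
  return n < 0 ? 0u - u : u;
}

// Simplified cjk-decimal-style digit substitution over an unsigned magnitude.
// The real `cjk-ideographic` style (Blink's toCJKIdeographic) also inserts
// 十/百/千 place markers; that is omitted since only sign handling is at issue.
std::string CjkDecimal(uint32_t n) {
  static const char* const kDigits[] = {"〇", "一", "二", "三", "四",
                                        "五", "六", "七", "八", "九"};
  if (n == 0) return kDigits[0];
  std::string out;
  while (n != 0) {
    out.insert(0, kDigits[n % 10]);
    n /= 10;
  }
  return out;
}

// Marker text for a list-item value. The "-" prefix for negatives is an
// assumed convention for this example.
std::string ListMarker(int32_t value) {
  std::string digits = CjkDecimal(SafeMagnitude(value));
  return value < 0 ? "-" + digits : digits;
}

int main() {
  // Mirrors the testcase: htmlvar00009.start = 2147483648.
  int32_t start = WebIdlLong(2147483648.0);
  std::string marker = ListMarker(start);  // "-二一四七四八三六四八"
  return marker.empty() ? 1 : 0;
}
```

Run under `-fsanitize=undefined` and swap SafeMagnitude for NaiveMagnitude in ListMarker to see the same class of report ClusterFuzz filed here; the unsigned version stays silent because the wrap is defined.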
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 25 2017
That's a comment-only CL; it doesn't change behavior.
Feb 1 2017
Using Code Search for the file "ListMarkerText.cpp", assigning to the concerned owner. @nasko -- Could you please look into the issue? Kindly re-assign if this is not related to your changes. Thank you.
Feb 1 2017
I am even in the OWNERS file for that directory. Assigning to esprehn@ for further triage.
Feb 1 2017
Feb 2 2017
Non-security int overflows in blink are considered WAI.
Jul 14 2017
ClusterFuzz testcase 4858055461437440 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 1 by msrchandra@chromium.org, Nov 14 2016
Labels: Test-Predator-Wrong-CLs
Owner: thakis@chromium.org
Status: Assigned (was: Untriaged)