Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Unable to find the possible suspect using CL and Find it.
Using Code Search for the file, "StringToNumber.cpp" assigning to the concern owner.
Suspecting the Commit# 
https://chromium.googlesource.com/chromium/src/+/7dc7c0fc073b84f3050726b52ceec1bbcb304ba3

@esprehn -- Could you please look into the issue, kindly re-assign if this is not related to your change.
Thank You.

There is overflow protection in there...

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/wtf/text/StringToNumber.cpp?q=StringToNumber.cpp&sq=package:chromium&l=73

yutak@ Got ideas what's wrong with it?

OK, sounds like this code has an issue with inputs like INT_MIN. For base 10,
it still gives the correct answer, even though an integer overflow has occurred.
(For base 16, it doesn't give a correct answer.)

It's a bit tricky but let me try to fix this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/957b5b3085eeae5a6fd6779d62feb90cc2515ad2

commit 957b5b3085eeae5a6fd6779d62feb90cc2515ad2
Author: yutak <yutak@chromium.org>
Date: Fri Dec 09 09:53:17 2016

StringToNumber: Fix integer overflow on parsing INT_MIN.

This patch adjusts the algorithm of toIntegralType(), which parses an integer
value out of a string. Previously, toIntegralType() used a positive number
as an accumulator regardless of whether we had seen the negative sign or not,
and it inverted the accumulator value if there had been a negative sign. This
causes an integer overflow when INT_MIN is specified as the source string,
because the absolute value of INT_MIN is one larger than that of INT_MAX.

This patch fixes this issue by accumulating a negative value if the result
will be negative. Also, the detection algorithm of overflows is updated so
that it can detect overflows correctly in every possible case (it used to have
a small bug that the function fails to parse INT_MIN in base 16).

Additionally, unit tests are added.

BUG= 665110 

Review-Url: https://codereview.chromium.org/2563643002
Cr-Commit-Position: refs/heads/master@{#437508}

[modify] https://crrev.com/957b5b3085eeae5a6fd6779d62feb90cc2515ad2/third_party/WebKit/Source/wtf/BUILD.gn
[modify] https://crrev.com/957b5b3085eeae5a6fd6779d62feb90cc2515ad2/third_party/WebKit/Source/wtf/text/StringToNumber.cpp
[add] https://crrev.com/957b5b3085eeae5a6fd6779d62feb90cc2515ad2/third_party/WebKit/Source/wtf/text/StringToNumberTest.cpp

 Issue 661640  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4949181631561728

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  int WTF::toIntegralType<int, unsigned char>
  blink::HTMLHRElement::collectStyleForPresentationAttribute
  blink::computePresentationAttributeStyle
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Z1oGTJEJCdamsdcj1GZyTAlwuq9pGS3_kbGeDqh_UPZ_waBWGSbyuO_SN_8xqlyG1q63yiSC-FEIq2VATUyeKz-PMn613bzIWvMHjC3RjAJvYNT6I4sP2mMeLmSPNEehFoyhnKbrXogy0QIsowjo28REq6w?testcase_id=4949181631561728
<hr size="-2147483648">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4949181631561728 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.