Integer-overflow in blink::TableLayoutAlgorithmAuto::layout |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5105522769657856 Fuzzer: inferno_twister Job Type: linux_ubsan_chrome Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: blink::TableLayoutAlgorithmAuto::layout blink::LayoutTable::layout layoutFromRootObject Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=368790:368799 Minimized Testcase (0.21 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv960c9nddh9ibIN6mWVmsiPceJa3LgY7yqm1Acb5CVV5btQU9tnCmn2F20aFLxdLZKQFHRDuny0Y2rU8fZgmyss7JaeVESLlFt1swfb_QQsDmY4GZY1PdhBOZ5SFugF7dRwFpEjfSCO9KbKQ95r0eW3BZxXu-w?testcase_id=5105522769657856 <table style="-webkit-writing-mode: vertical-rl;"> <td colspan=2><style> @keyframes cfpulse2 { 0% { opacity: 0.9666;92); } 100% { opacity: 0.5737; } } * { animation-name: cfpulse99; height: calc(2147483521% + 20%); Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 16 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 14 2017
ClusterFuzz testcase 5105522769657856 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace. |
||||
►
Sign in to add a comment |
||||
Comment 1 by dtapu...@chromium.org
, Nov 16 2016