Assigning to the concern owner from find it results --
The result is a list of CLs that change the crashed files. 

Author: ericwilligers
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f8be9028bcafa8722452bf454d11b2dc6304f0f8
Time: Fri Dec 09 04:15:47 2016
Lines 860-866 of file StyleBuilderConverter.cpp which potentially caused crash are changed in this cl (frame #0, "blink::StyleBuilderConverter::convertLineHeight").
Minimum distance from crash line to modified line: 0. (file: StyleBuilderConverter.cpp, crashed on: 860, modified: 860).

@ericwilligers -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

My change was to an unrelated part of StyleBuilderConverter.cpp

git blame StyleBuilderConverter.cpp suggests
https://chromium.googlesource.com/chromium/src/+/f8be9028bcafa8722452bf454d11b2dc6304f0f8
but that CL was intended to have no behavior changes.

To avoid this overflow, we might want to consider clamping to float in the following:


Length StyleBuilderConverter::convertLineHeight(StyleResolverState& state,
                                                const CSSValue& value) {
    if (primitiveValue.isNumber())
      return Length(primitiveValue.getDoubleValue() * 100.0, Percent);



Can the overflow also occur with percentages?
    if (primitiveValue.isPercentage()) {
      return Length(
          (state.style()->computedFontSize() * primitiveValue.getIntValue()) /
              100.0,
          Fixed);
    }

I don't understand why getIntValue() is being used instead of getFloatValue or getDoubleValue.

+ccameron, +thakis

I think ccameron noticed the ubsan float checks are filing bugs all over the place. I believe the CL that enabled these checks has been reverted, though I'm not sure what the plan is to fix all the systemic issues we have.

My changes in this regression set are only renames so not related.

Taking myself off ownership, sounds like ccameron@ is the right person to own this now.

Couldn't hurt to have a smaller minimised regression range.

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6735025770070016

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::StyleBuilderConverter::convertLineHeight
  blink::StyleBuilderFunctions::applyValueCSSPropertyLineHeight
  void blink::StyleResolver::applyProperties<
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96X5M5q72_IMjoHbqSYSOKZIUsIur2RLeyS70eaUENizlk_f7EtETKkXRiQ1X5T4W4l3L7Z8-ShZQHYFPfP9kiaJ98pJPs6RNoEAA0i9_rCzWQ-FiKzTrbytBJ-H8E29Es3n_ZGUxPv0hIfcTiB-tcLQSNJTg?testcase_id=6735025770070016

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6735025770070016 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.