Integer-overflow in blink::IntRect::uniteEvenIfEmpty
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5733794431893504

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::IntRect::uniteEvenIfEmpty
  blink::LayoutObject::absoluteBoundingBoxRect
  blink::ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=421629:421705

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95F3sovOM71Mh_S_FeoI4oRZix58zBApmdnEmd7Ml-yQlLHJHnmCXD5sKEe8iw4HA99z5PfyaSwzjOC1vNnJ-9N2RnGAoGenfPT_Cz535FRh1A_WwH_02j97rickfsgoGvoP4Jixdp6-40jX9xVS8QxvkHpZB-3tdMB0OxpbSPUbrrs9TNTXNAxuHkpGn3P-Q_VlnPNNGDXjUzMcfY6k5eshZCh-M0aBRwirM9-iOic4dsW5NZ3s1f2edRhah5rnxWwW-WePtyXcG_MwiFBZRGV1gZvmUU6uoT0EnO__uUOts7j2alTuK3DanjJVzgwJNi5v0bHKw8WTFpwuMefHZF-5cYBE5A-Zc5o58OOXuDwNWDXFw0?testcase_id=5733794431893504

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
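The UBSan report above flags signed integer overflow inside the rect union: with layout coordinates near INT_MAX, the x + width / y + height edge computations wrap, which is undefined behaviour in C++ even though the result is "only" a bogus rectangle. The following is an added illustration, not Blink's code and not taken from the bug or the linked CL: a minimal IntRect stand-in whose naive union has the same arithmetic shape (an assumption about uniteEvenIfEmpty, not a copy of it), a UB-free pre-check built on the GCC/Clang overflow builtins that detects the condition the sanitizer reports, and a saturating variant that does the edge arithmetic in 64 bits and clamps back to int. The sample rectangles in the usage are constructed for the example.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>

// Minimal stand-in for the (x, y, width, height) layout of blink::IntRect.
// Illustrative only; this is not Blink's implementation.
struct IntRect {
    int x, y, width, height;
    int maxX() const { return x + width; }   // signed addition: wraps for large x/width
    int maxY() const { return y + height; }
};

// Union that honours both rects even when one is empty. Assumed to resemble
// the arithmetic of uniteEvenIfEmpty, not copied from it. With inputs near
// INT_MAX the maxX()/maxY() terms overflow int, i.e. undefined behaviour,
// which is exactly what -fsanitize=undefined reports. Never call this with
// inputs that fail uniteWouldOverflow().
IntRect uniteNaive(const IntRect& a, const IntRect& b) {
    int left = std::min(a.x, b.x);
    int top = std::min(a.y, b.y);
    int right = std::max(a.maxX(), b.maxX());
    int bottom = std::max(a.maxY(), b.maxY());
    return IntRect{left, top, right - left, bottom - top};
}

// Pre-check: would any edge computation in uniteNaive overflow int?
// __builtin_add_overflow (GCC/Clang) reports the overflow without performing
// the UB addition, so the check itself is always well defined.
bool uniteWouldOverflow(const IntRect& a, const IntRect& b) {
    int scratch;
    return __builtin_add_overflow(a.x, a.width, &scratch)
        || __builtin_add_overflow(a.y, a.height, &scratch)
        || __builtin_add_overflow(b.x, b.width, &scratch)
        || __builtin_add_overflow(b.y, b.height, &scratch);
}

// Hardened form: widen to 64 bits for the edge arithmetic and clamp each
// result back into int, so extreme coordinates degrade to a saturated rect
// instead of triggering undefined behaviour.
static int clampToInt(int64_t v) {
    return static_cast<int>(std::max<int64_t>(INT_MIN, std::min<int64_t>(INT_MAX, v)));
}

IntRect uniteSaturated(const IntRect& a, const IntRect& b) {
    int64_t left = std::min(a.x, b.x);
    int64_t top = std::min(a.y, b.y);
    int64_t right = std::max(int64_t{a.x} + a.width, int64_t{b.x} + b.width);
    int64_t bottom = std::max(int64_t{a.y} + a.height, int64_t{b.y} + b.height);
    return IntRect{clampToInt(left), clampToInt(top),
                   clampToInt(right - left), clampToInt(bottom - top)};
}

int main() {
    // Constructed inputs: the second rect's right edge is INT_MAX + 95.
    IntRect a{0, 0, 10, 10};
    IntRect b{INT_MAX - 5, 0, 100, 10};
    if (uniteWouldOverflow(a, b)) {
        IntRect r = uniteSaturated(a, b);   // width saturates to INT_MAX
        return r.width == INT_MAX ? 0 : 1;
    }
    return 1;
}
```

Building this with `-fsanitize=undefined` and calling uniteNaive(a, b) on the constructed pair reproduces the same class of "signed integer overflow" diagnostic the fuzzer hit; uniteWouldOverflow lets a caller refuse such input up front, and uniteSaturated is one way to make the union total without changing results for ordinary coordinates.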
Feb 1 2017
Predator and CL did not provide any possible suspects. Using Code Search for the file "IntRect.cpp", assigning to the concerned owner; suspecting Commit# https://chromium.googlesource.com/chromium/src/+/ba351587780ae54f82ce5af943c203b0bc10c8c4. @darin -- could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Feb 1 2017
Feb 8 2017
Rob, could you triage this to someone on your team, given where the ScrollingCoordinator stack trace points?
Feb 8 2017
Feb 10 2017
Feb 10 2017
Closing as WontFix after discussing with pdr@ in the CL https://codereview.chromium.org/2685783008/
Comment 1 by dtapu...@chromium.org, Feb 1 2017