
Issue 688304


Issue metadata

Status: WontFix
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Integer-overflow in blink::IntRect::maxX

Project Member Reported by ClusterFuzz, Feb 3 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5019781658050560

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::maxX
  blink::FrameView::maybeRecordLoadReason
  base::internal::RunMixin<base::Callback<void
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97xDC0Frmi12t4snVjPaND2iNBIV3OtDARDf3enhALJu0LHB-8kMyxEmMPO1n-504JyjQbiGuck0m7af4uBJ37naXO6j25HDyVbi6lzuZwITzRA8nFJuknQUJ7W94ZZXXAWcDlWOGvpaS6UqldTni5LNxOrPQ?testcase_id=5019781658050560


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
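The crash state above says UBSAN caught signed integer overflow inside `blink::IntRect::maxX`, reached from the frame-throttling path in `FrameView::maybeRecordLoadReason`. The example below is added here to illustrate that bug class; it is not Blink's code and not taken from the report. It assumes `maxX` computes the rectangle's right edge as `x + width` (which is what the accessor's name and a signed-overflow report on it suggest), and shows the wrapping result beside two defensive forms, a checked one that refuses to produce an unrepresentable edge and a saturating one that clamps. The `Rect` struct and all inputs are constructed for the demo.

```cpp
#include <climits>
#include <cstdint>
#include <optional>

// Constructed stand-in for a Blink-style integer rectangle: origin plus
// size, all 32-bit signed ints. The layout is an assumption for this
// demo, not the Blink source.
struct Rect {
    int x;
    int y;
    int width;
    int height;
};

// What the crashing accessor is assumed to compute: x + width. Written
// through int64_t so the demo itself stays well-defined; the truncating
// cast yields the same wrapped value the plain int addition produces in
// practice, and UBSAN flags that plain addition as signed overflow.
int maxXWrapping(const Rect& r) {
    int64_t wide = static_cast<int64_t>(r.x) + static_cast<int64_t>(r.width);
    return static_cast<int>(wide);  // wraps modulo 2^32 for out-of-range sums
}

// Checked variant: refuse to produce a right edge that does not fit in int.
// Both directions are guarded because width may be negative in an
// unvalidated rect.
std::optional<int> maxXChecked(const Rect& r) {
    if (r.width > 0 && r.x > INT_MAX - r.width) return std::nullopt;
    if (r.width < 0 && r.x < INT_MIN - r.width) return std::nullopt;
    return r.x + r.width;  // cannot overflow after the guards above
}

// Saturating variant: clamp to the representable range instead of failing.
// Geometry code often prefers this because a clamped edge is still a valid
// coordinate and no caller has to grow an error path.
int maxXSaturated(const Rect& r) {
    if (r.width > 0 && r.x > INT_MAX - r.width) return INT_MAX;
    if (r.width < 0 && r.x < INT_MIN - r.width) return INT_MIN;
    return r.x + r.width;
}

// Classifies an input the way a sanitizer-instrumented harness would:
// true when the plain x + width addition would overflow.
bool overflowsOnMaxX(const Rect& r) {
    return !maxXChecked(r).has_value();
}

int main() {
    // Constructed inputs: a benign rect and one whose origin sits near
    // INT_MAX, the kind of coordinate layout reaches with very large offsets.
    const Rect benign{10, 20, 300, 200};
    const Rect edge{INT_MAX - 5, 0, 10, 10};
    return (maxXWrapping(benign) == 310 && overflowsOnMaxX(edge)) ? 0 : 1;
}
```

Building a variant that adds `r.x + r.width` directly as `int` with `-fsanitize=undefined` reproduces the "signed integer overflow" diagnostic the report's `linux_ubsan_chrome` job type refers to; the checked and saturating forms produce no diagnostic on the same inputs because no out-of-range addition is ever performed.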
 

Comment 1 by tkent@chromium.org, Feb 3 2017

Components: Blink>Layout
Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: szager
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3520351e84d8d16b06d3f09a109f1296ec620c23
Time: Tue Dec 13 04:17:07 2016
Files IntersectionObserver.cpp, IntersectionObserverController.cpp are changed in this cl (and are part of stack frame #3, "blink::IntersectionObserver::deliver")
Minimum distance from crash line to modified line: 8. (file: IntersectionObserverController.cpp, crashed on: 86, modified: 94). 

Author: haraken
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7b372233ed3d9859e1204aa3a9af7f5f9bb32a56
Time: Mon Dec 12 04:30:37 2016
File IntersectionObserverController.cpp is changed in this cl (and is part of stack frame #4, "blink::IntersectionObserverController::deliverIntersectionObservations")
Minimum distance from crash line to modified line: 12. (file: IntersectionObserverController.cpp, crashed on: 86, modified: 98). 

Author: szager
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/389cf84d79f9dd6d2d7ad49cce34e9e38b578804
Time: Tue Dec 13 03:49:55 2016
File IntersectionObserverController.cpp is changed in this cl (and is part of stack frame #4, "blink::IntersectionObserverController::deliverIntersectionObservations")
Minimum distance from crash line to modified line: 15. (file: IntersectionObserverController.cpp, crashed on: 68, modified: 53).

@szager -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank you.
Owner: skyos...@chromium.org
This is in the frame-throttling code; reassigning to Sami.

Comment 4 by ClusterFuzz, Mar 5 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5019781658050560 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
