Integer-overflow in blink::IntRect::inflateX
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6353961885106176
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::IntRect::inflateX
  inflate
  paintComplexOutline
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94QEeV4iII3F_ci4F56JiVovULagFedMb1DK9CQySkVxGkl_Tc0Zp9WPTfGJ-86upPffWWTeRP-3ZObD8_ifYkRrWkmVCKviMsTioUuLZOVoYMCYA3VEGYXX-IYsmtgDbM1tm14WqWtHiVSGt4EJcbjgL5r7g?testcase_id=6353961885106176

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 10 2017
I'm not really sure what to fix here; the issue appears to have been there before my patch? Also, the test case doesn't actually reproduce the call stack described in the report. This looks invalid to me.
Mar 13 2017
Mar 21 2017
Mar 31 2017
Could someone please take a look and close it if it is not feasible? Thank you.
Mar 31 2017
For now we don't check for overflow of integer geometry. This doesn't have any security issue.
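The report is a UBSan signed-integer-overflow finding in IntRect::inflateX reached via inflate from paintComplexOutline, and the comment above says integer geometry is not overflow-checked. The following is an added example, not Blink's code: a minimal IntRect with an unchecked inflateX() of the shape the report describes, a probe that uses the GCC/Clang overflow builtins to say whether a call would overflow (the condition UBSan flags at runtime), and a saturating variant as one possible hardening. The struct and function names are assumptions for illustration, not Blink's API.

```cpp
// Added example, not Blink's code: an integer rect whose inflateX() does
// unchecked signed arithmetic, plus an overflow probe and a saturating variant.
#include <climits>
#include <cstdint>
#include <iostream>

struct IntRect {
    int x = 0, y = 0, width = 0, height = 0;
};

// Unchecked, in the shape of the geometry code the report is about:
// "width += 2*dx" and "x -= dx" are plain signed arithmetic with no range
// check, so a large dx is undefined behaviour (what UBSan reports).
// Only call this after inflateXWouldOverflow() says the operands are safe.
void inflateXUnchecked(IntRect& r, int dx) {
    r.x -= dx;
    r.width += 2 * dx;
}

// Report whether inflateXUnchecked(r, dx) would overflow, without performing
// the overflowing operation. __builtin_*_overflow exist in GCC and Clang.
bool inflateXWouldOverflow(const IntRect& r, int dx) {
    int twice = 0, newX = 0, newWidth = 0;
    return __builtin_mul_overflow(2, dx, &twice)
        || __builtin_sub_overflow(r.x, dx, &newX)
        || __builtin_add_overflow(r.width, twice, &newWidth);
}

// Clamp a 64-bit intermediate into int range (assumed hardening, not Blink's).
static int clampToInt(int64_t v) {
    if (v > INT_MAX) return INT_MAX;
    if (v < INT_MIN) return INT_MIN;
    return static_cast<int>(v);
}

// Saturating variant: compute in 64 bits so no step overflows, then clamp.
void inflateXSaturated(IntRect& r, int dx) {
    const int64_t dx64 = static_cast<int64_t>(dx);
    r.x = clampToInt(static_cast<int64_t>(r.x) - dx64);
    r.width = clampToInt(static_cast<int64_t>(r.width) + 2 * dx64);
}

int main() {
    // Constructed input: a rect whose width sits one below INT_MAX.
    IntRect big{0, 0, INT_MAX - 1, 1};
    std::cout << "would overflow: " << inflateXWouldOverflow(big, 1) << "\n";
    inflateXSaturated(big, 1);
    std::cout << "saturated: x=" << big.x << " width=" << big.width << "\n";
    return 0;
}
```

The probe is what a fuzzer-facing check looks like; the saturating version is the cheapest fix that keeps the result in range, at the cost of silently clamping geometry that callers might still need to reason about.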
Mar 31 2017
Comment 1 by msrchandra@chromium.org, Feb 20 2017
Labels: Test-Predator-Wrong
Owner: ka...@opera.com
Status: Assigned (was: Untriaged)