Issue 694475 link

Starred by 2 users

Issue metadata

Status:	WontFix
Owner:	tkent@chromium.org
Closed:	Feb 2017
Cc:	ifratric@google.com █ msrchandra@chromium.org
Components:	Blink>DOM
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	2
Type:	Bug
Reproducible Clusterfuzz Stability-UndefinedBehaviorSanitizer M-58 Test-Predator-Wrong-CLs

Integer-overflow in blink::Range::checkNodeWOffset

Project Member Reported by ClusterFuzz, Feb 21 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821894793789440

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::Range::checkNodeWOffset
  blink::DOMSelection::setBaseAndExtent
  setBaseAndExtentMethod
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=451698:451701

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94ZcYBwE5P0Ty6t-i4_pHxV6Ca79OhGfRVAwDvCo-cGIeQ-rE2i8Ru0kQR1HqLlEnaRuY18ZsM60rChaTT5Z4Ews70Cqc2QjhS3bWKFUczm6XQ1qa7K9as5p7JJLQSYFD_VgygR3OYZaMDXr6Goy15C8Eh0FyIHyxFW0gvq3H3Jggxx6OIP2RZuy4OjgKVCjC6yDL93eHnBLDnTn5ZxMYNm-n9CcjCy5tphDy_9VD7dLW9PoD9WgNlOlXC77d-XwJHWgshGLKprudk0CAHYJMM_wLC0qvTGwZk6UOTMSu3ryjqStlV65bKuntM0v11_cgXBfd-JJd2HFvpwNJCBB4-UH1xr7NC7sisDLtvsPTAaFaNAjGHlCEuG0NqmSnI6d4xFDpAFAC7A7-fD_mgK4iLVYyRooQ?testcase_id=4821894793789440


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Feb 21 2017

Cc: msrchandra@chromium.org
Components: Blink>DOM
Labels: Test-Predator-Wrong-CLs M-58
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)

Predator and CL did not provide any possible suspects.
Using Code Search for the file, "third_party/WebKit/Source/core/dom/Range.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/f5558c7534d4d34c0848d692432e7f0a919eb247

@tkent -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Project Member

Comment 2 by ClusterFuzz, Feb 22 2017

ClusterFuzz has detected this issue as fixed in range 451738:451747.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4821894793789440

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::Range::checkNodeWOffset
  blink::DOMSelection::setBaseAndExtent
  setBaseAndExtentMethod
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=451698:451701
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=451738:451747

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94ZcYBwE5P0Ty6t-i4_pHxV6Ca79OhGfRVAwDvCo-cGIeQ-rE2i8Ru0kQR1HqLlEnaRuY18ZsM60rChaTT5Z4Ews70Cqc2QjhS3bWKFUczm6XQ1qa7K9as5p7JJLQSYFD_VgygR3OYZaMDXr6Goy15C8Eh0FyIHyxFW0gvq3H3Jggxx6OIP2RZuy4OjgKVCjC6yDL93eHnBLDnTn5ZxMYNm-n9CcjCy5tphDy_9VD7dLW9PoD9WgNlOlXC77d-XwJHWgshGLKprudk0CAHYJMM_wLC0qvTGwZk6UOTMSu3ryjqStlV65bKuntM0v11_cgXBfd-JJd2HFvpwNJCBB4-UH1xr7NC7sisDLtvsPTAaFaNAjGHlCEuG0NqmSnI6d4xFDpAFAC7A7-fD_mgK4iLVYyRooQ?testcase_id=4821894793789440


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 3 by tkent@chromium.org, Feb 22 2017

Status: WontFix (was: Assigned)

►

Issue 694475 link

Issue metadata

Integer-overflow in blink::Range::checkNodeWOffset

Issue description

Comment 1 by msrchandra@chromium.org, Feb 21 2017

Comment 1 Deleted

Comment 2 by ClusterFuzz, Feb 22 2017

Comment 2 Deleted

Comment 3 by tkent@chromium.org, Feb 22 2017

Comment 3 Deleted

Sign in to add a comment