Issue 704500 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	szager@chromium.org
Closed:	Mar 2017
Cc:	█ msrchandra@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	2
Type:	Bug
Reproducible Clusterfuzz Stability-UndefinedBehaviorSanitizer M-58 Test-Predator-Correct-CLs

Integer-overflow in blink::cornerRect

Project Member Reported by ClusterFuzz, Mar 23 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5786599989444608

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::cornerRect
  blink::PaintLayerScrollableArea::resizerCornerRect
  blink::ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=446721:447186

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94z2ZIqPjBGfrTbB5GQDiL3Z3q-Cv-DY1627GvmqaSJ7zOQixdvaFB86-c86Y4oVwHAhf7KqU-fiN5WY3cQZOgsc6WsaPaFOVo1mNWirFVfjIeWi2zGnHx5kuivQfv8IgcfEKJ9JCztTmozjTc64Zqj7TKJr6rJE3wYrxQfi2qnx470Vv5hhoQ2hQ8AS_onYCn-T73Psw8tJKemuNownKjJsKvVhaqo5Pub0YUR33SGvLpSOUf_RJdMXO05pUB73BRnwFHkvB8arRhZvm3SbhuqEHvSCIYEfrX6DOVFdGWU_NQ8752AiSttBUtaycV4qi0WEut2biBGQ0E7B1Hgamj9bMKzUQpB5wAAhCgETFSeoORVRZDS9jreW8tS1LEqU3xV4MzvtE199h6Qg7EEpyB8VQa42g?testcase_id=5786599989444608


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Mar 23 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-58
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)

Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: szager
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/a84f6044bfe3bc52dde4c2cdddbbc92be1b56ab1
Time: Mon Jan 30 23:56:54 2017
Lines 195, 985-989 of file ScrollingCoordinator.cpp which potentially caused crash are changed in this cl (frame #2, "blink::ScrollingCoordinator::computeShouldHandleScrollGestureOnMainThreadRegion"; frame #3, "blink::ScrollingCoordinator::updateAfterCompositingChangeIfNeeded"). 

Files FrameView.cpp, PaintLayerScrollableArea.cpp are changed in this cl (and is part of stack frame #4, "blink::FrameView::updateLifecyclePhasesInternal")
Minimum distance from crash line to modified line: 0. (file: ScrollingCoordinator.cpp, crashed on: 195, modified: 195).

@szager -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by pdr@chromium.org, Mar 23 2017

Status: WontFix (was: Assigned)

Stefan and I looked at this and we do not think it is a security bug, nor a bug that would occur on real pages with non-planet-sized scrollers.

►

Issue 704500 link

Issue metadata

Integer-overflow in blink::cornerRect

Issue description

Comment 1 by msrchandra@chromium.org, Mar 23 2017

Comment 1 Deleted

Comment 2 by pdr@chromium.org, Mar 23 2017

Comment 2 Deleted

Sign in to add a comment