
Issue 722019

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug


Int-divide-by-zero in blink::LayoutMultiColumnSet::PageRemainingLogicalHeightForOffset

Project Member Reported by ClusterFuzz, May 13 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4704511791988736

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Int-divide-by-zero
Crash Address: 0x00000000
Crash State:
  blink::LayoutMultiColumnSet::PageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::PageRemainingLogicalHeightForOffset
  blink::LayoutBox::PageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=456190:456233

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4704511791988736


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, May 13 2017

Labels: M-60
Project Member

Comment 2 by sheriffbot@chromium.org, May 13 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, May 13 2017

Labels: Pri-1

Comment 4 by aarya@google.com, May 15 2017

Cc: mbarbe...@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-High Type-Bug
Divide by zero is not a security issue. We need to fix parsing signature in ClusterFuzz. Marty, can you fix it?
Project Member

Comment 5 by bugdroid1@chromium.org, May 15 2017

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/clusterfuzz/+/5718568c459fb8c66bf3b78c46996c93687736a4

commit 5718568c459fb8c66bf3b78c46996c93687736a4
Author: Martin Barbella <mbarbella@chromium.org>
Date: Mon May 15 17:10:46 2017

Comment 7 by ajha@chromium.org, May 22 2017

mbarbella@: Could you please close the issue if there is no further work to be done here?

Note: Unable to access the detailed report link https://clusterfuzz.com/v2/testcase-detail/4704511791988736?noredirect=1 from C#0.

Comment 8 by ajha@chromium.org, May 23 2017

Cc: -mbarbe...@chromium.org
Owner: mbarbe...@chromium.org
Status: Assigned (was: Untriaged)
Just to update, M-60 gets branched in 2 days' time (05/25) and it would be good to have this or any Beta blocker resolved before the branch point.

Assigning to Martin to close this if no further work to be done here.

Thanks in advance!

Note: M-60 will probably be promoted to Beta in the first week of June.

Labels: -ReleaseBlock-Beta -Security_Impact-Head -M-60
Owner: ----
Status: Untriaged (was: Assigned)
There's still a bug in chrome, my fix above was just for the issue in ClusterFuzz that caused it to be marked as a security issue. That said, this definitely doesn't need to be a release blocker. I should have removed that when I initially flipped the flags around.
Project Member

Comment 10 by ClusterFuzz, Jun 22 2017

Status: WontFix (was: Untriaged)
ClusterFuzz testcase 4704511791988736 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
