Issue 743127

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




Integer-overflow in blink::LayoutTableSection::DistributeRemainingExtraLogicalHeight

Project Member Reported by ClusterFuzz, Jul 14 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4792057312051200

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutTableSection::DistributeRemainingExtraLogicalHeight
  blink::LayoutTableSection::DistributeExtraLogicalHeightToRows
  blink::LayoutTable::DistributeExtraLogicalHeight
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=425398:425442

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4792057312051200


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: M-61 Test-Predator-Correct-CLs
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7a651c67dd9441867ff84657bd13e97df69bbe3f
Time: Fri Oct 14 19:24:22 2016
Lines 701-705 of file LayoutTable.cpp which potentially caused crash are changed in this cl (frame #3, "blink::LayoutTable::GetLayout").
Minimum distance from crash line to modified line: 0. (file: LayoutTable.cpp, crashed on: 701, modified: 701).

@mstensho -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by msten...@opera.com, Jul 19 2017

Cc: msten...@opera.com e...@chromium.org
Status: Available (was: Assigned)
I don't feel responsible for this. Besides, are we really supposed to handle non-security integer overflows?
Comment 3 by ClusterFuzz (Project Member), Oct 1 2017

Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 4 by msten...@opera.com, Oct 12 2017

Owner: ----

Comment 5 by msten...@opera.com, Oct 12 2017

Status: Untriaged (was: Available)
Labels: -Test-Predator-Correct-CLs -M-61 M-62 Test-Predator-Wrong-CLs CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue?
Thank You.

Comment 7 by e...@chromium.org, Oct 13 2017

Components: -Blink>Layout Blink>Layout>Table
Labels: -Pri-2 Pri-3
Status: Available (was: Untriaged)
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Comment 9 by ClusterFuzz (Project Member), Apr 18 2018

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=4792057312051200

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::LayoutTableSection::DistributeRemainingExtraLogicalHeight
  blink::LayoutTableSection::DistributeExtraLogicalHeightToRows
  blink::LayoutTable::DistributeExtraLogicalHeight
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=425398:425442
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4792057312051200

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by e...@chromium.org, Apr 18 2018

Status: WontFix (was: Available)
Issue 836662 has been merged into this issue.

Comment 12 by ClusterFuzz (Project Member), Apr 25 2018

Labels: Needs-Feedback
ClusterFuzz testcase 5126523389214720 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Issue 836772 has been merged into this issue.