Issue 752758

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

PaintShader deserialization crash

Reported by ClusterFuzz (Project Member), Aug 5 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5682350813085696

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e9000047d3
Crash State:
  __cxxabiv1::failed_throw
  cc::PaintOpReader::Read
  cc::DrawRectOp::Deserialize
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=491858:491939

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5682350813085696


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by enne@chromium.org, Aug 7 2017

Cc: enne@chromium.org
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
Summary: PaintShader deserialization crash (was: Abrt in __cxxabiv1::failed_throw)

Comment 2 by enne@chromium.org, Aug 21 2017

Labels: -Pri-1 Pri-2
Comment 3 by bugdroid1@chromium.org, Aug 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/540e20642a6ad79f5d6a64ff2d1399a9f155ec6a

commit 540e20642a6ad79f5d6a64ff2d1399a9f155ec6a
Author: Adrienne Walker <enne@chromium.org>
Date: Wed Aug 23 17:59:14 2017

Fix PaintShader serialization size overflow

If the number of colors requested was so large that multiplying into
bytes would overflow, it would still attempt to read them.  Fix this
by adding more checks.

Bug: 752758
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ibf8d5f068d50a9b473a9048efc24535f25074b48
Reviewed-on: https://chromium-review.googlesource.com/627025
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Commit-Queue: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496733}
[modify] https://crrev.com/540e20642a6ad79f5d6a64ff2d1399a9f155ec6a/cc/paint/paint_op_reader.cc
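The overflow described in the commit message above, as an added example that is not Chromium's code: a naive 32-bit byte-size computation lets a huge colour count wrap past a buffer check, while a reader that bounds the count by the remaining bytes before multiplying rejects the same input. The record layout (`u32 count` followed by `count` 32-bit colours) and the function names are assumptions for illustration, not cc::PaintOpReader's format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Naive size computation in 32-bit arithmetic, the pattern the commit message
// describes: a huge colour count wraps the byte product and passes a check it
// should fail (0x40000001 * 4 == 0x100000004, which truncates to 4).
bool NaiveSizeCheckPasses(uint32_t color_count, size_t remaining) {
  uint32_t bytes = color_count * static_cast<uint32_t>(sizeof(uint32_t));
  return bytes <= remaining;
}

// Hardened reader for a "[u32 count][count x u32 colour]" record (hypothetical
// layout, not the real paint-op wire format). The count is bounded by what the
// buffer can actually hold *before* any multiplication happens, so the product
// can never overflow and a truncated payload is rejected instead of read.
std::optional<std::vector<uint32_t>> ReadColors(const std::vector<uint8_t>& buf) {
  const uint8_t* data = buf.data();
  size_t remaining = buf.size();
  if (remaining < sizeof(uint32_t)) return std::nullopt;  // no room for header
  uint32_t count;
  std::memcpy(&count, data, sizeof(count));
  data += sizeof(count);
  remaining -= sizeof(count);
  // Division cannot overflow; this is the check the naive multiply gets wrong.
  if (count > remaining / sizeof(uint32_t)) return std::nullopt;
  std::vector<uint32_t> colors(count);
  if (count != 0) std::memcpy(colors.data(), data, count * sizeof(uint32_t));
  return colors;
}

// Constructed test input: a header claiming `claimed_count` colours followed by
// whatever colours are actually supplied (fewer than claimed for a bad record).
std::vector<uint8_t> MakeBuffer(uint32_t claimed_count,
                                const std::vector<uint32_t>& colors) {
  std::vector<uint8_t> buf(sizeof(uint32_t) * (1 + colors.size()));
  std::memcpy(buf.data(), &claimed_count, sizeof(claimed_count));
  if (!colors.empty()) {
    std::memcpy(buf.data() + sizeof(uint32_t), colors.data(),
                colors.size() * sizeof(uint32_t));
  }
  return buf;
}
```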

Comment 4 by ClusterFuzz, Aug 24 2017

ClusterFuzz has detected this issue as fixed in range 496716:496775.

Detailed report: https://clusterfuzz.com/testcase?key=5682350813085696

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e9000047d3
Crash State:
  __cxxabiv1::failed_throw
  cc::PaintOpReader::Read
  cc::DrawRectOp::Deserialize
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=491858:491939
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=496716:496775

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5682350813085696

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz, Aug 24 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5682350813085696 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.