Issue metadata
Stack-buffer-overflow in test_runner::EventSender::SendCurrentTouchEvent
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6171791172304896
Fuzzer: inferno_layout_test_fuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Stack-buffer-overflow WRITE {*}
Crash Address: 0x1839bb20
Crash State:
  test_runner::EventSender::SendCurrentTouchEvent
  test_runner::EventSenderBindings::TouchStart
  base::internal::Invoker<base::internal::BindState<bool
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6171791172304896

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 14 2017
,
Sep 15 2017
hiroshige: Can you please take a look? Thanks.
,
Sep 21 2017
What is the context for assigning to me? I'm not familiar with the code that appears in the stack trace.
,
Sep 26 2017
Test runner only issue, assigning to mustaq@ who seems to have fixed stuff in this code.
,
Sep 27 2017
Ella, could you please take a look?
,
Sep 27 2017
The test refreshes every 2 seconds and adds 2 touch points each time. It crashes on EventSender::SendCurrentTouchEvent's DCHECK: touch_point_.size() reaches kTouchesLengthCap (16). Is that expected?
,
Sep 27 2017
Refreshing every two seconds is not a realistic layout test scenario. But just for the sake of preventing the buffer overflow, let's prevent adding touch points beyond kTouchesLengthCap.
,
Sep 27 2017
Change the dcheck on https://cs.chromium.org/chromium/src/content/shell/test_runner/event_sender.cc?q=event_sender.cc&sq=package:chromium&l=2281 to be:

  if (touches_.size() > WebTouchEvent::kTouchesLengthCap) {
    args->ThrowError();
    return;
  }
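The failure mode discussed in this thread, and the shape of the fix, as an added C++ example. This is not Chromium's event_sender.cc: TouchSender, TouchEventBuffer, SendCurrentDcheckOnly and the two Replay helpers are hypothetical stand-ins for the EventSender, the fixed-size touches array of a WebTouchEvent and the fuzzer's "reload and add two points" loop. The cap of 16 is the value stated above. The model assumes a release-style build in which the DCHECK is compiled out (`dchecks_enabled == false`); the writes that would land past the array are counted rather than performed, so the block is safe to run.

```cpp
// Added example, not Chromium code. Models the touch-point accumulation in
// test_runner's EventSender and the bounds check the fix introduced.
#include <cstddef>
#include <vector>

// Value taken from the thread; the real constant lives on WebTouchEvent.
constexpr std::size_t kTouchesLengthCap = 16;

struct TouchPoint {
  int id;
  float x;
  float y;
};

// Hypothetical stand-in for the fixed-size touches array inside a WebTouchEvent
// (a stack object in the real code, hence "stack-buffer-overflow").
struct TouchEventBuffer {
  TouchPoint touches[kTouchesLengthCap];
  std::size_t touches_length = 0;
};

// Outcome of a send, so the caller can tell the three cases apart.
enum class SendResult { kOk, kDcheckFailed, kOverflowed };

class TouchSender {
 public:
  // Before the fix: nothing stops the page from accumulating more than
  // kTouchesLengthCap points (the fuzzer's page added two per reload).
  void AddTouchPointUnchecked(TouchPoint p) { touch_points_.push_back(p); }

  // After the fix: refuse the 17th point at insertion time. The real code
  // throws a JavaScript error back to the test page here.
  bool AddTouchPointChecked(TouchPoint p) {
    if (touch_points_.size() >= kTouchesLengthCap) return false;
    touch_points_.push_back(p);
    return true;
  }

  // Models the original SendCurrentTouchEvent: a DCHECK, then an unconditional
  // copy. `dchecks_enabled` stands for a debug build; in a release build the
  // DCHECK is compiled out, so the copy proceeds and entries 17..n would land
  // past the end of out->touches. Those writes are counted in *oob_writes
  // instead of performed; each count is one write ASan would report.
  SendResult SendCurrentDcheckOnly(TouchEventBuffer* out, bool dchecks_enabled,
                                   std::size_t* oob_writes) const {
    *oob_writes = 0;
    if (dchecks_enabled && touch_points_.size() > kTouchesLengthCap)
      return SendResult::kDcheckFailed;  // debug build aborts here, before any write
    for (std::size_t i = 0; i < touch_points_.size(); ++i) {
      if (i < kTouchesLengthCap)
        out->touches[i] = touch_points_[i];
      else
        ++*oob_writes;  // would be out->touches[i] = ...: stack-buffer-overflow WRITE
    }
    out->touches_length = touch_points_.size();  // also wrong: claims more than fit
    return *oob_writes == 0 ? SendResult::kOk : SendResult::kOverflowed;
  }

  std::size_t size() const { return touch_points_.size(); }

 private:
  std::vector<TouchPoint> touch_points_;
};

// Replays the fuzzer's pattern through the unfixed path: `reloads` page loads,
// each adding two touch points and sending. Returns the number of out-of-bounds
// writes the final send would have made; *last receives its result.
std::size_t ReplayUnchecked(int reloads, bool dchecks_enabled, SendResult* last) {
  TouchSender sender;
  TouchEventBuffer buf;
  std::size_t oob = 0;
  for (int r = 0; r < reloads; ++r) {
    sender.AddTouchPointUnchecked({2 * r, 10.f * r, 0.f});
    sender.AddTouchPointUnchecked({2 * r + 1, 10.f * r, 5.f});
    *last = sender.SendCurrentDcheckOnly(&buf, dchecks_enabled, &oob);
  }
  return oob;
}

// Same pattern through the fixed insertion path. Returns how many adds were
// rejected; *final_size receives the number of points actually retained.
std::size_t ReplayChecked(int reloads, std::size_t* final_size) {
  TouchSender sender;
  std::size_t rejected = 0;
  for (int r = 0; r < reloads; ++r) {
    if (!sender.AddTouchPointChecked({2 * r, 10.f * r, 0.f})) ++rejected;
    if (!sender.AddTouchPointChecked({2 * r + 1, 10.f * r, 5.f})) ++rejected;
  }
  *final_size = sender.size();
  return rejected;
}
```

Eight reloads (16 points) send cleanly on every path; the ninth takes the unfixed path to 18 points, which a debug build stops at the DCHECK and a release build turns into two writes past the array. With the insertion-time check the ninth reload's two adds are rejected and the sender never holds more than 16, so the copy in the send path stays in bounds regardless of build type.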
,
Sep 28 2017
(input crash in test runner, not layout related. moving to Blink>Infra)
,
Sep 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f69b51b142b5285a4687074d6eb86908284bc84f

commit f69b51b142b5285a4687074d6eb86908284bc84f
Author: Ella Ge <eirage@chromium.org>
Date: Thu Sep 28 16:30:45 2017

Do not add touchpoint when reach kTouchesLengthCap

In this CL, we throw an error in EventSender::AddTouchPoint to prevent touch_point_.size() from exceeding kTouchesLengthCap.

Bug: 764921
Change-Id: Ifbb8db421f1a523e91a845284656b17d6269bb40
Reviewed-on: https://chromium-review.googlesource.com/687809
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505047}

[modify] https://crrev.com/f69b51b142b5285a4687074d6eb86908284bc84f/content/shell/test_runner/event_sender.cc
,
Sep 28 2017
,
Sep 29 2017
ClusterFuzz has detected this issue as fixed in range 505032:505082.

Detailed report: https://clusterfuzz.com/testcase?key=6171791172304896
Fuzzer: inferno_layout_test_fuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Stack-buffer-overflow WRITE {*}
Crash Address: 0x18d5bd40
Crash State:
  test_runner::EventSender::SendCurrentTouchEvent
  test_runner::EventSenderBindings::TouchStart
  base::internal::Invoker<base::internal::BindState<bool
Sanitizer: address (ASAN)
Recommended Security Severity: High
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=505032:505082
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6171791172304896

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 29 2017
ClusterFuzz testcase 6171791172304896 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 29 2017
,
Jan 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Sep 14 2017