Integer-overflow in blink::LineWidth::WrapNextToShapeOutside

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6303469396033536
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::LineWidth::WrapNextToShapeOutside
  blink::LineWidth::FitBelowFloats
  blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=379622:379730
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6303469396033536

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 6 2017
That CL renamed enums, it did not change behaviour. Please look further in history.
Oct 23 2017
Unable to provide possible suspect using Predator, CL and Code Search. Could someone please look into the issue. Thank You.
Oct 25 2017
eae@, can you please look into this issue if possible? Thank you in advance!
Feb 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/43a5cd79fe73e334515f0ef0a55dbf670f133923

commit 43a5cd79fe73e334515f0ef0a55dbf670f133923
Author: Emil A Eklund <eae@chromium.org>
Date: Tue Feb 27 19:19:00 2018

Prevent overflow in LayoutUnit operator++

Bug: 772263
Test: Source/platform/LayoutUnitTest.cpp
Change-Id: I470b0dd4ce654c777d178dba077e523d3748b926
Reviewed-on: https://chromium-review.googlesource.com/938850
Reviewed-by: Justin Schuh <jschuh@chromium.org>
Commit-Queue: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539518}

[modify] https://crrev.com/43a5cd79fe73e334515f0ef0a55dbf670f133923/third_party/WebKit/Source/platform/LayoutUnit.h
[modify] https://crrev.com/43a5cd79fe73e334515f0ef0a55dbf670f133923/third_party/WebKit/Source/platform/LayoutUnitTest.cpp
Feb 27 2018
Feb 28 2018
ClusterFuzz has detected this issue as fixed in range 539517:539518.

Detailed report: https://clusterfuzz.com/testcase?key=6303469396033536
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::LineWidth::WrapNextToShapeOutside
  blink::LineWidth::FitBelowFloats
  blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=379622:379730
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=539517:539518
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6303469396033536

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2018
ClusterFuzz testcase 6303469396033536 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by pnangunoori@chromium.org, Oct 6 2017
Components: Blink>Layout
Labels: M-62 Test-Predator-Correct
Owner: danakj@chromium.org
Status: Assigned (was: Untriaged)