Bad-cast to blink::LayoutTableRow from blink::LayoutTableCell in blink::ToLayoutTableRow
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5123474306367488

Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7fbf97e8ab40
Crash State:
  Bad-cast to blink::LayoutTableRow from blink::LayoutTableCell
  blink::ToLayoutTableRow
  blink::LayoutTableCell::RowIndex

Sanitizer: cfi (CFI)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=534174:534200

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5123474306367488

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Feb 4 2018
Feb 5 2018
Feb 5 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 5 2018
Feb 5 2018
Indeed looks like fallout from https://chromium-review.googlesource.com/c/chromium/src/+/900044
Feb 5 2018
Issue 808954 has been merged into this issue.
Feb 5 2018
Issue 808852 has been merged into this issue.
Feb 5 2018
Issue 808790 has been merged into this issue.
Feb 5 2018
Issue 808788 has been merged into this issue.
Feb 5 2018
Issue 808784 has been merged into this issue.
Feb 5 2018
Issue 808781 has been merged into this issue.
Feb 5 2018
Feb 5 2018
Issue 808768 has been merged into this issue.
Feb 5 2018
Feb 5 2018
Feb 5 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0dd7c6ae3b1ec83b34931cfcb05a60d4a86e103c

commit 0dd7c6ae3b1ec83b34931cfcb05a60d4a86e103c
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Mon Feb 05 22:29:24 2018

Revert "[PE] Recompute overflow for tables"

This reverts commit bc976225e037d9f9ed5cf135bcd16a1187a30d42.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> [PE] Recompute overflow for tables
>
> A previous refactor accidentally omitted delegation to the
> parent class when recomputing overflow for LayoutTable.
>
> Bug: 807900
>
> Change-Id: I68c415de59162a29b642ad697e7b8ab8dc19f530
> Reviewed-on: https://chromium-review.googlesource.com/900044
> Reviewed-by: Stephen Chenney <schenney@chromium.org>
> Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#534175}

TBR=chrishtr@chromium.org,schenney@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 807900, 808876
Change-Id: I9a0b6ca4dd8ae3d80990b754b997aa9cd4beb0c5
Reviewed-on: https://chromium-review.googlesource.com/902502
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534510}

[modify] https://crrev.com/0dd7c6ae3b1ec83b34931cfcb05a60d4a86e103c/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/0dd7c6ae3b1ec83b34931cfcb05a60d4a86e103c/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp
Feb 5 2018
Users experienced this crash on the following builds:

Win Canary 66.0.3339.0 - 3.01 CPM, 57 reports, 51 clients (signature blink::LayoutTableSection::RecalcOverflowAfterStyleChange)
Mac Canary 66.0.3340.0 - 4.18 CPM, 6 reports, 6 clients (signature blink::LayoutTableSection::RecalcOverflowAfterStyleChange)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Feb 5 2018
Feb 6 2018
ClusterFuzz testcase 4653400235704320 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 6 2018
ClusterFuzz has detected this issue as fixed in range 534497:534516.

Detailed report: https://clusterfuzz.com/testcase?key=5123474306367488

Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7fbf97e8ab40
Crash State:
  Bad-cast to blink::LayoutTableRow from blink::LayoutTableCell
  blink::ToLayoutTableRow
  blink::LayoutTableCell::RowIndex

Sanitizer: cfi (CFI)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=534174:534200
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=534497:534516

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5123474306367488

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/242dbc9f7b63cd54f90d3559cc08040198f7a9c8

commit 242dbc9f7b63cd54f90d3559cc08040198f7a9c8
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Tue Feb 06 20:37:40 2018

[PE] Re-land: Recompute overflow for tables

This is a re-land of commit bc976225e037d9f9ed5cf135bcd16a1187a30d42,
which had a type-casting bug due to failure to override child overflow
recursion. The new patch also includes a test adjustment and DCHECK to
avoid such security bugs.

Bug: 807900, 808876
Change-Id: I9210cf48b25ca255ceccd955fd4699e76620f90f
Reviewed-on: https://chromium-review.googlesource.com/902763
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534785}

[modify] https://crrev.com/242dbc9f7b63cd54f90d3559cc08040198f7a9c8/third_party/WebKit/Source/core/layout/LayoutBlock.cpp
[modify] https://crrev.com/242dbc9f7b63cd54f90d3559cc08040198f7a9c8/third_party/WebKit/Source/core/layout/LayoutBlock.h
[modify] https://crrev.com/242dbc9f7b63cd54f90d3559cc08040198f7a9c8/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/242dbc9f7b63cd54f90d3559cc08040198f7a9c8/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp
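As an added illustration of the bug class the re-land commit describes (an editor-written example, not Blink's code and not the patch itself): a generic child recursion that does not stop at the per-class boundary hands a LayoutTableCell to a cast that expects a LayoutTableRow. The class names are borrowed from the crash state for readability; the tree shape, the two walks and the checked ToLayoutTableRow helper below are assumptions about the general pattern, not Blink's real RecalcOverflow logic.

```cpp
// Added illustration, not Blink code. Names mirror the crash state so the
// reader can map the two; the structures and the walks are assumptions.
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <vector>

enum class Kind { kTable, kSection, kRow, kCell, kBlock };

// Minimal layout-object tree: every node knows its kind, parent and children.
struct LayoutObject {
  LayoutObject(Kind k, LayoutObject* p) : kind(k), parent(p) {}
  virtual ~LayoutObject() = default;
  Kind kind;
  LayoutObject* parent;
  std::vector<std::unique_ptr<LayoutObject>> children;
};
struct LayoutTable : LayoutObject { explicit LayoutTable(LayoutObject* p) : LayoutObject(Kind::kTable, p) {} };
struct LayoutTableSection : LayoutObject { explicit LayoutTableSection(LayoutObject* p) : LayoutObject(Kind::kSection, p) {} };
struct LayoutTableRow : LayoutObject {
  explicit LayoutTableRow(LayoutObject* p) : LayoutObject(Kind::kRow, p) {}
  unsigned row_index = 0;  // the field RowIndex() wants to read
};
struct LayoutTableCell : LayoutObject { explicit LayoutTableCell(LayoutObject* p) : LayoutObject(Kind::kCell, p) {} };
struct LayoutBlock : LayoutObject { explicit LayoutBlock(LayoutObject* p) : LayoutObject(Kind::kBlock, p) {} };

template <typename T>
T* AddChild(LayoutObject* parent) {
  parent->children.push_back(std::make_unique<T>(parent));
  return static_cast<T*>(parent->children.back().get());
}

struct BadCast : std::runtime_error { using std::runtime_error::runtime_error; };

// Checked downcast, the stand-in for a DCHECK-backed ToLayoutTableRow(). With the
// DCHECK compiled out, a plain static_cast would read cell memory as a row; that
// is what a CFI cast check turns into a "Bad-cast" report. The check here is
// unconditional so the failure is observable in a test.
LayoutTableRow* ToLayoutTableRow(LayoutObject* o) {
  if (o == nullptr || o->kind != Kind::kRow) throw BadCast("Bad-cast to LayoutTableRow");
  return static_cast<LayoutTableRow*>(o);
}

// What a cell's RowIndex() amounts to: its parent is assumed to be a row.
unsigned RowIndex(LayoutObject* cell_like) { return ToLayoutTableRow(cell_like->parent)->row_index; }

// The "missing override" shape: a generic recursion that walks every descendant
// and treats each leaf as a cell. Once it descends into a block inside a cell,
// that block's parent is a cell, and the cell gets cast to a row.
unsigned SumRowIndicesGeneric(LayoutObject* o) {
  if (o->children.empty()) return RowIndex(o);
  unsigned sum = 0;
  for (auto& child : o->children) sum += SumRowIndicesGeneric(child.get());
  return sum;
}

// Table-aware version: only a row's direct children are cells and the walk never
// goes below a cell. This is the structural guarantee a per-class override gives.
unsigned SumRowIndicesTable(LayoutTable* table) {
  unsigned sum = 0;
  for (auto& section : table->children)
    for (auto& row : section->children)
      for (auto& cell : row->children)
        if (cell->kind == Kind::kCell) sum += RowIndex(cell.get());
  return sum;
}

// Constructed tree: table > section > { row 0 > cell, row 1 > cell > block }.
std::unique_ptr<LayoutTable> BuildTable() {
  auto table = std::make_unique<LayoutTable>(nullptr);
  auto* section = AddChild<LayoutTableSection>(table.get());
  auto* row0 = AddChild<LayoutTableRow>(section);
  row0->row_index = 0;
  AddChild<LayoutTableCell>(row0);
  auto* row1 = AddChild<LayoutTableRow>(section);
  row1->row_index = 1;
  auto* cell1 = AddChild<LayoutTableCell>(row1);
  AddChild<LayoutBlock>(cell1);  // content inside the cell; its parent is the cell
  return table;
}

// True when the generic walk trips the checked cast on the given tree.
bool GenericWalkHitsBadCast(LayoutObject* root) {
  try { SumRowIndicesGeneric(root); return false; }
  catch (const BadCast&) { return true; }
}

int main() {
  auto table = BuildTable();
  std::printf("generic walk bad-casts: %s\n", GenericWalkHitsBadCast(table.get()) ? "yes" : "no");
  std::printf("table-aware sum of row indices: %u\n", SumRowIndicesTable(table.get()));
  return 0;
}
```

On the constructed tree the generic walk reports a bad cast and the table-aware walk returns 1. The point for a reviewer is the commit's own fix shape: recursion that crosses a class boundary needs an override that knows what the children actually are, and the cast helper needs a check (the DCHECK the re-land adds) so that a future regression fails in a debug build before it reaches a CFI-instrumented fuzzer.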
Feb 7 2018
Issue 809139 has been merged into this issue.
Feb 8 2018
Feb 8 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2179fe0f9290d36b73ffc46f4e57ba665acbc880

commit 2179fe0f9290d36b73ffc46f4e57ba665acbc880
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Thu Feb 08 23:20:40 2018

[PE] Re-land: Recompute overflow for tables

This is a re-land of commit bc976225e037d9f9ed5cf135bcd16a1187a30d42,
which had a type-casting bug due to failure to override child overflow
recursion. The new patch also includes a test adjustment and DCHECK to
avoid such security bugs.

TBR=chrishtr@chromium.org

(cherry picked from commit 242dbc9f7b63cd54f90d3559cc08040198f7a9c8)

Bug: 807900, 808876
Change-Id: I9210cf48b25ca255ceccd955fd4699e76620f90f
Reviewed-on: https://chromium-review.googlesource.com/902763
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#534785}
Reviewed-on: https://chromium-review.googlesource.com/910093
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#395}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/2179fe0f9290d36b73ffc46f4e57ba665acbc880/third_party/WebKit/Source/core/layout/LayoutBlock.cpp
[modify] https://crrev.com/2179fe0f9290d36b73ffc46f4e57ba665acbc880/third_party/WebKit/Source/core/layout/LayoutBlock.h
[modify] https://crrev.com/2179fe0f9290d36b73ffc46f4e57ba665acbc880/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/2179fe0f9290d36b73ffc46f4e57ba665acbc880/third_party/WebKit/Source/core/layout/LayoutTableTest.cpp
Feb 12 2018
Feb 19 2018
I'm afraid this was also found internally within the reward exclusion time window.
Mar 27 2018
May 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 4 2018
Components: Blink>Layout>Table