Integer-overflow in zucchini::DisassemblerDex::MakeReadCodeToRelCode32
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6214099466452992
Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  zucchini::DisassemblerDex::MakeReadCodeToRelCode32
  unsigned int base::internal::Invoker<base::internal::BindState<zucchini::Disasse
  base::internal::Invoker<base::internal::BindState<zucchini::DisassemblerDex::Mak
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572200:572205
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214099466452992
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jul 10
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jul 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c87921042aae8f5fa594f96b33635ef76cfd1028

commit c87921042aae8f5fa594f96b33635ef76cfd1028
Author: Calder Kitagawa <ckitagawa@chromium.org>
Date: Wed Jul 11 14:55:44 2018

[Zucchini] Fix under/overflow bug in DEX

This bug was found by the fuzzer. If a large int32 value is present for a RelCode32 the result of mapping the location to its target results in integer overflow or underflow as found by UBSAN.

In the particular example found by the fuzzer a value of 1292632068 is read from the image. The result of |(1292632067 - 1) * kInstrUnitSize|, where |kInstrUnitSize = 2| results in an overflow.

This is only possible for RelCode32 so we only need the fix there. The solution is to check for overflow and if it occurs just to skip the reference. In a regular DEX file these should be very rare if ever present. I've tested the updated version on a subset of the corpus with no ill effects.

Bug: 862095
Change-Id: Ifedeeaf1ae7e72a147421ecb917ec1751f4bb8d4
Reviewed-on: https://chromium-review.googlesource.com/1131225
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574160}

[modify] https://crrev.com/c87921042aae8f5fa594f96b33635ef76cfd1028/components/zucchini/disassembler_dex.cc
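The arithmetic the commit message describes, as an added C++ illustration that is not zucchini's code: the function names, the signed 32-bit types and the use of the GCC/Clang overflow builtins are assumptions; only kInstrUnitSize = 2 and the operand value 1292632068 come from the commit, and the "skip the reference on overflow" outcome mirrors the strategy the fix took.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Hypothetical helper (not zucchini's code). A RelCode32 operand |rel| read
// from the DEX image, in instruction units, is mapped to a byte displacement
// via (rel - 1) * kInstrUnitSize and added to the instruction's location.
// Each step is overflow-checked; on overflow the reference is skipped
// (std::nullopt) instead of producing an out-of-range target.
constexpr int32_t kInstrUnitSize = 2;  // value named in the commit message

std::optional<int32_t> RelCode32ToTarget(int32_t location, int32_t rel) {
  int32_t units = 0;
  int32_t byte_delta = 0;
  int32_t target = 0;
  // (rel - 1): only INT32_MIN can underflow here.
  if (__builtin_sub_overflow(rel, 1, &units)) return std::nullopt;
  // (rel - 1) * kInstrUnitSize: the step UBSAN reported. For rel = 1292632068
  // the product 1292632067 * 2 exceeds INT32_MAX, so this returns nullopt.
  if (__builtin_mul_overflow(units, kInstrUnitSize, &byte_delta)) return std::nullopt;
  // location + byte_delta: the final target can also leave the int32 range.
  if (__builtin_add_overflow(location, byte_delta, &target)) return std::nullopt;
  return target;
}

// Counts how many operands in a list would be skipped for a given location.
int CountSkipped(const std::vector<int32_t>& rels, int32_t location) {
  int skipped = 0;
  for (int32_t rel : rels)
    if (!RelCode32ToTarget(location, rel)) ++skipped;
  return skipped;
}

int main() {
  // Constructed operands: two ordinary ones, the fuzzer's value, and INT32_MIN.
  const std::vector<int32_t> rels = {3, -3, 1292632068, INT32_MIN};
  for (int32_t rel : rels) {
    std::optional<int32_t> target = RelCode32ToTarget(0x1000, rel);
    if (target)
      std::printf("rel=%d -> target=%d\n", rel, *target);
    else
      std::printf("rel=%d -> overflow, reference skipped\n", rel);
  }
  std::printf("%d of %zu references skipped\n", CountSkipped(rels, 0x1000),
              rels.size());
  return 0;
}
```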
Jul 12
ClusterFuzz has detected this issue as fixed in range 574159:574161.
Detailed report: https://clusterfuzz.com/testcase?key=6214099466452992
Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  zucchini::DisassemblerDex::MakeReadCodeToRelCode32
  unsigned int base::internal::Invoker<base::internal::BindState<zucchini::Disasse
  base::internal::Invoker<base::internal::BindState<zucchini::DisassemblerDex::Mak
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=572200:572205
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=574159:574161
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214099466452992
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 12
ClusterFuzz testcase 6214099466452992 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jul 10
Labels: Test-Predator-Auto-Components