Issue 890480 link

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Integer-overflow in blink::IntRect::UniteEvenIfEmpty

Project Member Reported by ClusterFuzz, Sep 28

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5619494008127488

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::IntRect::UniteEvenIfEmpty
  blink::Element::BoundsInViewport
  blink::WebElement::BoundsInViewport
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=549059:549062

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5619494008127488

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Sep 28

Components: Blink>DOM Platform
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: kkaluri@chromium.org
Labels: Test-Predator-Wrong M-70
Owner: dtapu...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search on the file "element.cc", the CL below is suspected of having caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/fa3a008e47c1318f3e4f442a8bdd2367cfed97fc

dtapuska@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
Components: -Platform -Blink>DOM Blink>Layout
Owner: ----
Status: Untriaged (was: Assigned)
This is an overflow in the calculation of the height added to the offset.

Passing to the layout team since this hasn't changed in a while (and the regression range is when the blink code got renamed, so perhaps this was previously accepted as a known issue).
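As an added illustration of the overflow described above (this is not Blink's code nor code from the report): a minimal rect type with the same x/y/width/height shape as blink::IntRect, showing how the bottom edge (offset + height) overflows in plain int arithmetic, which is exactly the condition UBSan flags, next to a saturating unite that clamps instead. The rect values are constructed, and SaturatedAdd/SaturatedSub are hand-rolled stand-ins rather than Chromium's own helpers.

```cpp
#include <algorithm>
#include <climits>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for blink::IntRect: origin plus extent.
struct IntRect {
  int x, y, width, height;
};

// Reports whether computing any edge (offset + extent) of either rect would
// overflow a signed int. This is the check a UBSan build performs at runtime;
// here it is done explicitly with the compiler builtin.
bool UniteHasOverflow(const IntRect& a, const IntRect& b) {
  int unused;
  return __builtin_add_overflow(a.x, a.width, &unused) ||
         __builtin_add_overflow(a.y, a.height, &unused) ||
         __builtin_add_overflow(b.x, b.width, &unused) ||
         __builtin_add_overflow(b.y, b.height, &unused);
}

// Saturating arithmetic: compute in 64 bits and clamp to the int range, so an
// absurd geometry yields INT_MAX/INT_MIN rather than undefined behaviour.
int SaturatedAdd(int a, int b) {
  int64_t r = static_cast<int64_t>(a) + b;
  return r > INT_MAX ? INT_MAX : (r < INT_MIN ? INT_MIN : static_cast<int>(r));
}
int SaturatedSub(int a, int b) {
  int64_t r = static_cast<int64_t>(a) - b;
  return r > INT_MAX ? INT_MAX : (r < INT_MIN ? INT_MIN : static_cast<int>(r));
}

// Unite two rects (empty rects included, as in UniteEvenIfEmpty) using the
// saturating helpers for every offset + extent and edge - edge computation.
IntRect UniteSaturated(const IntRect& a, const IntRect& b) {
  int left = std::min(a.x, b.x);
  int top = std::min(a.y, b.y);
  int right = std::max(SaturatedAdd(a.x, a.width), SaturatedAdd(b.x, b.width));
  int bottom = std::max(SaturatedAdd(a.y, a.height), SaturatedAdd(b.y, b.height));
  return {left, top, SaturatedSub(right, left), SaturatedSub(bottom, top)};
}

int main() {
  // Constructed input: an offset of 2e9 plus a height of 2e9 exceeds INT_MAX.
  IntRect huge{0, 2000000000, 10, 2000000000}, small{0, 0, 1, 1};
  std::printf("plain int would overflow: %d\n", UniteHasOverflow(huge, small));
  IntRect u = UniteSaturated(huge, small);
  std::printf("saturated union: y=%d height=%d\n", u.y, u.height);
  return 0;
}
```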
Labels: CF-NeedsTriage
Unable to find an actual suspect through code search, and also observing no CLs in the regression range; hence adding the appropriate label and requesting someone from the Dev team to look into this issue.

Thanks!
Status: WontFix (was: Untriaged)
Non-security numeric overflows are considered WontFix.
Project Member

Comment 6 by ClusterFuzz, Oct 15

Labels: Needs-Feedback
ClusterFuzz testcase 5619494008127488 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Cc: e...@chromium.org hu...@vewd.com dtapu...@chromium.org
Issue 906322 has been merged into this issue.