New issue
Advanced search Search tips

Issue 918389 link

Starred by 2 users
Status: Available
Owner: ----
Cc:
ifratric@google.com
kkaluri@chromium.org
dgro...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

Integer-overflow in blink::TableLayoutAlgorithmAuto::ShrinkColumnWidth

Project Member Reported by ClusterFuzz, Jan 1 
Detailed report: https://clusterfuzz.com/testcase?key=5403193860947968

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::TableLayoutAlgorithmAuto::ShrinkColumnWidth
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5403193860947968

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

Comment 1 by kkaluri@chromium.org, Jan 3

Cc: kkaluri@chromium.org
Labels: M-72 Test-Predator-Wrong
Owner: dtapu...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file, "table_layout_algorithm_auto.cc" suspecting the below Cl might have caused this issue

Suspect CL: https://chromium.googlesource.com/chromium/src/+/86538ae95c8a83a58b74577954f088934240a579

dtapuska@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

Comment 2 by dtapu...@chromium.org, Jan 7

Components: Blink>Layout>Table
Owner: ----
Status: Untriaged (was: Assigned)
Looking at where the overflow is this isn't caused by my change. Over to the layout team to triage.

Comment 3 by kkaluri@chromium.org, Jan 8

Labels: CF-NeedsTriage
Could someone from layout team look into the issue.

Thank You...

Comment 4 by dgro...@chromium.org, Jan 8

Labels: -Pri-2 -CF-NeedsTriage Pri-3
Status: Available (was: Untriaged)
<style>
.class2 { -webkit-mask-repeat-y: inherit; -webkit-appearance: textarea;</style>
<table>
<colgroup class="class2"7+">ZAr\KavFE+Oq!p<col valign="middle" width="1073741824"</col>

table_layout_algorithm_auto.cc:890:30: runtime error: signed integer overflow: -33553420 * 33554428 cannot be represented in type 'int'

Sign in to add a comment