Integer-overflow in blink::TableLayoutAlgorithmAuto::ShrinkColumnWidth |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5403193860947968
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  blink::TableLayoutAlgorithmAuto::ShrinkColumnWidth
  blink::TableLayoutAlgorithmAuto::UpdateLayout
  blink::LayoutTable::UpdateLayout
Sanitizer: undefined (UBSAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5403193860947968
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 7
Looking at where the overflow is this isn't caused by my change. Over to the layout team to triage.
Jan 8
Could someone from the layout team look into the issue? Thank you.
Jan 8
<style>
.class2 { -webkit-mask-repeat-y: inherit; -webkit-appearance: textarea;</style>
<table>
<colgroup class="class2"7+">ZAr\KavFE+Oq!p<col valign="middle" width="1073741824"</col>
table_layout_algorithm_auto.cc:890:30: runtime error: signed integer overflow: -33553420 * 33554428 cannot be represented in type 'int'
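The UBSan line above reports an int multiplication whose operands are each close to 2^25 in magnitude, which is the shape of a proportional width computation fed a <col> width near 2^30. The block below is an added illustration, not Blink's ShrinkColumnWidth code: it reuses the operand values from the report, shows the overflow check UBSan performed, and pairs it with a hardened variant that widens the intermediate and refuses an unrepresentable result. The function names, the excess * column / total formula and the use of the testcase's column width as the total are assumptions.

```cpp
#include <cstdint>
#include <climits>
#include <optional>

// Operands quoted in the UBSan report on this page.
constexpr int kExcessFromReport = -33553420;
constexpr int kColumnWidthFromReport = 33554428;
// The <col width="1073741824"> (2^30) from the reduced testcase, used here as the
// assumed total width the shrink is distributed over (an assumption, not Blink's logic).
constexpr int kTotalWidthFromTestcase = 1073741824;

// Reports whether a * b overflows int, i.e. the condition UBSan flagged.
// __builtin_mul_overflow is a GCC/Clang intrinsic; the plain product is undefined behaviour.
bool MulOverflowsInt(int a, int b) {
    int unused;
    return __builtin_mul_overflow(a, b, &unused);
}

// Hardened proportional shrink (assumed formula: excess * column / total).
// A 32-bit by 32-bit product always fits in 64 bits, so widen before multiplying,
// then refuse to narrow a quotient that does not fit back into int.
std::optional<int> ShrinkColumnWidthChecked(int excess, int column_width, int total_width) {
    if (total_width == 0) return std::nullopt;  // nothing to distribute over
    const int64_t scaled = static_cast<int64_t>(excess) * column_width;
    const int64_t quotient = scaled / total_width;
    if (quotient < INT_MIN || quotient > INT_MAX) return std::nullopt;
    return static_cast<int>(quotient);
}
```

With the report's operands the checked version yields -1048544, while the unchecked int product is the overflow UBSan stopped on.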
Comment 1 by kkaluri@chromium.org, Jan 3
Labels: M-72 Test-Predator-Wrong
Owner: dtapu...@chromium.org
Status: Assigned (was: Untriaged)