
Issue 390999 link


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag




Use-of-uninitialized-value in WebCore::OpaqueRegionSkia::markRectAsNonOpaque

Project Member Reported by ClusterFuzz, Jul 2 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4833045972516864

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  WebCore::OpaqueRegionSkia::markRectAsNonOpaque
  WebCore::OpaqueRegionSkia::applyOpaqueRegionFromLayer
  WebCore::OpaqueRegionSkia::popCanvasLayer
  

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97R0y9GhPD1VfXkAb71-8uUmCfZMJrEHXzt5iQ2q2E8D2_5cO9UezhM3fBbLHV7rwHGQR5tgPte8UbMPQuaJ47bVCPhE1gnPt0WpHIQhoSGW1aNmE1If0mIs4fw08W2me143c7RpVbPJ8MYMY_YD3YgLKbemw
<style>
.CLASS2{transition-delay:-1.0ms;}
.CLASS3{text-decoration:line-through;-webkit-backface-visibility:hidden;}
*:read-only{-webkit-box-reflect:below 6.4% url('?');overflow-y:scroll;</style>
<body class="CLASS12 CLASS3">
B
<div>
>

Filer: inferno@chromium.org
 
Cc: senorblanco@chromium.org reed@chromium.org
Owner: sugoi@chromium.org
Status: Assigned
Sugoi@, we need someone to spearhead these MSAN bugs. Can someone from your team look into these? They should be easy to fix as it just needs initializing the vars.

Comment 2 by ClusterFuzz, Jul 2 2014

Labels: Pri-1

Comment 3 by sugoi@chromium.org, Jul 8 2014

Cc: sugoi@chromium.org
Owner: danakj@chromium.org
Assigning to danakj@.
My hunch is that this could be fixed in OpaqueRegionSkia::didDrawUnbounded() simply by adding an if statement this way :

if (getDeviceClipAsRect(context, deviceClipRect)) {
    markRectAsNonOpaque(deviceClipRect);
}

instead of calling markRectAsNonOpaque() unconditionally and by doing a similar fix in applyOpaqueRegionFromLayer() by moving lines 336-337 after line 340.
(I haven't tested any of this though)
Labels: M-37
Bulk edit of uninitialized value bugs without milestones to M-37.

Comment 5 by danakj@chromium.org, Jul 15 2014

Cc: sohanjyo...@gmail.com

Comment 6 by ClusterFuzz, Jul 24 2014

Labels: Nag
danakj@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: bsalomon@chromium.org

Comment 8 by ClusterFuzz, Jul 28 2014

Labels: -Security_Impact-Beta

Comment 9 by ClusterFuzz, Jul 29 2014

Labels: Security_Impact-Beta

Comment 10 by ClusterFuzz, Jul 29 2014

Labels: -Security_Impact-Beta

Comment 11 by ClusterFuzz, Jul 29 2014

Labels: Security_Impact-Beta

Comment 12 by ClusterFuzz, Jul 29 2014

Labels: -Security_Impact-Beta

Comment 13 by ClusterFuzz, Jul 30 2014

Labels: -Security_Impact-Stable Security_Impact-Beta
Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 15 by ClusterFuzz, Aug 3 2014

danakj@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Status: Started
WIP - https://codereview.chromium.org/417153002/
Cc: danakj@chromium.org
Owner: sohanjyo...@gmail.com

Comment 18 by bugdroid1@chromium.org, Aug 7 2014

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=179741

------------------------------------------------------------------
r179741 | sohan.jyoti@samsung.com | 2014-08-07T19:25:16.815170Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/graphics/RegionTracker.cpp?r1=179741&r2=179740&pathrev=179741
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/graphics/GraphicsContextTest.cpp?r1=179741&r2=179740&pathrev=179741

Avoid passing uninitialized value to markRectAsNonOpaque.

While applying opaque region for layer if device clip is not a rect 
we don't alter the opaque rect, and if we have a non-opaque
preserving transfer mode along with it, we mark the opaque rect
as empty.

BUG=390999

Review URL: https://codereview.chromium.org/417153002
-----------------------------------------------------------------
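The pattern behind this report and the shape of the fix, as an added example that is not Blink's code and not the change in r179741: comment 3's suggested guard in didDrawUnbounded() and the rule the commit message above states for applyOpaqueRegionFromLayer(), modelled in a small self-contained C++ program. IntRect, DeviceClip, OpaqueRegionTracker, transferModePreservesOpacity and the opaqueAfter* helpers are names assumed for the illustration, and the real markRectAsNonOpaque() keeps a largest remaining sub-rectangle, which this model collapses to "empty as soon as anything non-opaque overlaps".

```cpp
// Added example, not Blink's code: a model of the out-parameter pattern behind
// this report and of the two fixed call sites. IntRect, DeviceClip,
// OpaqueRegionTracker and the opaqueAfter* helpers are assumed names;
// getDeviceClipAsRect, markRectAsNonOpaque, didDrawUnbounded and
// applyOpaqueRegionFromLayer are the names from the bug report.
struct IntRect {
    int x, y, width, height;
    IntRect() : x(0), y(0), width(0), height(0) {}
    IntRect(int x_, int y_, int w, int h) : x(x_), y(y_), width(w), height(h) {}
    bool isEmpty() const { return width <= 0 || height <= 0; }
    bool contains(const IntRect& o) const {
        return !o.isEmpty() && o.x >= x && o.y >= y &&
               o.x + o.width <= x + width && o.y + o.height <= y + height;
    }
    bool intersects(const IntRect& o) const {
        return !isEmpty() && !o.isEmpty() && o.x < x + width &&
               x < o.x + o.width && o.y < y + height && y < o.y + o.height;
    }
    bool operator==(const IntRect& o) const {
        return x == o.x && y == o.y && width == o.width && height == o.height;
    }
};

// A device clip is either a plain rectangle or something (path, region) that
// no single rect describes.
struct DeviceClip {
    bool isRect;
    IntRect rect;  // meaningful only when isRect is true
};

// The shape behind the MSan report: the out-parameter is written only on
// success. Per comment 3 the callers ran
//     IntRect deviceClipRect;
//     getDeviceClipAsRect(context, deviceClipRect);  // result ignored
//     markRectAsNonOpaque(deviceClipRect);           // rect never written
// so a non-rectangular clip fed uninitialized stack memory into the tracker.
// (Returning an optional rect instead of bool-plus-out-parameter would make
// the unchecked call impossible to write.)
static bool getDeviceClipAsRect(const DeviceClip& clip, IntRect& deviceClipRect) {
    if (!clip.isRect)
        return false;  // deviceClipRect deliberately left untouched
    deviceClipRect = clip.rect;
    return true;
}

class OpaqueRegionTracker {
public:
    explicit OpaqueRegionTracker(IntRect opaque) : m_opaqueRect(opaque) {}
    IntRect opaqueRect() const { return m_opaqueRect; }

    // Simplified bookkeeping: a non-opaque draw touching the tracked rect makes
    // us stop claiming any of it is opaque (Blink keeps the largest remaining
    // sub-rectangle instead; this is enough to show the control flow).
    void markRectAsNonOpaque(const IntRect& rect) {
        if (m_opaqueRect.intersects(rect))
            m_opaqueRect = IntRect();
    }

    // didDrawUnbounded() in the shape comment 3 suggests: the rect is used only
    // when the clip really was one.
    void didDrawUnbounded(const DeviceClip& clip) {
        IntRect deviceClipRect;
        if (getDeviceClipAsRect(clip, deviceClipRect))
            markRectAsNonOpaque(deviceClipRect);
    }

    // applyOpaqueRegionFromLayer() following r179741's description: a non-rect
    // clip leaves the opaque rect alone unless the transfer mode does not
    // preserve opacity, in which case the opaque rect is emptied. The rect case
    // is modelled as: a layer opaque over the whole clip rect (with an opacity-
    // preserving mode) changes nothing; otherwise the clip rect is marked.
    void applyOpaqueRegionFromLayer(const DeviceClip& clip,
                                    const IntRect& layerOpaqueRect,
                                    bool transferModePreservesOpacity) {
        IntRect deviceClipRect;
        if (!getDeviceClipAsRect(clip, deviceClipRect)) {
            if (!transferModePreservesOpacity)
                m_opaqueRect = IntRect();
            return;
        }
        if (transferModePreservesOpacity && layerOpaqueRect.contains(deviceClipRect))
            return;
        markRectAsNonOpaque(deviceClipRect);
    }

private:
    IntRect m_opaqueRect;
};

// Start from `opaque`, apply one operation, return the tracked opaque rect.
static IntRect opaqueAfterLayer(IntRect opaque, DeviceClip clip,
                                IntRect layerOpaque, bool preservesOpacity) {
    OpaqueRegionTracker t(opaque);
    t.applyOpaqueRegionFromLayer(clip, layerOpaque, preservesOpacity);
    return t.opaqueRect();
}
static IntRect opaqueAfterUnboundedDraw(IntRect opaque, DeviceClip clip) {
    OpaqueRegionTracker t(opaque);
    t.didDrawUnbounded(clip);
    return t.opaqueRect();
}
```

Any C++11 compiler builds this. The two helpers at the end return the tracked opaque rect after one operation, so the cases are easy to check: a non-rectangular clip with an opacity-preserving transfer mode leaves the opaque rect untouched (the path the fuzzer's testcase exercised), the same clip with a non-preserving mode empties it, and a rectangular clip is subtracted only when the layer was not fully opaque over it. Under an MSan build the original unchecked shape faults at the first read of deviceClipRect inside markRectAsNonOpaque(), which is the top frame of the crash state above.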
Status: Fixed

Comment 20 by ClusterFuzz, Aug 9 2014

ClusterFuzz has detected this issue as fixed in range 288030:288271.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4833045972516864

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  WebCore::OpaqueRegionSkia::markRectAsNonOpaque
  WebCore::OpaqueRegionSkia::applyOpaqueRegionFromLayer
  WebCore::OpaqueRegionSkia::popCanvasLayer
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=288030:288271


If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.


Comment 21 by ClusterFuzz, Aug 9 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage M-36 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -M-37 -Merge-Triage -M-36 Merge-NA Release-0-M38

Comment 23 by ClusterFuzz, Nov 14 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
