Status: Fixed
Owner:
Closed: Jul 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag
Use-of-uninitialized-value in cc::SolidColorDrawQuad::SetNew
Project Member Reported by ClusterFuzz, Jul 3 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4964342854320128

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  cc::SolidColorDrawQuad::SetNew
  cc::PictureLayerImpl::AppendQuads
  cc::LayerTreeHostImpl::CalculateRenderPasses
  

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97o45Ergo8ZEraHfykgmfsUEgCkOQAHslZM-RREfjucoQPuKL6JfKFQ13R9oAHXz3wqk-nN8XVEk808p09RnJFafBCyOn5nR6qzKf_sGpcjIPg0jyMgFL90yP7NclAtF3musO_mu0Zglr0leacLHZxRXkGW6A
  setTimeout(cleanup,100);
<style>
*{visibility:show;-webkit-appearance:searchfield-cancel-button;-webkit-mask-image:url(?);>

Filer: earthdok@chromium.org
 
Owner: danakj@chromium.org
Status: Assigned
Dana, could you please look into this or help find an owner?


Project Member Comment 2 by ClusterFuzz, Jul 3 2014
Labels: Pri-1
Cc: boliu@chromium.org enne@chromium.org danakj@chromium.org vmp...@chromium.org reve...@chromium.org
It looks to me that tile_version.get_solid_color() may not be initialized to anything.

I see that it is not initialized in the constructor of ManagedTileState::TileVersion::TileVersion, but it should be set when the mode_ is changed to solid color.
Labels: M-37
Bulk edit of uninitialized value bugs without milestones to M-37.
Comment 5 by danakj@chromium.org, Jul 15 2014
Cc: sohanjyo...@gmail.com
Project Member Comment 6 by ClusterFuzz, Jul 24 2014
Labels: Nag
danakj@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 7 by bugdroid1@chromium.org, Jul 24 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9bc7dad0e1ceff7d248366c9f47431e7c96d7eee

commit 9bc7dad0e1ceff7d248366c9f47431e7c96d7eee
Author: vmpstr@chromium.org <vmpstr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Thu Jul 24 23:41:12 2014

cc: Default initialize solid color in tile version constructor.

This patch ensures that all variables of tile version are initialized
to something.

BUG= 391301 
R=danakj, enne

Review URL: https://codereview.chromium.org/412143003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@285409 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 8 by bugdroid1@chromium.org, Jul 24 2014
------------------------------------------------------------------
r285409 | vmpstr@chromium.org | 2014-07-24T23:41:12.885258Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/cc/resources/managed_tile_state.cc?r1=285409&r2=285408&pathrev=285409

cc: Default initialize solid color in tile version constructor.

This patch ensures that all variables of tile version are initialized
to something.

BUG= 391301 
R=danakj, enne

Review URL: https://codereview.chromium.org/412143003
-----------------------------------------------------------------
Status: Fixed
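An added illustration of the defect class described in comment 2 and of the fix landed in r285409 (a member that only one mode ever sets, left indeterminate by the constructor, versus default-initializing every member). This is example code written for this page, not Chromium's cc code: the names TileVersionBefore, TileVersionAfter, Mode, AppendSolidQuad, the SkColor alias and kColorTransparent are constructed stand-ins, and the mode guard on the getter is extra hardening that goes beyond what the commit does.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Constructed stand-ins; these names are not Chromium's.
using SkColor = uint32_t;                 // assumption: 32-bit ARGB like Skia's SkColor
constexpr SkColor kColorTransparent = 0;  // assumption: same value as SK_ColorTRANSPARENT

enum class Mode { kResource, kSolidColor, kPictureFile };

// The defect class reported by MSan: mode_ gets a value, solid_color_ does not.
// A consumer that reads solid_color_ on an instance whose mode never became
// kSolidColor reads an indeterminate value (undefined behaviour). Shown only
// for contrast; nothing below reads from it.
struct TileVersionBefore {
  Mode mode_ = Mode::kResource;
  SkColor solid_color_;  // left uninitialized by the constructor

  void SetSolidColor(SkColor c) { mode_ = Mode::kSolidColor; solid_color_ = c; }
  SkColor get_solid_color() const { return solid_color_; }
};

// The fix in the spirit of r285409: every member has a value after
// construction, so the getter is deterministic in every mode. The mode check
// is extra hardening beyond the commit: it turns "read the color of a tile
// that is not solid" into an immediate, diagnosable failure.
struct TileVersionAfter {
  Mode mode_ = Mode::kResource;
  SkColor solid_color_ = kColorTransparent;

  void SetSolidColor(SkColor c) { mode_ = Mode::kSolidColor; solid_color_ = c; }
  Mode mode() const { return mode_; }
  SkColor get_solid_color() const {
    if (mode_ != Mode::kSolidColor)
      throw std::logic_error("get_solid_color() on a tile that is not solid");
    return solid_color_;
  }
};

// Simplified AppendQuads-style consumer: emits a solid quad (returns true and
// writes the color) only when the tile is in solid-color mode.
bool AppendSolidQuad(const TileVersionAfter& tv, SkColor* out) {
  if (tv.mode() != Mode::kSolidColor) return false;
  *out = tv.get_solid_color();
  return true;
}

// A freshly constructed tile has a known color even though no mode ever set one.
SkColor ColorAfterConstruction() { return TileVersionAfter().solid_color_; }

// Reading the color in the wrong mode is rejected instead of returning garbage.
bool GetterRejectsWrongMode() {
  TileVersionAfter tv;
  try {
    (void)tv.get_solid_color();
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}

// Round trip for the legitimate path.
bool SolidTileRoundTrips(SkColor c) {
  TileVersionAfter tv;
  tv.SetSolidColor(c);
  SkColor out = 0;
  return AppendSolidQuad(tv, &out) && out == c;
}

// A non-solid tile produces no quad and leaves the output untouched.
bool NonSolidTileEmitsNoQuad() {
  TileVersionAfter tv;
  SkColor out = 0xDEADBEEFu;
  return !AppendSolidQuad(tv, &out) && out == 0xDEADBEEFu;
}

int main() {
  std::printf("color after construction: 0x%08X\n",
              static_cast<unsigned>(ColorAfterConstruction()));
  std::printf("getter rejects wrong mode: %d\n", GetterRejectsWrongMode());
  std::printf("solid tile round trips: %d\n", SolidTileRoundTrips(0xFF00FF00u));
  std::printf("non-solid tile emits no quad: %d\n", NonSolidTileEmitsNoQuad());
  return 0;
}
```

Building the TileVersionBefore variant with clang++ -fsanitize=memory and reading its color before any mode sets it reproduces the class of report on this page; the TileVersionAfter variant has no indeterminate member for MSan to flag, and the extra mode check makes a wrong-mode read fail loudly rather than emit a quad with a meaningless color.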
Project Member Comment 10 by ClusterFuzz, Jul 25 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-36 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Release-0-M38 Merge-NA
Will let MSAN bugs roll onto trunk.
Project Member Comment 12 by ClusterFuzz, Sep 11 2014
ClusterFuzz has detected this issue as fixed in range 294200:294222.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4964342854320128

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  cc::SolidColorDrawQuad::SetNew
  cc::PictureLayerImpl::AppendQuads
  cc::LayerTreeHostImpl::CalculateRenderPasses
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=294200:294222

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97o45Ergo8ZEraHfykgmfsUEgCkOQAHslZM-RREfjucoQPuKL6JfKFQ13R9oAHXz3wqk-nN8XVEk808p09RnJFafBCyOn5nR6qzKf_sGpcjIPg0jyMgFL90yP7NclAtF3musO_mu0Zglr0leacLHZxRXkGW6A
  setTimeout(cleanup,100);
<style>
*{visibility:show;-webkit-appearance:searchfield-cancel-button;-webkit-mask-image:url(?);>

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 13 by ClusterFuzz, Oct 31 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 14 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 15 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic