Issue 590622 link

Issue metadata

Status: Duplicate
Merged: issue 589848
Owner:
Closed: Feb 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug-Security


Heap-use-after-free in SkScalerContext_FreeType::SkScalerContext_FreeType

Project Member Reported by ClusterFuzz, Feb 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5813996948553728

Fuzzer: inferno_canvas_wrecker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61a000018c90
Crash State:
  SkScalerContext_FreeType::SkScalerContext_FreeType
  SkTypeface_FreeType::onCreateScalerContext
  SkTypeface::createScalerContext
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=376399:376718

Minimized Testcase (0.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96e4jcvaUO2_Q8jc2VgjtHpo6NuS3vpMv2hhNFNw4RyYLnNF0A2FvlPpSaDVoGM8U6NcFTG7b2eAKUoPMxSNpWN8Xy-8ARr232ihNQlGsi7wUeEVvJUZYtMUQ4GZGeQ34o2LisyIymew4_P2R-S20Qklgj4VQ

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: benjamin...@chromium.org
Status: Assigned (was: Available)
Author: benjaminwagner
Component: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/4534562f7600e036fd7561df1fe04dc5e58a58fc
Time: Fri Feb 19 23:30:20 2016
Lines 901 of file SkFontHost_FreeType.cpp which potentially caused crash are changed in this cl (frame #0, "SkScalerContext_FreeType::SkScalerContext_FreeType").
Minimum distance from crash line to modified line: 0. (file: SkFontHost_FreeType.cpp, crashed on: 901, modified: 901).

Suspected Component: chromium-skia
Suspected Cr- Label: Cr-Internals-Skia
Cc: bungeman@google.com
Owner: benjamin...@google.com
Cc: -bungeman@google.com benjamin...@google.com
Owner: bunge...@chromium.org
Thanks for taking this!

Comment 4 by och...@chromium.org, Feb 29 2016

Components: Internals>Skia

Comment 5 by ClusterFuzz (Project Member), Feb 29 2016

Labels: M-50
I've taken a look at this and don't immediately see how this is possible from the code. The most recent change to the file doesn't appear to have any bearing. I've also downloaded and run the clusterfuzz testcase with the clusterfuzz build, but it doesn't appear to reproduce locally. This is quite unfortunate, as it would be great to have a few more stack frames from asan on the 'freed' stack.

Comment 7 by och...@chromium.org, Feb 29 2016

Mergedinto: 589848
Status: Duplicate (was: Assigned)
This looks similar to bug 589848. Duping into that.
Unfortunately, I cannot see 589848. If there is anything I should be aware of or if there is no point on continuing to track down this particular report, please let me know.

Comment 9 by ClusterFuzz (Project Member), Mar 1 2016

ClusterFuzz has detected this issue as fixed in range 378207:378422.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5813996948553728

Fuzzer: inferno_canvas_wrecker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61a000018c90
Crash State:
  SkScalerContext_FreeType::SkScalerContext_FreeType
  SkTypeface_FreeType::onCreateScalerContext
  SkTypeface::createScalerContext
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=376399:376718
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=378207:378422

Minimized Testcase (0.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96e4jcvaUO2_Q8jc2VgjtHpo6NuS3vpMv2hhNFNw4RyYLnNF0A2FvlPpSaDVoGM8U6NcFTG7b2eAKUoPMxSNpWN8Xy-8ARr232ihNQlGsi7wUeEVvJUZYtMUQ4GZGeQ34o2LisyIymew4_P2R-S20Qklgj4VQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by sheriffbot@chromium.org (Project Member), Jun 9 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic