Hello Cary (and CC'd),

I've left this as a separate ticket for now (clusterfuzz has added differing labels, as an external fuzzer was used), but it's very similar to: https://bugs.chromium.org/p/chromium/issues/detail?id=587002


If one of you could please take over this security ticket, or help find an appropriate owner?  Thank you very much.

+inferno, in case there's something special we should do for external fuzzer contributions (or if it should be duplicated into the above ticket and re-opened)?

M50 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-8 to make into the desktop Stable final build cut. Thanks!

I have no idea what to do about this bug.

The bug says linux_asan_chrome_v8_arm
What does that mean? An arm desktop? An Android device? Which one?

The bug details' stack trace point to the ASAN read error in the middle of a comment block:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/skia/src/core/SkBitmapScaler.cpp&sq=package:chromium&type=cs&l=194
Does this mean that the bug is reproducing on a Chrome branch which is newer or older than ToT?

I made a fix in this code area a couple of weeks ago:
https://codereview.chromium.org/1810333002
Is it possible that this machine doesn't have this fix?

Cary's fix landed 3/21, and looking at the CF details I see a timestamp of 3/19.  I'm not very good at parsing CF metadata, but the last entry I see is for 3/20.

So there's a good chance CF hasn't picked up the fix.  Can a CF expert verify and kick-off another test run?

After additional consulting with fmalita, it looks like that the bot is indeed out of date and https://codereview.chromium.org/1810333002 fixes the bug.

ClusterFuzz has detected this issue as fixed in range 382185:382786.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5774512917839872

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x09194182
Crash State:
  SkResizeFilter::computeFilters
  SkResizeFilter::SkResizeFilter
  SkBitmapScaler::Resize
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=382185:382786

Minimized Testcase (0.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oz4AQ9CJjTnHFasV3TzJqVWNBdIlINo4c3u7nU6wmfoGSzQIn4WejLJpP5dVwDxq6RH0-eArK2auNWA7Aut6gYop-bNPcd8oWPEaMH2G74Ka96tMc-97yjjolruoWVO2wF1VUpEZisqgxcbADQ0EtFiu4Rw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 382185:382786.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5774512917839872

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x09194182
Crash State:
  SkResizeFilter::computeFilters
  SkResizeFilter::SkResizeFilter
  SkBitmapScaler::Resize
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=382185:382786

Minimized Testcase (0.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oz4AQ9CJjTnHFasV3TzJqVWNBdIlINo4c3u7nU6wmfoGSzQIn4WejLJpP5dVwDxq6RH0-eArK2auNWA7Aut6gYop-bNPcd8oWPEaMH2G74Ka96tMc-97yjjolruoWVO2wF1VUpEZisqgxcbADQ0EtFiu4Rw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Thanks for checking this out. Forcing a re-run on the CF report did indeed show that it was resolved. I don't know why it didn't figure it out itself, I thought it periodically retried automatically.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Fix is in M51 already based on CL range of fix. Updating labels.

The panel didn't award anything for this bug since it was previously found and fixed.  Thanks again for the fuzzer, though!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot