Security: UNKNOWN in SkResizeFilter::computeFilters
Reported by chromium...@gmail.com, May 6 2016
Issue description

VERSION
Chrome Version: 50.0.2661.94 m
Operating System: Windows 7

REPRODUCTION CASE
1. Visit https://worldwide.espacenet.com/
2. Try to zoom the page
3. Crash!

eax=fffffffd ebx=00000000 ecx=00004000 edx=44c6d5e8 esi=04c6d5cc edi=04c6d5b0
eip=532ce73a esp=04c6d570 ebp=04c6d780 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!SkResizeFilter::computeFilters+0x328:
532ce73a 66010c42        add     word ptr [edx+eax*2],cx  ds:0023:44c6d5e2=????
0:006> k
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
04c6d780 532ce406 chrome_child!SkResizeFilter::computeFilters+0x328 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapscaler.cpp @ 195]
04c6d7ac 532ce89e chrome_child!SkResizeFilter::SkResizeFilter+0x180 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapscaler.cpp @ 101]
04c6d844 532ce9d0 chrome_child!SkBitmapScaler::Resize+0xcd [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapscaler.cpp @ 239]
04c6d8c8 52e6c170 chrome_child!SkBitmapScaler::Resize+0xe7 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapscaler.cpp @ 254]
04c6d9a4 52e6be1c chrome_child!SkDefaultBitmapControllerState::processHQRequest+0x2db [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapcontroller.cpp @ 126]
04c6d9c0 52e6bd60 chrome_child!SkDefaultBitmapControllerState::SkDefaultBitmapControllerState+0xb8 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapcontroller.cpp @ 207]
04c6d9d4 52e6b8fd chrome_child!SkDefaultBitmapController::onRequestBitmap+0x3a [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapcontroller.cpp @ 227]
04c6da40 52e6b57b chrome_child!SkBitmapProcState::chooseProcs+0x108 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapprocstate.cpp @ 145]
04c6da98 531f235d chrome_child!SkBitmapProcShader::MakeContext+0x62 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapprocshader.cpp @ 89]
04c6daf0 52e56d68 chrome_child!SkImageShader::onCreateContext+0x5e [c:\b\build\slave\win\build\src\third_party\skia\src\image\skimageshader.cpp @ 51]
04c6db9c 52e5f370 chrome_child!SkBlitter::Choose+0x3d8 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skblitter.cpp @ 894]
04c6e354 52e62979 chrome_child!SkDraw::drawRect+0x43a [c:\b\build\slave\win\build\src\third_party\skia\src\core\skdraw.cpp @ 866]
04c6e36c 52e6277d chrome_child!SkBitmapDevice::drawRect+0x1c [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbitmapdevice.cpp @ 214]
04c6e514 52e6250e chrome_child!SkCanvas::onDrawRect+0x266 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skcanvas.cpp @ 2072]
04c6e530 52e4328b chrome_child!SkNWayCanvas::onDrawRect+0x2d [c:\b\build\slave\win\build\src\third_party\skia\src\utils\sknwaycanvas.cpp @ 155]
04c6e544 52e42da9 chrome_child!SkRecord::Record::visit<void,SkRecords::Draw>+0x263 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skrecord.h @ 178]
04c6e5c4 52e42b60 chrome_child!SkRecordDraw+0xf6 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skrecorddraw.cpp @ 36]
04c6e620 52e4376c chrome_child!SkBigPicture::playback+0xc7 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skbigpicture.cpp @ 44]
04c6e65c 52e43621 chrome_child!SkCanvas::onDrawPicture+0xfa [c:\b\build\slave\win\build\src\third_party\skia\src\core\skcanvas.cpp @ 2905]
04c6e6c4 52e429c9 chrome_child!SkCanvas::drawPicture+0x132 [c:\b\build\slave\win\build\src\third_party\skia\src\core\skcanvas.cpp @ 2877]
May 10 2016
May 10 2016
Re #1: I couldn't provide a PoC to repro this crash; all you need is: 1. Launch https://worldwide.espacenet.com >> zoom the page to almost 150% >> crash!
May 11 2016
Thank you for providing more feedback. Adding requester "mmoroz@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 11 2016
Assigning to current security sheriff.
May 11 2016
Hi, this looks like a dup of crbug.com/595856, since the crash suggests a negative index into an array of shorts, which matches the fix for that bug.
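The "negative index into an array of shorts" reading can be checked directly against the register dump in the issue description: eax=fffffffd is -3 as a signed 32-bit index, and with the instruction's *2 scale (sizeof(short)) it lands exactly on the ds:0023:44c6d5e2 address windbg could not read. The C below is an added worked example of that triage arithmetic plus a hypothetical bounds guard; it is not Skia or Chromium code, and the guarded store and its 4-entry table are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register values copied from the windbg dump in the issue description. */
#define EAX_AT_CRASH 0xfffffffdu
#define EDX_AT_CRASH 0x44c6d5e8u
#define FAULT_ADDR   0x44c6d5e2u  /* the ds:0023:44c6d5e2 operand windbg could not read */

/* Effective address of "add word ptr [edx+eax*2],cx": base + index*scale in
   32-bit unsigned arithmetic, so it wraps exactly as the CPU does. */
uint32_t effective_address(uint32_t base, uint32_t index, uint32_t scale) {
    return base + index * scale;
}

/* The same register reinterpreted as a signed 32-bit array index. */
int32_t as_signed_index(uint32_t reg) { return (int32_t)reg; }

/* 1 if the decoded address equals the reported fault address and the index is
   negative: the dump is then consistent with a negative index into an array
   of shorts (sizeof(int16_t) == 2 matches the *2 scale). */
int dump_is_consistent_with_negative_index(uint32_t eax, uint32_t edx, uint32_t fault) {
    return effective_address(edx, eax, sizeof(int16_t)) == fault && as_signed_index(eax) < 0;
}

/* Hypothetical guarded store (not Skia code): refuse any index outside
   [0, count) instead of performing the 16-bit read-modify-write. */
int store_weight_checked(int16_t *table, size_t count, int32_t index, int16_t weight) {
    if (index < 0 || (size_t)index >= count) return 0;
    table[index] += weight;
    return 1;
}

/* Feeds the crash index and an in-range index through the guard on a
   constructed 4-entry table; returns the number of accepted stores. */
int guard_demo(void) {
    int16_t table[4] = {0, 0, 0, 0};
    int accepted = store_weight_checked(table, 4, as_signed_index(EAX_AT_CRASH), 5);
    accepted += store_weight_checked(table, 4, 3, 5);
    return accepted;
}

int main(void) {
    printf("index=%d ea=0x%08x consistent=%d accepted=%d\n",
           as_signed_index(EAX_AT_CRASH), effective_address(EDX_AT_CRASH, EAX_AT_CRASH, 2),
           dump_is_consistent_with_negative_index(EAX_AT_CRASH, EDX_AT_CRASH, FAULT_ADDR),
           guard_demo());
    return 0;
}
```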
Aug 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by mmoroz@chromium.org, May 10 2016