Issue metadata
Sign in to add a comment
|
Use-of-uninitialized-value in SkEvalCubicAt |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5067740183789568 Fuzzer: inferno_canvas_wrecker Job Type: linux_msan_chrome Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: SkEvalCubicAt SkPath::contains blink::Path::contains Recommended Security Severity: Medium Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv941wUTdsnoc-uFX-RfOdXCfdhdVZigQEzWXNOyhIspqqBB5pDYoD___5AVa4GtXST2m1QhPVdRqB0a6XarxNyzbqgbLavqicOl0dIOFZjsLWt1e13a8aKXHxVgihuIliuOxkur4-VoivisOuJBBTtF4-XEmFukj8PJS1ZO71Y5XY3YCdmI Filer: inferno See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 24 2016
,
May 25 2016
I think I see what's going on here. I'll take a shot at this one.
,
May 25 2016
,
May 26 2016
,
May 26 2016
,
May 26 2016
,
May 27 2016
,
May 31 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/276e63361c73fed6c6528b322400ece81fd1d067 commit 276e63361c73fed6c6528b322400ece81fd1d067 Author: mbarbella <mbarbella@chromium.org> Date: Tue May 31 21:44:01 2016 Check results from calls to SkCubicClipper::ChopMonoAtY. BUG= 613918 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2006143009 Review-Url: https://codereview.chromium.org/2006143009 [modify] https://crrev.com/276e63361c73fed6c6528b322400ece81fd1d067/src/core/SkPath.cpp
,
May 31 2016
,
May 31 2016
Since this is an uninitialized read and it's not clear that it could be exploited, let's just let this roll into M-53.
,
Jun 1 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
,
Jun 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/212c48e338298afee9ee2221677cbaefcbe84e92 commit 212c48e338298afee9ee2221677cbaefcbe84e92 Author: skia-deps-roller <skia-deps-roller@chromium.org> Date: Wed Jun 01 00:59:07 2016 Roll src/third_party/skia/ ce8ea4c55..276e63361 (2 commits). https://chromium.googlesource.com/skia.git/+log/ce8ea4c55b6e..276e63361c73 $ git log ce8ea4c55..276e63361 --date=short --no-merges --format='%ad %ae %s' 2016-05-31 mbarbella Check results from calls to SkCubicClipper::ChopMonoAtY. 2016-05-31 scroggo Revert of Make SkPngCodec decode progressively. (patchset #18 id:340001 of https://codereview.chromium.org/1997703003/ ) BUG= 613918 CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel TBR=herb@google.com Review-Url: https://codereview.chromium.org/2026993002 Cr-Commit-Position: refs/heads/master@{#397005} [modify] https://crrev.com/212c48e338298afee9ee2221677cbaefcbe84e92/DEPS
,
Jun 1 2016
,
Jun 1 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/99600d0a158e3b2f1ff077a6fd102e78ce9db0e4 commit 99600d0a158e3b2f1ff077a6fd102e78ce9db0e4 Author: mbarbella <mbarbella@chromium.org> Date: Wed Jun 01 22:39:47 2016 Add a test to ensure that a case where SkCubicClipper::ChopMonoAtY returns false is handled properly. Also fixes a style issue in the fix for the issue being tested. BUG= chromium:613918 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2021343004 Review-Url: https://codereview.chromium.org/2021343004 [modify] https://crrev.com/99600d0a158e3b2f1ff077a6fd102e78ce9db0e4/src/core/SkPath.cpp [modify] https://crrev.com/99600d0a158e3b2f1ff077a6fd102e78ce9db0e4/tests/PathTest.cpp
,
Jun 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c1652c8a765c2bc3463026f12cfacc46c03ba6db commit c1652c8a765c2bc3463026f12cfacc46c03ba6db Author: skia-deps-roller <skia-deps-roller@chromium.org> Date: Thu Jun 02 06:55:46 2016 Roll src/third_party/skia/ fc2990682..99600d0a1 (5 commits). https://chromium.googlesource.com/skia.git/+log/fc2990682671..99600d0a158e $ git log fc2990682..99600d0a1 --date=short --no-merges --format='%ad %ae %s' 2016-06-01 mbarbella Add a test to ensure that a case where SkCubicClipper::ChopMonoAtY returns false is handled properly. 2016-06-01 msarett Create SkColorSpaceXform to handle color conversions 2016-06-01 msarett Recognize common parametric gamma 2016-06-01 brianosman Release surface between runs to avoid seg fault 2016-06-01 bsalomon Fix uninit warning on valgrind bot in SkPathPriv:IsSimpleClosedRect BUG= 613918 CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel TBR=herb@google.com Review-Url: https://codereview.chromium.org/2029203003 Cr-Commit-Position: refs/heads/master@{#397322} [modify] https://crrev.com/c1652c8a765c2bc3463026f12cfacc46c03ba6db/DEPS
,
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 396957:397022. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5067740183789568 Fuzzer: inferno_canvas_wrecker Job Type: linux_msan_chrome Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: SkEvalCubicAt SkPath::contains blink::Path::contains Recommended Security Severity: Medium Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=396957:397022 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv941wUTdsnoc-uFX-RfOdXCfdhdVZigQEzWXNOyhIspqqBB5pDYoD___5AVa4GtXST2m1QhPVdRqB0a6XarxNyzbqgbLavqicOl0dIOFZjsLWt1e13a8aKXHxVgihuIliuOxkur4-VoivisOuJBBTtF4-XEmFukj8PJS1ZO71Y5XY3YCdmI See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 13 2016
,
Jun 15 2016
,
Jun 15 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
,
Jun 16 2016
Approving merge to M52 branch 2743 based on comment #17. Please merge asap. Thank you.
,
Jun 20 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 22 2016
Looks like I missed some label updates in c#11. As mentioned there, no need to merge this one.
,
Sep 7 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 14 2016
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Nov 9 2017
is there any way i could take a look at how this bug causeda denial of service? I'm writing a paper on chrome vulnerabilities as my thesis for uni, it would be of great help
,
Apr 25 2018
,
Jul 28
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, May 23 2016