Use-of-uninitialized-value in walk_convex_edges
Issue description

Noticed that it would be pretty easy to write a fuzzer for skia path stuff, so I did. I'll work out a fix for this issue a bit later, but also need to land the fuzzer so it's possible for people other than me to reproduce this.

reed, caryclark: Are either of you up for a few reviews? The fuzzer is fairly straightforward but it would be nice to get input from someone more familiar with skia.

INFO: Seed: 818632536
out/libfuzzer/path_fuzzer: Running 1 inputs 1 time(s) each.
/usr/local/google/home/mbarbella/Downloads/crash-99d56d2372a0ff40664d9e60f3a84404a815b602
...
==30552==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xb8595f in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) ./out/libfuzzer/../../third_party/skia/src/core/SkScan_Path.cpp:267
    #1 0xb82cf3 in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) ./out/libfuzzer/../../third_party/skia/src/core/SkScan_Path.cpp:505 (discriminator 1)
    #2 0xb88a2f in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) ./out/libfuzzer/../../third_party/skia/src/core/SkScan_Path.cpp:670 (discriminator 1)
    #3 0xb5eb17 in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) ./out/libfuzzer/../../third_party/skia/src/core/SkScan_AntiPath.cpp:741 (discriminator 1)
    #4 0x69594c in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const ./out/libfuzzer/../../third_party/skia/src/core/SkDraw.cpp:1078
    #5 0x696df0 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const ./out/libfuzzer/../../third_party/skia/src/core/SkDraw.cpp:1171 (discriminator 1)
    #6 0x50564c in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const ./out/libfuzzer/../../third_party/skia/include/core/SkDraw.h:55
    #7 0x5054dd in SkBitmapDevice::drawPath(SkDraw const&, SkPath const&, SkPaint const&, SkMatrix const*, bool) ./out/libfuzzer/../../third_party/skia/src/core/SkBitmapDevice.cpp:236
    #8 0x6032fc in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) ./out/libfuzzer/../../third_party/skia/src/core/SkCanvas.cpp:2231 (discriminator 1)
    #9 0x5f894c in SkCanvas::drawPath(SkPath const&, SkPaint const&) ./out/libfuzzer/../../third_party/skia/src/core/SkCanvas.cpp:1922
    #10 0x48e04b in LLVMFuzzerTestOneInput ./out/libfuzzer/../../skia/tools/path_fuzzer/path_fuzzer.cc:106
    #11 0x150e41a in ExecuteCallback ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:465 (discriminator 1)
    #12 0x150ddb7 in RunOne ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerLoop.cpp:398
    #13 0x14f2f67 in RunOneTest ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:256 (discriminator 2)
    #14 0x14f557b in FuzzerDriver ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:372 (discriminator 1)
    #15 0x14f324e in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerDriver.cpp:421
    #16 0x15250a8 in main ./out/libfuzzer/../../third_party/libFuzzer/src/FuzzerMain.cpp:25
    #17 0x7f191fbdaf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #18 0x424408 in _start ??:?

  Uninitialized value was created by an allocation of 'tailEdge' in the stack frame of function 'sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&)'
    #0 0xb821b0 in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) ./out/libfuzzer/../../third_party/skia/src/core/SkScan_Path.cpp:430

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/ssd/mbarbella/chromium/src/out/libfuzzer/path_fuzzer+0xb8595f)
Exiting
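The origin line in the report above is the interesting part: the uninitialized bytes come from a stack object ('tailEdge') in sk_fill_path, and the read happens in walk_convex_edges, the loop that consumes the edge list. The following is an added illustration of that bug class and of the obvious fix, written for this page; it is not Skia's code, not the path fuzzer, and not the patch that closed this issue. The struct layout and the names Edge, kSentinelY, walk_edges, link_edges, fill_unsafe and fill_safe are assumptions made for the example.

```cpp
// Added illustration (not Skia code): a stack-allocated sentinel edge whose
// fields are never written, linked into an edge list that a scanline walk
// then branches on. Build with MSan to get a report of the same shape as
// the one in the issue:
//   clang++ -std=c++17 -g -fsanitize=memory -fsanitize-memory-track-origins=2 uum.cc
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical edge record, loosely modelled on a scan converter's edge list.
// Field names and layout are assumptions for this example, not SkEdge's.
struct Edge {
    int32_t firstY;   // first scanline the edge covers
    int32_t lastY;    // last scanline the edge covers
    Edge*   next;     // singly linked, sorted by firstY, terminated by a sentinel
};

// The sentinel's firstY is a value no real edge can have.
const int32_t kSentinelY = INT32_MAX;

// Walk from `head` until the sentinel. Every iteration branches on the
// node's firstY, so the sentinel's fields must hold defined values.
int walk_edges(const Edge* head) {
    int covered = 0;
    for (const Edge* e = head; e->firstY != kSentinelY; e = e->next) {
        covered += e->lastY - e->firstY + 1;
    }
    return covered;
}

// Link the edges in order and terminate the list with `tail`.
Edge* link_edges(std::vector<Edge>& edges, Edge* tail) {
    for (size_t i = 0; i < edges.size(); ++i) {
        edges[i].next = (i + 1 < edges.size()) ? &edges[i + 1] : tail;
    }
    return edges.empty() ? tail : &edges[0];
}

// UNSAFE: the sentinel is declared without an initializer, so firstY, lastY
// and next are indeterminate. walk_edges() compares tail.firstY, which MSan
// reports as a use-of-uninitialized-value; with origin tracking the origin is
// "an allocation of 'tail' in the stack frame of function 'fill_unsafe'".
// Calling this is undefined behaviour; it exists only to be run under MSan.
int fill_unsafe(std::vector<Edge> edges) {
    Edge tail;                                   // BUG: fields left uninitialized
    return walk_edges(link_edges(edges, &tail));
}

// SAFE: value-initialize the sentinel, then set the field the walk keys on.
// Every byte the walk can read now has a defined value.
int fill_safe(std::vector<Edge> edges) {
    Edge tail{};                                 // FIX: zero every field first
    tail.firstY = kSentinelY;
    tail.lastY  = kSentinelY;
    tail.next   = nullptr;                       // never followed: the walk stops here
    return walk_edges(link_edges(edges, &tail));
}

int main() {
    // Constructed input: two edges covering scanlines 0..4 and 5..9.
    std::vector<Edge> edges = {{0, 4, nullptr}, {5, 9, nullptr}};
    std::printf("scanlines covered: %d\n", fill_safe(edges));   // 10
    // To see the MSan report, build with the flags above and call
    // fill_unsafe(edges) instead; a plain build gives no diagnostic at all,
    // which is why this class of bug is found by sanitizer fuzzing.
    return 0;
}
```

Without MSan the unsafe variant usually runs without any visible error, since a garbage firstY merely makes the loop read one more node; that silence is the point of running the fuzzer under libfuzzer_chrome_msan rather than a plain build.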
Jun 16 2016
mbarbella: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475218717769728
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97BVzovGJs1axl5Kq5C-2WveSa3qq--uQD6a76zOzaLUDUS1ifdj8BBdfmmzw7zLPC_BOQcM-UDXioLUJI5rt-uIK3_VJTqdGVpxe5jVlSMudxLJfCbxi5rbNAirsBkfbd2lsAE2oLn7guNV2bU8iOpfmcemQ?testcase_id=6475218717769728
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 20 2016
Issue 621492 has been merged into this issue.
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6048601910542336
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::AntiFillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94r_emDGi852c0RSEZipLc_1cilaeGQQBDc5EwoEIW8Wof-rl61eVeFnM15NNXO3EXXqevtLD5QgHIkf2t0GTt776l95iW5L3nEInMsd0uZ_nAe05zV2yztkH08UKps2d9rit60sh1HQpe8VxEVBmSKbdB9tQ?testcase_id=6048601910542336
Filer: tanin
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 5 2016
mbarbella: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475218717769728
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97BVzovGJs1axl5Kq5C-2WveSa3qq--uQD6a76zOzaLUDUS1ifdj8BBdfmmzw7zLPC_BOQcM-UDXioLUJI5rt-uIK3_VJTqdGVpxe5jVlSMudxLJfCbxi5rbNAirsBkfbd2lsAE2oLn7guNV2bU8iOpfmcemQ?testcase_id=6475218717769728
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6048601910542336
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::AntiFillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94r_emDGi852c0RSEZipLc_1cilaeGQQBDc5EwoEIW8Wof-rl61eVeFnM15NNXO3EXXqevtLD5QgHIkf2t0GTt776l95iW5L3nEInMsd0uZ_nAe05zV2yztkH08UKps2d9rit60sh1HQpe8VxEVBmSKbdB9tQ?testcase_id=6048601910542336
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4958136222089216
Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x60560000e574
Crash State:
  SkBlitRow::Color32
  walk_convex_edges
  sk_fill_path
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Minimized Testcase (0.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95fr1XUD_i-seEIWqFxoalmVAF_aDiNg-mm4n74nGmMHViVc0NWd0dzG6LXMVf8wYtyoyMeO56wDeQSpl7ojH5vDXQ2_FgmTG33oKDfmCX7NVmFRJf5RssI3MlfYK0QYeNEgLag5bB2O-sZz8ovlaXvcFjXVQ?testcase_id=4958136222089216
Additional requirements: Requires Gestures
Filer: ochang
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6167037730881536
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978yIzLWAHToJzLBGUtS-_-qwwX8NlhXE8hdJhmAgHJOJrd-AeAgyVZtAtQ0X8JPj1WCUKC0UDoIrXb6utGVV9uYKFmTwoZNI53iFEFy8DDAGjFysfXbGVTQ-W7jVtGqT5pmVyzcs0CfNkT_zwH6roMiOhkQA?testcase_id=6167037730881536
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 14 2016
ClusterFuzz has detected this issue as fixed in range 405164:405345.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6167037730881536
Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=400429:400488
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=405164:405345
Minimized Testcase (0.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978yIzLWAHToJzLBGUtS-_-qwwX8NlhXE8hdJhmAgHJOJrd-AeAgyVZtAtQ0X8JPj1WCUKC0UDoIrXb6utGVV9uYKFmTwoZNI53iFEFy8DDAGjFysfXbGVTQ-W7jVtGqT5pmVyzcs0CfNkT_zwH6roMiOhkQA?testcase_id=6167037730881536
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 19 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 25 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Jun 1 2016