Issue 617635 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Crash in FixWinding

Project Member Reported by ClusterFuzz, Jun 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4656132446748672

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0001078d
Crash State:
  FixWinding
  SkOpBuilder::resolve
  blink::LayoutSVGResourceClipper::calculateClipContentPathIfNeeded
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96c51hKmtMH0ZxOGbxf6AUb2v7SgB5w9sFUOOABZPEnLGdElyG1hcPvCMVyGhdaeeYn_Tw0QGNYOz1TR-clTnv2WxP8gtvY51XgxyRNxynETURhwLIGH2IRxuz2zvU-oq5Y7uJIc4jlMyipRVHCHZNi14D7lw


Filer: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Security_Severity-Medium Security_Severity-High Pri-1
Cc: mbarbe...@chromium.org

Comment 3 by f...@chromium.org, Jun 6 2016

Components: Internals>Skia
Owner: caryclark@chromium.org
Status: Assigned (was: Available)
caryclark, would you be a good owner for this bug?

Comment 4 by f...@chromium.org, Jun 6 2016

Labels: Security_Impact-Head
Investigating
Status: Started (was: Assigned)

Comment 7 by sheriffbot@chromium.org (Project Member), Jun 7 2016

Labels: M-53

Comment 8 by sheriffbot@chromium.org (Project Member), Jun 7 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by bugdroid1@chromium.org (Project Member), Jun 8 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/dae6b97705fde08958b1a36fa6ce685d28fc692c

commit dae6b97705fde08958b1a36fa6ce685d28fc692c
Author: caryclark <caryclark@google.com>
Date: Wed Jun 08 11:28:19 2016

fix pathops fuzz bugs

Fail out in a couple of new places when the input data is very
large and exceeds the limits of the pathops machinery.

Most of the change here plumbs in a way to exclude an assert in
one of these exceptional cases. The current SkAddIntersection
implementation and the inner functions it calls has no way to
report an error to the root caller for an early exit, so rather
than add that in, exclude the assert when the test that would
trigger it runs (allowing the test to otherwise ensure that it
properly fails).

TBR=reed@google.com
BUG= 617586 , 617635 
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2046713003

Review-Url: https://codereview.chromium.org/2046713003

[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkAddIntersections.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkDConicLineIntersection.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkIntersections.h
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkOpBuilder.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkOpCoincidence.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsCommon.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsCommon.h
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsOp.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsSimplify.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsTightBounds.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsTypes.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/src/pathops/SkPathOpsTypes.h
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsAngleIdeas.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsAngleTest.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsBuilderTest.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsExtendedTest.cpp
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsExtendedTest.h
[modify] https://crrev.com/dae6b97705fde08958b1a36fa6ce685d28fc692c/tests/PathOpsOpTest.cpp


Comment 10 by bugdroid1@chromium.org (Project Member), Jun 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27c0233b9d759b06b3e4e551a892e9613032198e

commit 27c0233b9d759b06b3e4e551a892e9613032198e
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Wed Jun 08 12:54:04 2016

Roll src/third_party/skia/ 2af4599b5..dae6b9770 (1 commit).

https://chromium.googlesource.com/skia.git/+log/2af4599b5c51..dae6b97705fd

$ git log 2af4599b5..dae6b9770 --date=short --no-merges --format='%ad %ae %s'
2016-06-08 caryclark fix pathops fuzz bugs

BUG= 617586 , 617635 

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=mtklein@google.com

Review-Url: https://codereview.chromium.org/2048983003
Cr-Commit-Position: refs/heads/master@{#398532}

[modify] https://crrev.com/27c0233b9d759b06b3e4e551a892e9613032198e/DEPS


Comment 11 by ClusterFuzz (Project Member), Jun 9 2016

ClusterFuzz has detected this issue as fixed in range 397961:397971.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4656132446748672

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0001078d
Crash State:
  FixWinding
  SkOpBuilder::resolve
  blink::LayoutSVGResourceClipper::calculateClipContentPathIfNeeded
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=377544:377564
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397961:397971

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96c51hKmtMH0ZxOGbxf6AUb2v7SgB5w9sFUOOABZPEnLGdElyG1hcPvCMVyGhdaeeYn_Tw0QGNYOz1TR-clTnv2WxP8gtvY51XgxyRNxynETURhwLIGH2IRxuz2zvU-oq5Y7uJIc4jlMyipRVHCHZNi14D7lw


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)

Comment 13 by ClusterFuzz (Project Member), Jun 10 2016

Labels: Merge-NA

Comment 14 by sheriffbot@chromium.org (Project Member), Jun 10 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-unpaid reward-3500
Congratulations, $3,500 for this. The panel noted they wouldn't be surprised if this led to memory corruption.
Labels: -reward-unpaid reward-inprocess
Labels: -ReleaseBlock-Beta -ClusterFuzz -merge-na Clusterfuzz Merge-na
Fix already in M53, removing ReleaseBlock-Beta.

Comment 18 by sheriffbot@chromium.org (Project Member), Sep 16 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic