
Issue 617735 link

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: ----
Type: Bug-Security



Heap-use-after-free in elt

Project Member Reported by ClusterFuzz, Jun 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5712019085066240

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x604000067b50
Crash State:
  elt
  vbo_split_copy
  vbo_split_prims
  
Recommended Security Severity: High


Minimized Testcase (19.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Jll-NMmk_KDtvS1p7Y6kicUGdmbUWVHp2lceacYHhmo4YiFuoqdlfJ0IQrpjZ8ns787wRBfDIvTwuSyqflrQT8w2HxNGVz_zorKvo9NdDB8VY8JCet275Q7RyfhPUSE8d0PsfStOxP1e6xGKiCgV4Mis58qyBlIoI5jZ0XelQGhLNeao

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by f...@chromium.org, Jun 6 2016

Labels: M-51

Comment 2 by f...@chromium.org, Jun 6 2016

Owner: kbr@chromium.org
Status: Assigned (was: Available)
kbr, might you be a good person to take a look at this one, which appears to be mesa-related?

Comment 3 by f...@chromium.org, Jun 6 2016

kbr, btw I am not entirely sure if this is a real vulnerability or not. Your thoughts on that would be appreciated.

Comment 4 by kbr@chromium.org, Jun 6 2016

Cc: capn@chromium.org sugoi@chromium.org
Components: Blink>WebGL Internals>GPU
Status: WontFix (was: Assigned)
This is a bug in the version of Mesa that Chromium uses only for testing purposes. The shader being fed in has a syntax error. Several similar bugs have been found in the past but we don't think that they represent actual bugs that end users will see. We are in the process of removing Mesa from Chrome's testing and replacing it with SwiftShader, which should categorically solve these sorts of bugs. Closing this as WontFix as we won't be able to fix these bugs in Mesa and have a plan for solving them more generally.

Comment 5 by sheriffbot@chromium.org (Project Member), Sep 13 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 7 by sheriffbot@chromium.org (Project Member), Oct 2 2016

Labels: allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot