
Issue 620981


Issue metadata

Status: Fixed
Closed: Jun 2016
OS: Mac
Pri: 1
Type: Bug-Security




Crash in _platform_bzero$VARIANT$Merom

Reported by ClusterFuzz (Project Member), Jun 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6199804325789696

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x6020000a4450
Crash State:
  _platform_bzero$VARIANT$Merom
  SkA8_Blitter::blitH
  walk_convex_edges
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=391652:391708

Minimized Testcase (0.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JEjuKj3QbZMLpYArGRU8pIY68FCbkgsxclOQ_3r9ZE1dGOXR2UUrGLseuS_VS4fD4OG5YPZFFlIJWTXw3jLofEgA10fm-cOCuRpMY27aHUOkF1rfdxMDxyDW8caqJWUwZXTjosaZ0O0sRgFs0e-RiIuUFag

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Jun 17 2016

Labels: Pri-1

Comment 2 by est...@chromium.org, Jun 19 2016

Components: Internals>Skia
Labels: M-53
Owner: reed@chromium.org
Status: Assigned (was: Available)
reed@, do you think you could please help find a good owner for this security bug? Thanks!

Comment 3 by reed@chromium.org, Jun 19 2016

Owner: reed@google.com

Comment 4 by reed@google.com, Jun 20 2016

The relevant flow in skia_utils_mac.mm is:

In SkiaBitLocker::cgContext()

We query the clip, which is empty, so we set clip_bounds to 0,0,1,1 (since CGBitmapContextCreate will fail for an empty width or height) and set bitmapIsDummy_ to true.

Then we call releaseIfNeeded(), which can change bitmapIsDummy_. In that case, back in cgContext() we are confused, and then call canvas_->temporary_internal_describeTopLayer() which can reset clip_bounds to empty... and thus CGBitmapContextCreate fails (unexpectedly).

The fix is to make the call to releaseIfNeeded() at the start of the function so any (hidden) mutations of fields are done before we start to set-and-use them.
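The ordering defect described in this comment, as an added example that is not Chromium's skia_utils_mac.mm code: a minimal C++ model with hypothetical names (Rect, BitLocker, createBitmapContext) in which releaseIfNeeded() clears bitmapIsDummy_ as a side effect, run in the original call order and in the fixed order from the commit.

```cpp
// Added example, not Chromium code: a minimal model of the cgContext()
// ordering bug. Rect, createBitmapContext and the class are hypothetical.
struct Rect { int x, y, w, h; bool empty() const { return w <= 0 || h <= 0; } };
// Stands in for CGBitmapContextCreate, which fails on an empty width or height.
static bool createBitmapContext(const Rect& r) { return !r.empty(); }
class BitLocker {
 public:
  explicit BitLocker(bool clipEmpty) : clipEmpty_(clipEmpty) {}
  // Models releaseIfNeeded(): releasing an existing context also clears the
  // dummy flag. That side effect is the hidden mutation the bug hinges on.
  void releaseIfNeeded() {
    if (haveContext_) { haveContext_ = false; bitmapIsDummy_ = false; }
  }
  // Original order: query the clip (setting the flag), then release, which
  // can undo the flag just set and discard the 1x1 substitute bounds.
  bool cgContextOriginal() {
    Rect bounds = queryClip();
    releaseIfNeeded();
    return createFrom(bounds);
  }
  // Fixed order from the commit: let the hidden mutation run first.
  bool cgContextFixed() {
    releaseIfNeeded();
    Rect bounds = queryClip();
    return createFrom(bounds);
  }
 private:
  Rect queryClip() {
    if (!clipEmpty_) return {0, 0, 100, 100};
    bitmapIsDummy_ = true;  // empty clip: substitute 1x1 so creation succeeds
    return {0, 0, 1, 1};
  }
  bool createFrom(Rect bounds) {
    // Non-dummy path re-describes the top layer (stands in for
    // temporary_internal_describeTopLayer()); an empty clip yields an empty rect.
    if (!bitmapIsDummy_) bounds = clipEmpty_ ? Rect{0, 0, 0, 0} : Rect{0, 0, 100, 100};
    haveContext_ = createBitmapContext(bounds);
    return haveContext_;
  }
  bool clipEmpty_, haveContext_ = false, bitmapIsDummy_ = false;
};

// Two consecutive cgContext() calls on one locker (the second must release
// the first); returns whether both context creations succeeded.
bool bothCallsSucceed(bool fixed, bool clipEmpty) {
  BitLocker l(clipEmpty);
  bool a = fixed ? l.cgContextFixed() : l.cgContextOriginal();
  bool b = fixed ? l.cgContextFixed() : l.cgContextOriginal();
  return a && b;
}
```

Only the empty-clip case with the original ordering fails, which matches the report: the second call's release resets the flag after the 1x1 substitute was chosen, so the "real" path re-describes an empty rect.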

Comment 5 by reed@google.com, Jun 20 2016

Cc: tomhud...@chromium.org

Comment 6 by bugdroid1@chromium.org (Project Member), Jun 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6acf5977b62cb3d5986e0be8c68994287be7569d

commit 6acf5977b62cb3d5986e0be8c68994287be7569d
Author: reed <reed@google.com>
Date: Mon Jun 20 17:00:46 2016

Move releaseIfNeeded to start, since it can change bitmapIsDummy_

In SkiaBitLocker::cgContext()

We query the clip, which is empty, so we set clip_bounds to 0,0,1,1 (since CGBitmapContextCreate will fail for an empty width or height) and set bitmapIsDummy_ to true.

Then we call releaseIfNeeded(), which can change bitmapIsDummy_. In that case, back in cgContext() we are confused, and then call canvas_->temporary_internal_describeTopLayer() which can reset clip_bounds to empty... and thus CGBitmapContextCreate fails (unexpectedly).

The fix is to make the call to releaseIfNeeded() at the start of the function so any (hidden) mutations of fields are done before we start to set-and-use them.

BUG=620981

Review-Url: https://codereview.chromium.org/2086543002
Cr-Commit-Position: refs/heads/master@{#400700}

[modify] https://crrev.com/6acf5977b62cb3d5986e0be8c68994287be7569d/skia/ext/skia_utils_mac.mm

Status: Fixed (was: Assigned)

Comment 8 by sheriffbot@chromium.org (Project Member), Jun 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by ClusterFuzz (Project Member), Aug 11 2016

ClusterFuzz has detected this issue as fixed in range 410916:411073.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6199804325789696

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x6020000a4450
Crash State:
  _platform_bzero$VARIANT$Merom
  SkA8_Blitter::blitH
  walk_convex_edges
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=391652:391708
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=410916:411073

Minimized Testcase (0.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JEjuKj3QbZMLpYArGRU8pIY68FCbkgsxclOQ_3r9ZE1dGOXR2UUrGLseuS_VS4fD4OG5YPZFFlIJWTXw3jLofEgA10fm-cOCuRpMY27aHUOkF1rfdxMDxyDW8caqJWUwZXTjosaZ0O0sRgFs0e-RiIuUFag?testcase_id=6199804325789696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by sheriffbot@chromium.org (Project Member), Oct 5 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
