Issue metadata
Crash in _platform_bzero$VARIANT$Merom
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6199804325789696
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN
Crash Address: 0x6020000a4450
Crash State:
  _platform_bzero$VARIANT$Merom
  SkA8_Blitter::blitH
  walk_convex_edges
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=391652:391708
Minimized Testcase (0.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JEjuKj3QbZMLpYArGRU8pIY68FCbkgsxclOQ_3r9ZE1dGOXR2UUrGLseuS_VS4fD4OG5YPZFFlIJWTXw3jLofEgA10fm-cOCuRpMY27aHUOkF1rfdxMDxyDW8caqJWUwZXTjosaZ0O0sRgFs0e-RiIuUFag
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 19 2016
reed@, do you think you could please help find a good owner for this security bug? Thanks!
Jun 19 2016
Jun 20 2016
The relevant flow in skia_utils_mac.mm is:

In SkiaBitLocker::cgContext() we query the clip, which is empty, so we set clip_bounds to 0,0,1,1 (since CGBitmapContextCreate will fail for an empty width or height) and set bitmapIsDummy_ to true. Then we call releaseIfNeeded(), which can change bitmapIsDummy_. In that case, back in cgContext() we are confused, and then call canvas_->temporary_internal_describeTopLayer() which can reset clip_bounds to empty... and thus CGBitmapContextCreate fails (unexpectedly).

The fix is to make the call to releaseIfNeeded() at the start of the function so any (hidden) mutations of fields are done before we start to set-and-use them.
Jun 20 2016
Jun 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6acf5977b62cb3d5986e0be8c68994287be7569d

commit 6acf5977b62cb3d5986e0be8c68994287be7569d
Author: reed <reed@google.com>
Date: Mon Jun 20 17:00:46 2016

Move releaseIfNeeded to start, since it can change bitmapIsDummy_

In SkiaBitLocker::cgContext() we query the clip, which is empty, so we set clip_bounds to 0,0,1,1 (since CGBitmapContextCreate will fail for an empty width or height) and set bitmapIsDummy_ to true. Then we call releaseIfNeeded(), which can change bitmapIsDummy_. In that case, back in cgContext() we are confused, and then call canvas_->temporary_internal_describeTopLayer() which can reset clip_bounds to empty... and thus CGBitmapContextCreate fails (unexpectedly).

The fix is to make the call to releaseIfNeeded() at the start of the function so any (hidden) mutations of fields are done before we start to set-and-use them.

BUG=620981
Review-Url: https://codereview.chromium.org/2086543002
Cr-Commit-Position: refs/heads/master@{#400700}

[modify] https://crrev.com/6acf5977b62cb3d5986e0be8c68994287be7569d/skia/ext/skia_utils_mac.mm
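The ordering hazard that the Jun 20 comment and the commit message above describe, as an added illustrative model in C++ that is not Skia's or Chromium's code. The class, field and helper names here (BitLockerModel, FakeCanvas, createBitmap, blitH, the haveContext_ flag) are simplifications of the SkiaBitLocker::cgContext() flow as narrated, the canvas clip values are constructed sample input, and the "release clears the dummy flag" side effect is assumed from the comment rather than taken from the real source:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added illustration (not Skia/Chromium code): a reduced model of the
// SkiaBitLocker::cgContext() ordering bug. A non-positive width or height
// is an empty clip.
struct Rect {
  int x = 0, y = 0, w = 0, h = 0;
  bool empty() const { return w <= 0 || h <= 0; }
};

// Stand-in for the canvas: the clip it reports and what its top layer
// describes. Both are constructed sample input.
struct FakeCanvas {
  Rect clip;
  Rect topLayer;
};

// Stand-in for the CG bitmap context: like CGBitmapContextCreate, creation
// fails (no pixel storage) when either dimension is zero.
struct Bitmap {
  int w = 0, h = 0;
  std::vector<uint8_t> pixels;
  bool ok() const { return !pixels.empty(); }
};

static Bitmap createBitmap(const Rect& r) {
  Bitmap b;
  if (r.empty()) return b;  // creation fails; nothing may draw into it
  b.w = r.w;
  b.h = r.h;
  b.pixels.assign(static_cast<size_t>(r.w) * static_cast<size_t>(r.h), 0);
  return b;
}

// Guarded stand-in for the blitter's horizontal span fill (the report's crash
// sits in a bzero inside blitH). Returns false instead of touching memory
// when the context was never created or the span is out of range.
static bool blitH(Bitmap& b, int x, int y, int count) {
  if (!b.ok() || y < 0 || y >= b.h || x < 0 || count <= 0 || x + count > b.w)
    return false;
  std::memset(&b.pixels[static_cast<size_t>(y) * b.w + x], 0xff, count);
  return true;
}

class BitLockerModel {
 public:
  explicit BitLockerModel(FakeCanvas* canvas) : canvas_(canvas) {}

  // Buggy ordering from the report: the dummy flag is set, then
  // releaseIfNeeded() silently clears it, so the later check reads stale state.
  Bitmap cgContextBuggy() {
    Rect bounds = canvas_->clip;
    if (bounds.empty()) {
      bounds = Rect{0, 0, 1, 1};  // 1x1 dummy so creation cannot fail
      bitmapIsDummy_ = true;
    }
    releaseIfNeeded();  // hidden mutation: may reset bitmapIsDummy_
    if (!bitmapIsDummy_) bounds = canvas_->topLayer;  // may be empty again
    return createBitmap(bounds);  // fails unexpectedly on the empty rect
  }

  // Fixed ordering (what the landed change does): releaseIfNeeded() runs
  // first, so every field it touches is settled before we set and use them.
  Bitmap cgContextFixed() {
    releaseIfNeeded();
    Rect bounds = canvas_->clip;
    if (bounds.empty()) {
      bounds = Rect{0, 0, 1, 1};
      bitmapIsDummy_ = true;
    }
    if (!bitmapIsDummy_) bounds = canvas_->topLayer;
    return createBitmap(bounds);
  }

 private:
  // Assumed side effect (from the comment): tearing down a previously held
  // context clears the dummy flag.
  void releaseIfNeeded() {
    if (haveContext_) {
      haveContext_ = false;
      bitmapIsDummy_ = false;
    }
  }

  FakeCanvas* canvas_;
  bool haveContext_ = true;  // assume a context from an earlier call is held
  bool bitmapIsDummy_ = false;
};

// With an empty clip the buggy ordering yields a context that could not be
// created, and a guarded blit into it is rejected rather than writing.
bool buggyFailsOnEmptyClip() {
  FakeCanvas canvas{Rect{0, 0, 0, 0}, Rect{0, 0, 0, 0}};
  BitLockerModel lock(&canvas);
  Bitmap b = lock.cgContextBuggy();
  return !b.ok() && !blitH(b, 0, 0, 1);
}

// The fixed ordering yields the intended 1x1 dummy, which accepts the blit.
bool fixedSucceedsOnEmptyClip() {
  FakeCanvas canvas{Rect{0, 0, 0, 0}, Rect{0, 0, 0, 0}};
  BitLockerModel lock(&canvas);
  Bitmap b = lock.cgContextFixed();
  return b.ok() && b.w == 1 && b.h == 1 && blitH(b, 0, 0, 1);
}

// With a real clip both orderings use the top layer's bounds.
bool bothAgreeOnNonEmptyClip() {
  FakeCanvas canvas{Rect{0, 0, 4, 3}, Rect{0, 0, 4, 3}};
  BitLockerModel buggy(&canvas), fixed(&canvas);
  Bitmap a = buggy.cgContextBuggy(), b = fixed.cgContextFixed();
  return a.ok() && b.ok() && a.w == b.w && a.h == b.h && a.w == 4;
}
```

The point the model makes is the one the commit message makes: a helper with a hidden write to a member must run before the caller starts setting and reading that member, otherwise the caller's later branch is taken on stale state and the size it hands to context creation is no longer the one it validated. The guarded blitH is the defensive check a blitter would want in addition to the ordering fix, since a creation failure that is not checked is what turns a logic slip into the memory error in the crash state.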
Jun 28 2016
Jun 29 2016
Aug 11 2016
ClusterFuzz has detected this issue as fixed in range 410916:411073.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6199804325789696
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN
Crash Address: 0x6020000a4450
Crash State:
  _platform_bzero$VARIANT$Merom
  SkA8_Blitter::blitH
  walk_convex_edges
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=391652:391708
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=410916:411073
Minimized Testcase (0.52 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JEjuKj3QbZMLpYArGRU8pIY68FCbkgsxclOQ_3r9ZE1dGOXR2UUrGLseuS_VS4fD4OG5YPZFFlIJWTXw3jLofEgA10fm-cOCuRpMY27aHUOkF1rfdxMDxyDW8caqJWUwZXTjosaZ0O0sRgFs0e-RiIuUFag?testcase_id=6199804325789696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 5 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jun 17 2016