
Issue 621492

Issue metadata

Status: Duplicate
Merged: issue 616623
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Crash in walk_convex_edges

Reported by ClusterFuzz (Project Member), Jun 20 2016

Issue description

Comment 1 by mmoroz@chromium.org, Jun 20 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Internals>Skia
Owner: mbarbe...@chromium.org
mbarbella@, could you please advise who is the best owner for skia bugs?

Comment 2 by mmoroz@chromium.org, Jun 20 2016

Blockedon: 616623
Labels: -Type-Bug Security_Severity-High Type-Bug-Security
Since it looks very similar to bug 616623 (except for the top stack frame), I'm blocking this on it and setting High severity.

Comment 3 by hcm@chromium.org, Jun 20 2016

Can someone please add me to 616623? Trying to triage this for Skia.

Comment 4 by mmoroz@chromium.org, Jun 20 2016

Cc: hcm@chromium.org
Labels: -Restrict-View-EditIssue Restrict-View-SecurityTeam

Comment 5 by mmoroz@chromium.org, Jun 20 2016

hcm@, I CC'ed you on 616623.

Comment 6 by hcm@chromium.org, Jun 20 2016

Cc: mbarbe...@chromium.org
Owner: reed@google.com
This one probably needs to go to Mike for a look at the drawPath code. There was recent refactoring there, but note this is a new fuzzer, so not necessarily related to recent changes.

Latest stack (Jun 17):
==27485==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000078039c bp 0x7ffdcfdce1f0 sp 0x7ffdcfdce130 T0)
==27485==The signal is caused by a READ memory access.
==27485==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x78039b in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) third_party/skia/src/core/SkScan_Path.cpp:314:32
    #1 0x77df9a in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) third_party/skia/src/core/SkScan_Path.cpp:505:9
    #2 0x78230e in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) third_party/skia/src/core/SkScan_Path.cpp:670:9
    #3 0x764f8c in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) third_party/skia/src/core/SkScan_AntiPath.cpp:741:9
    #4 0x5fdf39 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:1074:5
    #5 0x5fec47 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1167:11
    #6 0xb23fdc in drawPath third_party/skia/include/core/SkDraw.h:54:15
    #7 0xb23fdc in SkBitmapDevice::drawPath(SkDraw const&, SkPath const&, SkPaint const&, SkMatrix const*, bool) third_party/skia/src/core/SkBitmapDevice.cpp:236
    #8 0x5c6fa8 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2231:23
    #9 0x4e3848 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/skia_path_fuzzer.cc:130:25
    #10 0x4f6bb9 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:514:13
    #11 0x4f551d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:440:3
    #12 0x4e4596 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
    #13 0x4e7a68 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
    #14 0x505786 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #15 0x7f1764d30f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

Comment 7 by est...@chromium.org, Jun 20 2016

Labels: Security_Impact-Head
Labels: -Security_Impact-Head Security_Impact-Stable
Mergedinto: 616623
Status: Duplicate (was: Available)
Pretty sure this is a dupe. Should be the same issue as before.

One note about impact: it's actually an old bug, but I'm guessing the regression range points to the CL where the fuzzer was landed.
Blockedon: -616623

Comment 10 by ClusterFuzz (Project Member), Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405299:405445.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4751559422640128

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  walk_convex_edges
  sk_fill_path
  SkScan::FillPath
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400422:400471
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=405299:405445

Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948uAOSA-Crhgmek_R__od8djSxvFadNmrUkVpKTmGtWHhFOpwxRIvJvNp-3aY7znppLHY2kQGmhgYq8x37KtwumFcuSD3tNGc2bCcM8P9aBM8HZNG7p0s8UX9Mo2GC8lp4gf9trNDTA3sg__4GM2XytSsthw?testcase_id=4751559422640128

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: allpublic

Comment 12 by sheriffbot@chromium.org (Project Member), Oct 26 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot