Corrupt-block in sk_free_releaseproc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698549258551296
Fuzzer: inferno_canvas_wrecker
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fff7030
Crash State:
  sk_free_releaseproc
  v8::String::ExternalStringResourceBase::Dispose
  SkBitmap::~SkBitmap
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=402058:402059
Minimized Testcase (12.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95A8LqoApRWsKZx-ScGladStccW0D-GmXaqnseu2Mq2-LCWDusOt711eCi8R2T5Z8D2TjB1PAPxHiY2oPJ5oumPlJlmiD_S0iHsW_6GD1rNQ4giZjA7o1Y1rZdzLH2iQ04rmHxBM5s5zfgkMCLomhhi5ZMzsA?testcase_id=4698549258551296
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 29 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 29 2016

Jun 29 2016

Jun 29 2016

Jun 30 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 30 2016
Looks like the problem is related to a bitmap we allocate to back a saveLayer(). Looking at the calls to saveLayer() in the minimized repro case, I see them calling sk_calloc() a couple times: 144800 bytes, 141600 bytes, then 1798655148 bytes. That last one is unusually large (1.8G), especially on a 32-bit build like this. FWIW, content_shell is not crashing on a Linux desktop with infinite RAM.
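The comment above notes that the third saveLayer() backing allocation is implausibly large for a 32-bit build. The following is an added example, not Skia's code and not the confirmed root cause of this bug: a layer byte-size computation done in a 32-bit size type, with and without overflow and size-limit checks, so a reviewer can see how an unchecked product silently wraps and how a checked version rejects it. The MAX_LAYER_BYTES cap and the pixel dimensions are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: mimics the 32-bit size_t of the build in the report.
   Not Skia's code and not the bug's confirmed root cause. */
typedef uint32_t size32_t;

/* Largest single layer allocation this example will accept (an assumption
   for illustration; Skia's own limits are not on the page). */
#define MAX_LAYER_BYTES (256u * 1024u * 1024u)

/* Unchecked width * bpp * height: wraps silently in 32-bit arithmetic. */
size32_t unchecked_layer_size(size32_t width, size32_t height, size32_t bpp) {
    return width * bpp * height;
}

/* Checked version: fails on zero dimensions, on overflow of row bytes or of
   the total, and on totals above MAX_LAYER_BYTES. */
bool checked_layer_size(size32_t width, size32_t height, size32_t bpp,
                        size32_t *out) {
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > UINT32_MAX / bpp)           /* row_bytes would overflow */
        return false;
    size32_t row_bytes = width * bpp;
    if (height > UINT32_MAX / row_bytes)    /* total would overflow */
        return false;
    size32_t total = row_bytes * height;
    if (total > MAX_LAYER_BYTES)            /* implausibly large layer */
        return false;
    *out = total;
    return true;
}

int main(void) {
    /* Constructed dimensions; 181x200x4 and 177x200x4 reproduce the first two
       byte counts quoted in the comment (144800 and 141600). */
    size32_t dims[][3] = { {181, 200, 4}, {177, 200, 4},
                           {20000, 20000, 4}, {65536, 65536, 1} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        size32_t n = 0;
        bool ok = checked_layer_size(dims[i][0], dims[i][1], dims[i][2], &n);
        printf("%ux%ux%u: unchecked=%u checked=%s\n", dims[i][0], dims[i][1],
               dims[i][2],
               unchecked_layer_size(dims[i][0], dims[i][1], dims[i][2]),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```

The 65536x65536x1 case is the instructive one: the unchecked product is exactly 2^32 and wraps to 0, an allocation size that looks harmless to any later caller.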
Jul 1 2016
M53 is branched today (2785) and will be promoted to Beta this month. Your bug is labelled as Beta ReleaseBlock, pls make sure to land and merge the fix to M53 branch 2785 by 5:00 PM PST on Friday 07/22 (sooner the better so it gets chance to bake in M53 dev releases itself). Thank you.
Jul 14 2016
reed: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 14 2016
M53 beta launch is coming soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.
Jul 19 2016
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.
Jul 21 2016

Jul 21 2016

Jul 21 2016

Jul 21 2016

Jul 21 2016
I'm afraid sheriffbot's label changes were a hiccup - this is still a blocker for Friday's M53.
Jul 21 2016

Jul 22 2016

Dec 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Jun 28 2016
Components: Internals>Skia
Labels: M-53 OS-Android OS-Chrome OS-Linux OS-Mac
Owner: reed@chromium.org
Status: Assigned (was: Available)