New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 626186 link

Starred by 1 user
Status: Fixed
Owner:
caryclark@google.com
Last visit > 30 days ago
Closed: Jul 2016
Cc:
caryclark@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in SkOpAngle::setSpans

Project Member Reported by ClusterFuzz, Jul 7 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6374307836198912

Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x610100007db0
Crash State:
  SkOpAngle::setSpans
  SkOpAngle::set
  SkOpSegment::calcAngles
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404

Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dME2EMQRz-sq50bmtH6o8Gv5xP1i89P-PAvCmflR7foY4VxtztlkERMogkEeHyVHhUwsn-4nbF2VLaVBWAhq2hTCedwjjnk6j0Tm6M19wt2juoaM2kL0Zc0gWBCt5Cd48rQKKHtRkdMnpqkj-gfdrBcC_yA?testcase_id=6374307836198912

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by calamity@chromium.org, Jul 7 2016

Cc: caryclark@chromium.org
Components: Internals>Skia
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 7 2016

Labels: Pri-1

Comment 3 by mmoroz@chromium.org, Jul 8 2016

Labels: Stability-AFL

Comment 4 by caryclark@chromium.org, Jul 8 2016

Owner: caryclark@google.com

Comment 5 by caryclark@chromium.org, Jul 8 2016

Status: Started (was: Available)
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 13 2016

Labels: M-53
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 13 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by caryclark@google.com, Jul 13 2016 

Isolated Skia repro:

static void fuzz763_1(skiatest::Reporter* reporter, const char* filename) {
    SkPath path;
    path.setFillType((SkPath::FillType) 0);
path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.cubicTo(SkBits2Float(0x0000ff07), SkBits2Float(0xf9f9ff00), SkBits2Float(0xfe0ef9f4), SkBits2Float(0xd9b105fb), SkBits2Float(0x000000f9), SkBits2Float(0xfe11f901));  // 9.14866e-41f, -1.62257e+35f, -4.75121e+37f, -6.22846e+15f, 3.48923e-43f, -4.85077e+37f
path.lineTo(SkBits2Float(0xda1905ed), SkBits2Float(0x3c05fbfb));  // -1.0768e+16f, 0.00817775f
path.cubicTo(SkBits2Float(0x3c3c3c3c), SkBits2Float(0x3c3c3c3c), SkBits2Float(0x253c7f00), SkBits2Float(0xfa00d3fa), SkBits2Float(0x250025fe), SkBits2Float(0x00000006));  // 0.011489f, 0.011489f, 1.63494e-16f, -1.67228e+35f, 1.11151e-16f, 8.40779e-45f

    SkPath path1(path);
    path.reset();
    path.setFillType((SkPath::FillType) 0);
path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.quadTo(SkBits2Float(0x3c3c3c3c), SkBits2Float(0xfa253c3c), SkBits2Float(0xfefa00d3), SkBits2Float(0x25fad9df));  // 0.011489f, -2.14488e+35f, -1.66156e+38f, 4.35157e-16f
path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.close();
path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.lineTo(SkBits2Float(0x8dfefa00), SkBits2Float(0xf0f9fad9));  // -1.57141e-30f, -6.1892e+29f
path.cubicTo(SkBits2Float(0x20fe58f9), SkBits2Float(0x0525fbed), SkBits2Float(0x1905ffff), SkBits2Float(0x01f9f9f9), SkBits2Float(0xfbfe0ef9), SkBits2Float(0xfb212fff));  // 4.30882e-19f, 7.80453e-36f, 6.92764e-24f, 9.18268e-38f, -2.63829e+36f, -8.36933e+35f

    SkPath path2(path);
    testPathOp(reporter, path1, path2, (SkPathOp) 2, filename);
}
Project Member

Comment 9 by ClusterFuzz, Jul 14 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5848078057996288

Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x610100010ee8
Crash State:
  SkOpAngle::setSpans
  SkOpAngle::set
  SkOpSegment::calcAngles
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Z3wldAcnV3QkPpq36Uk5-i6erp7jBCRcqGyPCqXhpILGXAefRq1h1q5A4nxJ7E5qheHxrRXizxxeQVNbNFKjyNWiQSbmdH6-SSOV5Fyhyx0JYMhcGXHQuJco7SJ_0dszYlMtpgyj5t27GhrA6Byy7kfxzOw?testcase_id=5848078057996288


Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 10 by gov...@chromium.org, Jul 14 2016 

M53 beta launch is coming soon.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.
Project Member

Comment 11 by ClusterFuzz, Jul 18 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6450211937583104

Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x6101000059b0
Crash State:
  SkOpAngle::setSpans
  SkOpAngle::set
  SkOpSegment::calcAngles
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97WvZArxq_cdMoFj9gu_-yvxS6kovDfudHjH2ZU3GGbnwyC5S3PDKCW47Z_e2jAOzzEsEKPdWT0SmdxQ3k_OEEJEpKvQvcUsmjmPbjQtZLKmCIWUVGq80WJVa-glmzz9zvA1rEwF2YgQhRiPTy3P4uZKxQudg?testcase_id=6450211937583104


Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 12 by mmoroz@chromium.org, Jul 18 2016

Labels: -Stability-Libfuzzer

Comment 13 by caryclark@google.com, Jul 19 2016 

Fixed? Can't repro on ToT with any of the above test cases.

Comment 14 by gov...@chromium.org, Jul 19 2016 

M53 beta launch is next week.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Comment 15 by caryclark@google.com, Jul 19 2016

Status: Fixed (was: Started)
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 20 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 17 by ClusterFuzz, Jul 27 2016 

ClusterFuzz has detected this issue as fixed in range 406032:406205.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6374307836198912

Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x610100007db0
Crash State:
  SkOpAngle::setSpans
  SkOpAngle::set
  SkOpSegment::calcAngles
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=406032:406205

Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dME2EMQRz-sq50bmtH6o8Gv5xP1i89P-PAvCmflR7foY4VxtztlkERMogkEeHyVHhUwsn-4nbF2VLaVBWAhq2hTCedwjjnk6j0Tm6M19wt2juoaM2kL0Zc0gWBCt5Cd48rQKKHtRkdMnpqkj-gfdrBcC_yA?testcase_id=6374307836198912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 18 by awhalley@chromium.org, Jul 27 2016

Labels: -ReleaseBlock-Beta
Project Member

Comment 19 by sheriffbot@chromium.org, Oct 26 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment