Crash in blink::ImageBitmapRenderingContext::transferFromImageBitmap

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5281397355053056

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::ImageBitmapRenderingContext::transferFromImageBitmap
  blink::ImageBitmapRenderingContextV8Internal::transferFromImageBitmapMethod
  v8::internal::FunctionCallbackArguments::Call

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=404345:404363

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv941wUezLQ2E5gGvt_iAUnykumwM6Xz3hagTOLep_Vc7ZK0Tsu3JYGS3M1nMs4oR3_eeq2lgfp4OsNOluInxjHxg2jwWmJ1_r4kKEiJKRql7vATmv4OvzBoFImWa8aED52H0cJi6d071HEFdM-SEQe3MGL9QsA?testcase_id=5281397355053056

<canvas id="output">
<script>
__v_5 = 102;
__v_4 = 100;
__v_0 = new OffscreenCanvas(__v_5, __v_4);
var __v_6 = __v_0.getContext('webgl');
__v_1 = __v_0.transferToImageBitmap();
__v_1 = __v_0.transferToImageBitmap();
__v_3 = document.getElementById("output");
__v_2 = __v_3.getContext('bitmaprenderer');
__v_2.transferFromImageBitmap(__v_1);
</script>

Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016
Jul 12 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2016
Unfortunately I cannot repro on my workstation. But it looks pretty straightforward: null-pointer deref in ImageBitmapRenderingContext::transferFromImageBitmap() (https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/imagebitmap/ImageBitmapRenderingContext.cpp?rcl=0&l=35). StaticBitmap::imageForCurrentFrame() can now return nullptr for various reasons, and we need to handle that case in transferFromImageBitmap().
Jul 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cf378d00d56930dabf6c4cc4d141f9f2d3803a59

commit cf378d00d56930dabf6c4cc4d141f9f2d3803a59
Author: xidachen <xidachen@chromium.org>
Date: Wed Jul 13 12:54:35 2016

Return a transparent black ImageBitmap when mailbox is invalid

In Webgl's transferToImageBitmap(), we create an ImageBitmap from the drawingBuffer's mailbox. When calling transferToImageBitmap() twice, the mailbox is invalid in the second call. In this case, we should return an ImageBitmap that is the same size as the drawingBuffer but should be transparent black.

Corresponding layout test has been updated to reflect this case.

BUG= 627374
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win_optional_gpu_tests_rel;tryserver.chromium.mac:mac_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2139353003
Cr-Commit-Position: refs/heads/master@{#405132}

[modify] https://crrev.com/cf378d00d56930dabf6c4cc4d141f9f2d3803a59/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-transferToImageBitmap-expected.html
[add] https://crrev.com/cf378d00d56930dabf6c4cc4d141f9f2d3803a59/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-transferToImageBitmap-invalid-mailbox-expected.html
[add] https://crrev.com/cf378d00d56930dabf6c4cc4d141f9f2d3803a59/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-transferToImageBitmap-invalid-mailbox.html
[modify] https://crrev.com/cf378d00d56930dabf6c4cc4d141f9f2d3803a59/third_party/WebKit/LayoutTests/fast/canvas/webgl/offscreenCanvas-transferToImageBitmap.html
[modify] https://crrev.com/cf378d00d56930dabf6c4cc4d141f9f2d3803a59/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
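The two halves of this bug, as an added C++ model that is not Blink's code and not part of this thread: a producer that stands in for WebGL's transferToImageBitmap() before and after the commit above (a consumed mailbox yielding no image at all versus a transparent black image of the drawing buffer's size), and a consumer that adds the null check the earlier comment asks for in ImageBitmapRenderingContext::transferFromImageBitmap(). Every type, field and helper here (Image, DrawingBuffer, makeImage, TransferResult, replayTestcase) is an assumption of the model, and the pixel contents are constructed. A crash address as low as 0x00000003 is consistent with a field read through a null pointer, which is why the consumer-side guard is worth having independently of the producer fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed model of the objects the bug names: a drawing buffer whose GPU
// "mailbox" is consumed by transferToImageBitmap(), an Image, and an
// ImageBitmap whose imageForCurrentFrame() can come back null. All names and
// fields are assumptions for this example, not Blink's real types.
struct Image {
    int width = 0;
    int height = 0;
    std::vector<std::uint8_t> rgba;  // 4 bytes per pixel
};

struct DrawingBuffer {
    int width;
    int height;
    bool mailboxValid;  // cleared once the mailbox is transferred out
};

struct ImageBitmap {
    std::shared_ptr<Image> image;  // nullptr models "no backing image"
    std::shared_ptr<Image> imageForCurrentFrame() const { return image; }
};

static std::shared_ptr<Image> makeImage(int width, int height, std::uint8_t fill) {
    auto img = std::make_shared<Image>();
    img->width = width;
    img->height = height;
    img->rgba.assign(static_cast<std::size_t>(width) * height * 4, fill);
    return img;
}

// Pre-fix producer: once the mailbox has been consumed, the second transfer
// hands back a bitmap that wraps no image at all.
ImageBitmap transferToImageBitmapBeforeFix(DrawingBuffer& db) {
    if (!db.mailboxValid) return ImageBitmap{nullptr};
    db.mailboxValid = false;
    return ImageBitmap{makeImage(db.width, db.height, 255)};  // opaque white stands in for real pixels
}

// Post-fix producer, following the commit message: an invalid mailbox yields
// a transparent black image of the drawing buffer's size instead of nothing.
ImageBitmap transferToImageBitmapAfterFix(DrawingBuffer& db) {
    if (!db.mailboxValid) return ImageBitmap{makeImage(db.width, db.height, 0)};
    db.mailboxValid = false;
    return ImageBitmap{makeImage(db.width, db.height, 255)};
}

enum class TransferResult { kTransferred, kNoImage };

// Consumer side with the null check the diagnosis asks for: a missing frame
// is treated as "nothing to display" rather than being read through.
struct ImageBitmapRenderingContext {
    std::shared_ptr<Image> displayed;

    TransferResult transferFromImageBitmap(const ImageBitmap& bitmap) {
        std::shared_ptr<Image> frame = bitmap.imageForCurrentFrame();
        if (!frame) {
            displayed.reset();  // never touch frame->width etc. on a null frame
            return TransferResult::kNoImage;
        }
        displayed = frame;
        return TransferResult::kTransferred;
    }
};

// True when the image has pixels and every channel of every pixel is zero.
bool isTransparentBlack(const Image& img) {
    if (img.rgba.empty()) return false;
    for (std::uint8_t b : img.rgba) {
        if (b != 0) return false;
    }
    return true;
}

// Replays the minimized testcase: a 102x100 OffscreenCanvas, two calls to
// transferToImageBitmap(), and the second bitmap handed to the bitmaprenderer
// context. Returns the consumer's result and, through `secondImage`, the image
// the second transfer produced.
TransferResult replayTestcase(bool withFix, std::shared_ptr<Image>* secondImage) {
    DrawingBuffer db{102, 100, true};
    ImageBitmapRenderingContext ctx;
    ImageBitmap first = withFix ? transferToImageBitmapAfterFix(db) : transferToImageBitmapBeforeFix(db);
    ImageBitmap second = withFix ? transferToImageBitmapAfterFix(db) : transferToImageBitmapBeforeFix(db);
    (void)first;  // the testcase overwrites __v_1, so only the second bitmap is displayed
    if (secondImage) *secondImage = second.image;
    return ctx.transferFromImageBitmap(second);
}
```

replayTestcase(false, ...) runs the fuzzer's double-transfer sequence against the pre-fix producer: the second bitmap carries no image, and the guarded consumer reports kNoImage instead of dereferencing it. replayTestcase(true, ...) runs it against the post-fix producer and displays a 102x100 transparent black image, which is the behaviour the new invalid-mailbox layout test checks for.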
Jul 18 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kavvaru@chromium.org, Jul 12 2016
Labels: Te-Logged M-53
Owner: fmalita@chromium.org
Status: Assigned (was: Available)