Issue 627804 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 623669
Owner:	mtklein@chromium.org
Closed:	Jul 2016
Components:	Internals>Skia
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Te-Logged Stability-Crash Reproducible Stability-Memory-AddressSanitizer M-53 Clusterfuzz

Crash in SkPixelRef::SkPixelRef

Project Member Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6622397663019008

Fuzzer: sugoi_filter_fuzzer
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000004
Crash State:
  SkPixelRef::SkPixelRef
  SkMallocPixelRef::NewZeroed
  SkSpecialSurface::MakeRaster
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=357565:358520

Minimized Testcase (0.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Z6dktJrLTIY0ixdqR_dA6U5K4bu93L6_d5dY0RZE3pW0QTIOQxyf3tEI6gyfKiFYmaqpHnpJ-vfreWfk3W8yJha4fd9rXr7ihbEnPTRnKV7tyPAsL-yv0d2VFK3hddTFPl0yk72jp6yZmFjx4XDblL6eSUA?testcase_id=6622397663019008

Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by kavvaru@chromium.org, Jul 13 2016

Components: Internals>Skia Tools>Test>FindIt>CorrectResult
Labels: Te-Logged M-53
Owner: mtklein@chromium.org
Status: Assigned (was: Available)

Regression CL ::
https://chromium.googlesource.com/chromium/src/+log/3bf4c3c36d1d2fa3a477287b66a0c559ed1ddfa7..b89e2a2a5560d3bc5909c1cf7a3aed5446680489?pretty=fuller

Skia CL ::
https://chromium.googlesource.com/skia/+log/7600183ba7d8c8df6fbba1b32a73e6394216754e..844a0b425741f07cb233332405143931586bbb7d?pretty=fuller

Possible suspect from the above skia roll
https://codereview.chromium.org/1430593007

mtklein@ Could you please look into this issue if it is related to your change,else please route this to an appropriate owner for this issue.

Thanks,

Comment 2 by mtklein@chromium.org, Jul 13 2016

Mergedinto: 623669
Status: Duplicate (was: Assigned)

Looks like the same as 623669.

We've also seen this in 626980, where calloc is not involved.  We see the same problem through both SkMallocPixelRef::NewAllocate and SkMallocPixelRef::NewZeroed.

Project Member

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 4 by ClusterFuzz, Jul 13 2017

ClusterFuzz has detected this issue as fixed in range 485950:486007.

Detailed report: https://clusterfuzz.com/testcase?key=6622397663019008

Fuzzer: sugoi_filter_fuzzer
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  SkPixelRef::SkPixelRef
  SkMallocPixelRef::MakeZeroed
  SkSpecialSurface::MakeRaster
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=357565:358520
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=485950:486007

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6622397663019008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 627804 link

Issue metadata

Crash in SkPixelRef::SkPixelRef

Issue description

Comment 1 by kavvaru@chromium.org, Jul 13 2016

Comment 1 Deleted

Comment 2 by mtklein@chromium.org, Jul 13 2016

Comment 2 Deleted

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Comment 3 Deleted

Comment 4 by ClusterFuzz, Jul 13 2017

Comment 4 Deleted

Sign in to add a comment