Heap-use-after-free in SuperBlitter::blitH
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5402857453125632

Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 2
Crash Address: 0x603000016030
Crash State:
  SuperBlitter::blitH
  sk_fill_path
  SkScan::AntiFillPath

Recommended Security Severity: Medium

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95gWINcmvTgBfPUTn8Dc7dcGWymS9EmPiKH4uzPItA91o47uR1Aujt1bHGcnxG-gyczRSlSfvsN3G3RnygxbKmVYjJCoHT6vphmFtOnImb-cBgzIm4Hd2HXOUo_p-UYW0bc4Rwr6kyZAMqQhtVhvkavS9K6zg?testcase_id=5402857453125632

Additional requirements: Requires Gestures

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2016
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.
Jul 21 2016
I'm afraid sheriffbot's label changes were a hiccup - this is still a blocker for Friday's M53.
Jul 25 2016
Is this still a problem? I can no longer reproduce it locally. I request a retry. Here is the log:

[2016-07-25 17:50:19] reed@google.com: Redo task(s): progression
[2016-07-25 11:02:10] clusterfuzz-linux-0086: Progression task started: r407419.
[2016-07-25 11:02:31] clusterfuzz-linux-0086: Progression task in-progress: Testing r405946:r407419.
[2016-07-25 11:07:18] clusterfuzz-linux-0086: Progression task errored out: Known crash revision 405946 did not crash.
[2016-07-25 11:07:18] clusterfuzz-linux-0086: Progression task errored out: Test case appears to be flaky.
[2016-07-25 11:08:37] clusterfuzz-linux-0335: Blame task started.
[2016-07-25 11:08:49] clusterfuzz-linux-0335: Blame task finished.
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 406564:406863.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5402857453125632

Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x603000006b20
Crash State:
  SuperBlitter::blitH
  sk_fill_path
  SkScan::AntiFillPath

Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=406564:406863

Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_rXA6_0bXIeYqLO5b_jwP_qY65TQzGcEo9iwhEYE4UtCSX22xfAfT608k6o0cdw9XIq-tPZQsGlaBnd-EQOWMkWWgoBapOANColo3mQPfMU5lxzFa7oSR1RhJM7KP4c3CEBBMMzkxRP4IQ2Ou38uZVw4TIA?testcase_id=5402857453125632

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 30 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Aug 1 2016
Please try to merge your change to M53 branch 2785 ASAP so we can take it for this week's beta release on Wednesday. Thank you very much.
Aug 2 2016
SkPath path;  // declaration added so the posted snippet is self-contained
path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.lineTo(SkBits2Float(0xcdafcdcd), SkBits2Float(0x41423fcd));  // -3.68688e+08f, 12.1406f
path.conicTo(SkBits2Float(0x414140ed), SkBits2Float(0x41414141),
             SkBits2Float(0x41414141), SkBits2Float(0x41264141),
             SkBits2Float(0x0000e1c8));  // 12.0784f, 12.0784f, 12.0784f, 10.3909f, 8.09951e-41f
path.cubicTo(SkBits2Float(0xcdcdcd00), SkBits2Float(0xcdcdcdcd),
             SkBits2Float(0xcdcdcdcd), SkBits2Float(0xcdcdcdcd),
             SkBits2Float(0x423fcdcd), SkBits2Float(0x40f79341));  // -4.31596e+08f, -4.31602e+08f, -4.31602e+08f, -4.31602e+08f, 47.951f, 7.73673f
path.lineTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000));  // 0, 0
path.close();

This seems to trigger an assert in debug-build...
Aug 2 2016
We're cutting M53 Beta RC today for release tomorrow. Please try to merge your change to M53 branch 2785 before 5:30 PM PT today so we can take it for this week's beta. Thank you.
Aug 2 2016
I'm removing the 53 merge labels, sheriffbot put them on erroneously as something was detected as fixed, but there is no target CL. Nothing to merge here (yet).
Nov 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 18 2016
Components: Internals>Skia
Labels: -Stability-Libfuzzer Pri-1
Owner: reed@chromium.org