
Issue 629455

Starred by 2 users

Issue metadata

Status: Fixed
Closed: Jul 2016
OS: Linux
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in SuperBlitter::blitH

Reported by ClusterFuzz, Jul 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4863802214711296

Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x60dfffffcd74
Crash State:
  SuperBlitter::blitH
  sk_fill_path
  SkScan::AntiFillPath
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LXgLOEvXjMtsIb_UkfLYgG8Svo1vLUk-tehOUn_br_hGteJHmpUayXNh_z_umeWut0AyjtifxwfGvs8eQv4YsQmpRK9bUeg8XH_nci0ci80CHo0OsrHUtGj1qfSFTalL7EdTSQuioGoYv6ZEIIBUpPstx8g?testcase_id=4863802214711296


Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
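The report above is the raw ClusterFuzz output a triager works from before deciding how to label a crash. The following helper is an added example, not part of the ClusterFuzz report, the Chromium tracker or the Skia fix: it parses the report's key/value header and indented Crash State frames, and derives the facts worth checking before a relabel such as the "Crash in" to "Heap-buffer-overflow in" rename in Comment 1. The sample input is the report text copied from above; the heap range is the x86_64 Linux default of ASan's primary allocator (kAllocatorSpace 0x600000000000, 4 TiB) from compiler-rt, and the dedup key follows ClusterFuzz's practice of grouping crashes by the Crash State frames. Everything else (function and field names in the code) is this example's own choice.

```python
import re
from dataclasses import dataclass

# Address range of ASan's primary heap allocator on x86_64 Linux, as defined in
# compiler-rt's asan_allocator.h (kAllocatorSpace = 0x600000000000, size 4 TiB).
# An address in this range is consistent with a heap access even when ASan
# reports the fault as UNKNOWN rather than as a typed heap-buffer-overflow.
ASAN_HEAP_LO = 0x600000000000
ASAN_HEAP_HI = ASAN_HEAP_LO + 0x40000000000

# Sample input: the report text copied from the ClusterFuzz description above.
SAMPLE_REPORT = """\
Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x60dfffffcd74
Crash State:
  SuperBlitter::blitH
  sk_fill_path
  SkScan::AntiFillPath

Recommended Security Severity: Medium
"""


@dataclass
class CrashReport:
    fuzzer: str
    job_type: str
    platform: str
    crash_type: str
    crash_address: int
    crash_state: list
    severity: str


def _field(text, name):
    """Return the value of a single 'Name: value' header line, or raise."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.+?)[ \t]*$", text, re.M)
    if m is None:
        raise ValueError(f"report is missing the {name!r} field")
    return m.group(1)


def parse_report(text):
    """Parse the key/value header and the indented Crash State frame list."""
    # Frames are the indented, non-blank lines directly under 'Crash State:'.
    m = re.search(r"^Crash State:[ \t]*\n((?:[ \t]+\S.*\n?)+)", text, re.M)
    frames = [ln.strip() for ln in m.group(1).splitlines()] if m else []
    return CrashReport(
        fuzzer=_field(text, "Fuzzer"),
        job_type=_field(text, "Job Type"),
        platform=_field(text, "Platform Id"),
        crash_type=_field(text, "Crash Type"),
        crash_address=int(_field(text, "Crash Address"), 16),
        crash_state=frames,
        severity=_field(text, "Recommended Security Severity"),
    )


def in_asan_heap(addr):
    """True if addr falls inside ASan's x86_64 primary heap allocator region."""
    return ASAN_HEAP_LO <= addr < ASAN_HEAP_HI


def triage(report):
    """Derive the facts a triager checks before relabelling a fuzzer crash."""
    access = report.crash_type.split()[-1]  # READ or WRITE
    # 'UNKNOWN' means ASan caught a plain SEGV and could not name the bug class
    # itself; the heap-buffer-overflow label then rests on the address and frames.
    asan_typed = not report.crash_type.startswith("UNKNOWN")
    return {
        "dedup_key": " | ".join(report.crash_state),  # ClusterFuzz groups by these frames
        "access": access,
        "asan_typed": asan_typed,
        "address_in_asan_heap": in_asan_heap(report.crash_address),
        "sanitizer_build": report.job_type.endswith("_asan"),
        "top_frame": report.crash_state[0] if report.crash_state else None,
        "severity": report.severity,
    }


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for key, value in triage(rep).items():
        print(f"{key}: {value}")
```

Run it on any ClusterFuzz report pasted into SAMPLE_REPORT; for the report above it shows a READ in an ASan build whose faulting address lies in the allocator region but which ASan itself left untyped, which is exactly the situation in which a human has to confirm the heap-buffer-overflow classification from the frames and the testcase rather than from the sanitizer label alone.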
 

Comment 1 by mmoroz@chromium.org, Jul 19 2016

Cc: metzman@google.com
Components: Internals>Skia
Labels: -Stability-Libfuzzer M-53 Pri-2
Owner: reed@chromium.org
Summary: Heap-buffer-overflow in SuperBlitter::blitH (was: Crash in SuperBlitter::blitH)

Comment 2 by sheriffbot@chromium.org, Jul 19 2016

Labels: Security_Impact-Head

Comment 3 by sheriffbot@chromium.org, Jul 19 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Jul 19 2016

Labels: -Pri-2 Pri-1

Comment 5 by sheriffbot@chromium.org, Jul 19 2016

Status: Assigned (was: Available)

Comment 6 by reed@chromium.org, Jul 19 2016

Owner: reed@google.com

Comment 7 by gov...@chromium.org, Jul 19 2016

M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Comment 8 by reed@google.com, Jul 20 2016

Cc: caryclark@google.com

Comment 10 by bugdroid1@chromium.org, Jul 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a4804e5955fa16df51c669de5c2871e4446695b

commit 8a4804e5955fa16df51c669de5c2871e4446695b
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Wed Jul 20 19:22:42 2016

Roll src/third_party/skia/ ea70c4bb2..f2944815e (3 commits).

https://chromium.googlesource.com/skia.git/+log/ea70c4bb2239..f2944815e5e4

$ git log ea70c4bb2..f2944815e --date=short --no-merges --format='%ad %ae %s'
2016-07-20 kjlubick Add vulkan sdk to CIPD
2016-07-20 reed re-chop if we fail on a big-bad-cubic
2016-07-20 bungeman Improve assert reporting.

BUG= 629455 

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_blink_rel
TBR=jcgregorio@google.com

Review-Url: https://codereview.chromium.org/2164053002
Cr-Commit-Position: refs/heads/master@{#406636}

[modify] https://crrev.com/8a4804e5955fa16df51c669de5c2871e4446695b/DEPS


Comment 11 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 12 by sheriffbot@chromium.org, Jul 21 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Labels: -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-Head ReleaseBlock-Beta
I'm afraid sheriffbot's label changes were a hiccup - this is still a blocker for Friday's M53.  Any remaining actions before marking as fixed and requesting merge?

Comment 14 by sheriffbot@chromium.org, Jul 22 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 15 by sheriffbot@chromium.org, Jul 22 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Labels: -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-Head ReleaseBlock-Beta

Comment 17 by sheriffbot@chromium.org, Jul 23 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 18 by reed@google.com, Jul 25 2016

Cc: hcm@chromium.org

Comment 20 by sheriffbot@chromium.org, Jul 26 2016

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Jul 27 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta

Comment 23 by sheriffbot@chromium.org, Nov 2 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot