Stack-buffer-overflow in SkDCubic::searchRoots
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4568376638963712

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-buffer-overflow WRITE 8
Crash Address: 0x7f47c8fc8038
Crash State:
  SkDCubic::searchRoots
  LineCubicIntersections::intersectRay
  LineCubicIntersections::intersect

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=405990:406128

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XTfPBio59RBnFLG_C3olcGWjcpsMuvSEZESbGk-e9jbTIASHBQkvhvUZ4s34ZfRydnPLuH6G8cQSO4zwwk-akBhFIlHkk33w7zuusuYNScmg8JepHgfRYfcrvlyvpl-3QW6g8b_-fnV-gNOn3W4GKY_1t4g?testcase_id=4568376638963712

Filer: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 22 2016
The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/8a8accbcd1958c1646246b9b994fb47a3b5a6021

commit 8a8accbcd1958c1646246b9b994fb47a3b5a6021
Author: caryclark <caryclark@google.com>
Date: Fri Jul 22 17:56:26 2016

limit number of searched roots

Extreme numbers can generate more than three found cubic roots when the roots are found through a binary search. Fail in this case.

TBR=reed@google.com
BUG= 630649
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2176733002

Review-Url: https://codereview.chromium.org/2176733002

[modify] https://crrev.com/8a8accbcd1958c1646246b9b994fb47a3b5a6021/src/pathops/SkPathOpsCubic.cpp
[modify] https://crrev.com/8a8accbcd1958c1646246b9b994fb47a3b5a6021/tests/PathOpsOpTest.cpp
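An added illustration of the failure mode the commit message above describes and of the bound it introduces. This is example code written for this page; it is not Skia's SkDCubic::searchRoots and not the patch referenced above. The evaluator callback, the 32-point sampling, the degree-8 stand-in polynomial and every helper name are assumptions of the example. A bracketing root search treats each sign change between consecutive samples as a root and bisects the bracket; the caller passes a three-slot array because a cubic has at most three real roots. When the evaluator yields more sign changes than that (the commit message attributes the extra crossings to extreme numbers under a binary search), the unchecked search writes past the caller's array, which is the shape of the "Stack-buffer-overflow WRITE 8" in the report, while the bounded variant fails the whole search instead.

```c
#include <stdio.h>

#define CUBIC_MAX_ROOTS 3   /* algebraic bound: a real cubic has at most three real roots */
#define SAMPLES 32          /* sample points across [0,1] used to bracket sign changes (assumed) */

typedef double (*eval_fn)(double t);

/* Shrink a bracket [lo,hi] whose endpoints have opposite signs down to a root. */
static double bisect(eval_fn f, double lo, double hi)
{
    int lo_neg = f(lo) < 0;
    for (int i = 0; i < 64; ++i) {
        double mid = 0.5 * (lo + hi);
        if ((f(mid) < 0) == lo_neg)
            lo = mid;
        else
            hi = mid;
    }
    return 0.5 * (lo + hi);
}

/* VULNERABLE shape: every sign change between consecutive samples becomes a root
 * written to roots[], which the caller sized for CUBIC_MAX_ROOTS entries. Nothing
 * checks that count stays within that bound, so an evaluator yielding more sign
 * changes than a cubic can have writes past the caller's stack array. */
static int search_roots_unchecked(eval_fn f, double *roots)
{
    int count = 0;
    double prev_t = 0.0;
    int prev_neg = f(prev_t) < 0;
    for (int i = 1; i <= SAMPLES; ++i) {
        double t = (double)i / SAMPLES;
        int neg = f(t) < 0;
        if (neg != prev_neg)
            roots[count++] = bisect(f, prev_t, t);   /* count is never bounded */
        prev_t = t;
        prev_neg = neg;
    }
    return count;
}

/* BOUNDED shape: the same search, but a fourth bracket means the input is not
 * behaving like a cubic, so the search fails (0 roots) instead of writing. */
static int search_roots_bounded(eval_fn f, double *roots, int capacity)
{
    int count = 0;
    double prev_t = 0.0;
    int prev_neg = f(prev_t) < 0;
    for (int i = 1; i <= SAMPLES; ++i) {
        double t = (double)i / SAMPLES;
        int neg = f(t) < 0;
        if (neg != prev_neg) {
            if (count >= capacity)
                return 0;                        /* fail rather than overflow */
            roots[count++] = bisect(f, prev_t, t);
        }
        prev_t = t;
        prev_neg = neg;
    }
    return count;
}

/* Constructed input: a cubic with roots at 0.2, 0.5 and 0.8. */
static double well_behaved_cubic(double t)
{
    return (t - 0.2) * (t - 0.5) * (t - 0.8);
}

/* Constructed stand-in for the failure mode: eight sign changes in [0,1], more than
 * any cubic has. In Skia the extra crossings came from extreme numbers; here they
 * are simply built into a degree-8 polynomial so no libm is needed. */
static double too_many_crossings(double t)
{
    static const double r[8] = { 0.1, 0.2, 0.3, 0.4, 0.6, 0.7, 0.9, 0.95 };
    double v = 1.0;
    for (int i = 0; i < 8; ++i)
        v *= (t - r[i]);
    return v;
}

/* Result helpers (hypothetical names) so each behaviour can be checked directly. */
static int crossings_found_unchecked(void)
{
    double oversized[64];   /* deliberately large so this demo itself does not overflow */
    return search_roots_unchecked(too_many_crossings, oversized);
}

static int crossings_found_bounded(void)
{
    double roots[CUBIC_MAX_ROOTS];
    return search_roots_bounded(too_many_crossings, roots, CUBIC_MAX_ROOTS);
}

static double cubic_root(int which)   /* -1.0 when no such root was found */
{
    double roots[CUBIC_MAX_ROOTS];
    int n = search_roots_bounded(well_behaved_cubic, roots, CUBIC_MAX_ROOTS);
    return (which >= 0 && which < n) ? roots[which] : -1.0;
}

int main(void)
{
    printf("cubic roots: %.6f %.6f %.6f\n", cubic_root(0), cubic_root(1), cubic_root(2));
    printf("unchecked search stored %d 'roots'; a %d-slot caller array would be overrun\n",
           crossings_found_unchecked(), CUBIC_MAX_ROOTS);
    printf("bounded search returned %d roots: failed cleanly\n", crossings_found_bounded());
    return 0;
}
```

The unchecked search is only ever run here against a deliberately oversized buffer so the program itself is well defined; build with -fsanitize=address and hand it a three-slot array instead to see the same class of report as the ClusterFuzz description. The point of the bounded variant is that the capacity check is made on the write path, not derived from the algebraic expectation of three roots.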
Jul 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/84ce464c5a1ee48dc6786dfd12a68e89da941f13

commit 84ce464c5a1ee48dc6786dfd12a68e89da941f13
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Jul 22 20:36:38 2016

Roll src/third_party/skia/ 4c6e47a8a..f14916935 (4 commits).

https://chromium.googlesource.com/skia.git/+log/4c6e47a8a827..f1491693527a

$ git log 4c6e47a8a..f14916935 --date=short --no-merges --format='%ad %ae %s'
2016-07-22 bungeman Correct advances for 'monospace' fonts in PDF.
2016-07-22 mtklein Add SkRasterPipeline blitter.
2016-07-22 brianosman Bundle SkShader::asFragmentProcessor arguments in a struct
2016-07-22 caryclark limit number of searched roots

BUG= 630649
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_blink_rel
TBR=jcgregorio@google.com

Review-Url: https://codereview.chromium.org/2180483002
Cr-Commit-Position: refs/heads/master@{#407252}

[modify] https://crrev.com/84ce464c5a1ee48dc6786dfd12a68e89da941f13/DEPS
Jul 23 2016
ClusterFuzz has detected this issue as fixed in range 407231:407346.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4568376638963712

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-buffer-overflow WRITE 8
Crash Address: 0x7f47c8fc8038
Crash State:
  SkDCubic::searchRoots
  LineCubicIntersections::intersectRay
  LineCubicIntersections::intersect

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=405990:406128
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407231:407346

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XTfPBio59RBnFLG_C3olcGWjcpsMuvSEZESbGk-e9jbTIASHBQkvhvUZ4s34ZfRydnPLuH6G8cQSO4zwwk-akBhFIlHkk33w7zuusuYNScmg8JepHgfRYfcrvlyvpl-3QW6g8b_-fnV-gNOn3W4GKY_1t4g?testcase_id=4568376638963712

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 23 2016
Oct 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28
Comment 1 by infe...@chromium.org, Jul 22 2016

Components: Internals>Skia
Owner: caryclark@google.com
Status: Assigned (was: Untriaged)