Issue 630649

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Stack-buffer-overflow in SkDCubic::searchRoots

Reported by ClusterFuzz (Project Member), Jul 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4568376638963712

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-buffer-overflow WRITE 8
Crash Address: 0x7f47c8fc8038
Crash State:
  SkDCubic::searchRoots
  LineCubicIntersections::intersectRay
  LineCubicIntersections::intersect
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=405990:406128

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XTfPBio59RBnFLG_C3olcGWjcpsMuvSEZESbGk-e9jbTIASHBQkvhvUZ4s34ZfRydnPLuH6G8cQSO4zwwk-akBhFIlHkk33w7zuusuYNScmg8JepHgfRYfcrvlyvpl-3QW6g8b_-fnV-gNOn3W4GKY_1t4g?testcase_id=4568376638963712

Filer: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: caryclark@chromium.org reed@chromium.org reed@google.com
Components: Internals>Skia
Owner: caryclark@google.com
Status: Assigned (was: Untriaged)
Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org (Project Member), Jul 22 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/8a8accbcd1958c1646246b9b994fb47a3b5a6021

commit 8a8accbcd1958c1646246b9b994fb47a3b5a6021
Author: caryclark <caryclark@google.com>
Date: Fri Jul 22 17:56:26 2016

limit number of searched roots

Extreme numbers can generate more than
three found cubic roots when the roots
are found through a binary search.

Fail in this case.

TBR=reed@google.com
BUG= 630649 
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2176733002

Review-Url: https://codereview.chromium.org/2176733002

[modify] https://crrev.com/8a8accbcd1958c1646246b9b994fb47a3b5a6021/src/pathops/SkPathOpsCubic.cpp
[modify] https://crrev.com/8a8accbcd1958c1646246b9b994fb47a3b5a6021/tests/PathOpsOpTest.cpp
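An added example, not Skia's code and not the patch from the commit above: a bounded version of the scan-and-bisect root search the commit message describes, which fails (returns -1) when a fourth sign change shows up instead of writing a fourth root into the caller's three-element array. The function names, the scan/bisect structure and the sample inputs are assumptions; sin(20t) stands in for a cubic whose evaluation under extreme coefficients flips sign more than three times.

```cpp
#include <cmath>
#include <functional>

// A cubic has at most three real roots, so callers hand searchRoots a double[3].
constexpr int kMaxCubicRoots = 3;
// Scan [tmin, tmax] in `steps` slices and bisect on every sign change.
// Returns the number of roots written, or -1 once a fourth sign change appears:
// the unguarded version would write roots[3] and overflow the caller's array.
int searchRootsBounded(const std::function<double(double)>& f, double tmin,
                       double tmax, int steps, double roots[kMaxCubicRoots]) {
    int count = 0;
    const double step = (tmax - tmin) / steps;
    double prevT = tmin, prevV = f(prevT);
    for (int i = 1; i <= steps; ++i) {
        const double t = tmin + i * step, v = f(t);
        if ((prevV < 0) != (v < 0)) {                // a root lies in [prevT, t]
            if (count >= kMaxCubicRoots) {
                return -1;                           // fail instead of overflowing
            }
            double lo = prevT, hi = t, loV = prevV;
            for (int iter = 0; iter < 50; ++iter) {  // plain bisection
                const double mid = (lo + hi) / 2, midV = f(mid);
                if ((midV < 0) == (loV < 0)) { lo = mid; loV = midV; } else { hi = mid; }
            }
            roots[count++] = (lo + hi) / 2;
        }
        prevT = t; prevV = v;
    }
    return count;
}

// Constructed inputs for the demo (not the bug's minimized test case).
// (t-0.1)(t-0.45)(t-0.9) = t^3 - 1.45t^2 + 0.54t - 0.0405: three clean roots.
bool demoWellBehavedCubic() {
    const double coef[4] = {1.0, -1.45, 0.54, -0.0405};
    double roots[kMaxCubicRoots];
    auto cubic = [&](double t) {                     // Horner evaluation
        return ((coef[0] * t + coef[1]) * t + coef[2]) * t + coef[3];
    };
    return searchRootsBounded(cubic, 0.0, 1.0, 64, roots) == 3 &&
           std::fabs(roots[0] - 0.1) < 1e-9 && std::fabs(roots[1] - 0.45) < 1e-9 &&
           std::fabs(roots[2] - 0.9) < 1e-9;
}

// sin(20t) flips sign six times on [0,1]: the guard trips on the fourth change.
int demoTooManySignChanges() {
    double roots[kMaxCubicRoots];
    return searchRootsBounded([](double t) { return std::sin(20 * t); }, 0.0, 1.0, 64, roots);
}
```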


Comment 4 by bugdroid1@chromium.org (Project Member), Jul 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/84ce464c5a1ee48dc6786dfd12a68e89da941f13

commit 84ce464c5a1ee48dc6786dfd12a68e89da941f13
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Jul 22 20:36:38 2016

Roll src/third_party/skia/ 4c6e47a8a..f14916935 (4 commits).

https://chromium.googlesource.com/skia.git/+log/4c6e47a8a827..f1491693527a

$ git log 4c6e47a8a..f14916935 --date=short --no-merges --format='%ad %ae %s'
2016-07-22 bungeman Correct advances for 'monospace' fonts in PDF.
2016-07-22 mtklein Add SkRasterPipeline blitter.
2016-07-22 brianosman Bundle SkShader::asFragmentProcessor arguments in a struct
2016-07-22 caryclark limit number of searched roots

BUG= 630649 

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_blink_rel
TBR=jcgregorio@google.com

Review-Url: https://codereview.chromium.org/2180483002
Cr-Commit-Position: refs/heads/master@{#407252}

[modify] https://crrev.com/84ce464c5a1ee48dc6786dfd12a68e89da941f13/DEPS

Status: Fixed (was: Started)

Comment 6 by ClusterFuzz (Project Member), Jul 23 2016

ClusterFuzz has detected this issue as fixed in range 407231:407346.

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=405990:406128
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407231:407346

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by sheriffbot@chromium.org (Project Member), Jul 23 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by sheriffbot@chromium.org (Project Member), Oct 29 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1