The result is a list of CLs that change the crashed files.

Author: erikchen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/744e856254e98e5cacf311d5ee989e2fa5cb3252
Time: Mon Jul 25 18:08:36 2016
Lines 11023-11037 of file gles2_cmd_decoder.cc which potentially caused crash are changed in this cl (frame #0, "gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM").
Minimum distance from crash line to modified line: 0. (file: gles2_cmd_decoder.cc, crashed on: 11023, modified: 11023).

Suspected Project: chromium
Suspected Component: Internals>GPU>Internals

We should call effects.resize(count) instead of .reserve(count).

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

CL is written and passes CQ. Just waiting for a review from piman@:
https://codereview.chromium.org/2184443004/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3934224fb0d73e80b434a997c3e0d69e2c8d60a8

commit 3934224fb0d73e80b434a997c3e0d69e2c8d60a8
Author: erikchen <erikchen@chromium.org>
Date: Tue Jul 26 20:37:18 2016

Fix container overflow in DoScheduleCALayerFilterEffectsCHROMIUM.

BUG= 631319 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2184443004
Cr-Commit-Position: refs/heads/master@{#407907}

[modify] https://crrev.com/3934224fb0d73e80b434a997c3e0d69e2c8d60a8/gpu/command_buffer/service/gles2_cmd_decoder.cc

ClusterFuzz has detected this issue as fixed in range 407873:408034.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633021013819392

Fuzzer: gpu_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Container-overflow WRITE 4
Crash Address: 0x606000011a20
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM
  gpu::gles2::GLES2DecoderImpl::HandleScheduleCALayerFilterEffectsCHROMIUMImmediat
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407416:407611
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407873:408034

Minimized Testcase (15.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UPDmMDSM5UiZmg-5f9nhTPfnbzlRf9rEietjbksLPYUXsqjzg_ESlM65czMOA2LlxxHzGFzstCKEI-IlVqrSxu8pLtFsRyyK7k-7kppA1ivq8GXPu6f7uuM6R9Nyu1hChtcIBG1Q4gWFK3wyWHWnfqWfdIg?testcase_id=4633021013819392

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot