Issue metadata
Sign in to add a comment
|
Container-overflow in gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4633021013819392 Fuzzer: gpu_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Container-overflow WRITE 4 Crash Address: 0x606000011a20 Crash State: gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM gpu::gles2::GLES2DecoderImpl::HandleScheduleCALayerFilterEffectsCHROMIUMImmediat gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407416:407611 Minimized Testcase (15.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UPDmMDSM5UiZmg-5f9nhTPfnbzlRf9rEietjbksLPYUXsqjzg_ESlM65czMOA2LlxxHzGFzstCKEI-IlVqrSxu8pLtFsRyyK7k-7kppA1ivq8GXPu6f7uuM6R9Nyu1hChtcIBG1Q4gWFK3wyWHWnfqWfdIg?testcase_id=4633021013819392 Filer: inferno See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 26 2016
We should call effects.resize(count) instead of .reserve(count).
,
Jul 26 2016
,
Jul 26 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 26 2016
,
Jul 26 2016
,
Jul 26 2016
CL is written and passes CQ. Just waiting for a review from piman@: https://codereview.chromium.org/2184443004/
,
Jul 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3934224fb0d73e80b434a997c3e0d69e2c8d60a8 commit 3934224fb0d73e80b434a997c3e0d69e2c8d60a8 Author: erikchen <erikchen@chromium.org> Date: Tue Jul 26 20:37:18 2016 Fix container overflow in DoScheduleCALayerFilterEffectsCHROMIUM. BUG= 631319 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Review-Url: https://codereview.chromium.org/2184443004 Cr-Commit-Position: refs/heads/master@{#407907} [modify] https://crrev.com/3934224fb0d73e80b434a997c3e0d69e2c8d60a8/gpu/command_buffer/service/gles2_cmd_decoder.cc
,
Jul 26 2016
,
Jul 27 2016
ClusterFuzz has detected this issue as fixed in range 407873:408034. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4633021013819392 Fuzzer: gpu_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Container-overflow WRITE 4 Crash Address: 0x606000011a20 Crash State: gpu::gles2::GLES2DecoderImpl::DoScheduleCALayerFilterEffectsCHROMIUM gpu::gles2::GLES2DecoderImpl::HandleScheduleCALayerFilterEffectsCHROMIUMImmediat gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false> Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407416:407611 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=407873:408034 Minimized Testcase (15.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UPDmMDSM5UiZmg-5f9nhTPfnbzlRf9rEietjbksLPYUXsqjzg_ESlM65czMOA2LlxxHzGFzstCKEI-IlVqrSxu8pLtFsRyyK7k-7kppA1ivq8GXPu6f7uuM6R9Nyu1hChtcIBG1Q4gWFK3wyWHWnfqWfdIg?testcase_id=4633021013819392 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 27 2016
,
Nov 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 21 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by infe...@chromium.org
, Jul 26 2016Components: Internals>GPU>Internals
Owner: erikc...@chromium.org
Status: Assigned (was: Untriaged)