Data race in blink::ImageFrame::setSizeAndColorProfile
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6233433015844864
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f04ab9adab0
Crash State:
  blink::ImageFrame::setSizeAndColorProfile
  blink::PNGImageDecoder::rowAvailable
  pngRowAvailable
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=411233:411257
Minimized Testcase (4.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gjbp8kd6tz-24t4xYut43Ljc3PkGLsF-26vztmpyU260MqYS9YDjgjuRccjPMIfbB8E_hHsOWT3ysygLXHAAr2-36QUNQPD9q_wXKtynuYtTP9G7abmqsMvDu6cFvynNkB3OG6xFuwHlDafh5Bby8IRHQog?testcase_id=6233433015844864
Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 11 2016
Ah, I think we need to read the ICC profile prior to decode.
Aug 11 2016
No, that's not it. This is not caused by r409942. From the report: "Location is global blink::RuntimeEnabledFeatures::isColorCorrectRenderingEnabled"; that flag was not added until r411241. This is from r411241, which added that flag. I suspect that we're hitting this issue because we allow tests to mess with this flag in RuntimeEnabledFeatures.in.
Aug 11 2016
Aug 11 2016
Issue 637110 has been merged into this issue.
Aug 11 2016
Adding junov -- do you know offhand of issues with RuntimeEnabledFeatures hitting these sorts of problems?
Aug 15 2016
This is weird, there is nothing in the minimized test case or the repro config that touches the ColorCorrectRendering flag. Are we sure the flag is always correctly initialized?
Sep 2 2016
That should all be auto-generated code, so I wouldn't think it would make a difference.
Oct 9 2016
ClusterFuzz has detected this issue as fixed in range 423512:423881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6233433015844864
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7f04ab9adab0
Crash State:
  blink::ImageFrame::setSizeAndColorProfile
  blink::PNGImageDecoder::rowAvailable
  pngRowAvailable
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=411233:411257
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=423512:423881
Minimized Testcase (4.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gjbp8kd6tz-24t4xYut43Ljc3PkGLsF-26vztmpyU260MqYS9YDjgjuRccjPMIfbB8E_hHsOWT3ysygLXHAAr2-36QUNQPD9q_wXKtynuYtTP9G7abmqsMvDu6cFvynNkB3OG6xFuwHlDafh5Bby8IRHQog?testcase_id=6233433015844864

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 9 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Aug 11 2016
Owner: ccameron@chromium.org
Status: Assigned (was: Untriaged)