New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 640239 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 638223
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-buffer-overflow in SuperBlitter::blitH

Project Member Reported by ClusterFuzz, Aug 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5027901093445632

Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x6160000077a4
Crash State:
  SuperBlitter::blitH
  walk_convex_edges
  sk_fill_path
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96OzyKk_TlK3QY4D4VjBlDXnNBRdXpQNiwhzhNwyyIpN_aXD79JFL7CLGrtMT25UAES3RzM5lBLVdfqgoopoewXxoDVXKydMxG5qZzGg37qW955RvcdrZflIUjFHSrUhl4zGUU5lv4QZDyqBBtPrrZKhVdreg?testcase_id=5027901093445632

Issue manually filed by: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: reed@chromium.org
Components: Internals>Skia
Labels: Pri-1
Owner: caryclark@chromium.org
Status: Assigned (was: Untriaged)
Mergedinto: 638223
Status: Duplicate (was: Assigned)
When I locally apply the fix for 638223

https://codereview.chromium.org/2268073004/

the bug goes away
Project Member

Comment 3 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 414068:414117.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5027901093445632

Fuzzer: afl_skia_path_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x6160000077a4
Crash State:
  SuperBlitter::blitH
  walk_convex_edges
  sk_fill_path
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=414068:414117

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96OzyKk_TlK3QY4D4VjBlDXnNBRdXpQNiwhzhNwyyIpN_aXD79JFL7CLGrtMT25UAES3RzM5lBLVdfqgoopoewXxoDVXKydMxG5qZzGg37qW955RvcdrZflIUjFHSrUhl4zGUU5lv4QZDyqBBtPrrZKhVdreg?testcase_id=5027901093445632

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 2 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment