Heap-buffer-overflow in gpu::gles2::Texture::SetLevelInfo
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5735696365256704
Fuzzer: afl_gpu_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60a000002a88
Crash State:
  gpu::gles2::Texture::SetLevelInfo
  gpu::gles2::TextureManager::SetLevelInfo
  gpu::gles2::GLES2DecoderImpl::TexStorageImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=416342:416450
Minimized Testcase (2.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97CHnv5qvEvOQpxCfFPScUcqaIPGQy6SeTwY1KDFDI7Y8HZB6jP1Sq3b_IKg9eUwmEj5zwb2ahiHqnsdpjJADbVLbKhHYd0Zr0yXuvMWBELl-KfpqPVwzbHeYyk8XY8XkmDtfEozdDQSpAj7XtYa4nrDWzTCw?testcase_id=5735696365256704
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Sep 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 4 2016
Sep 5 2016
Sep 5 2016
yunchao.he@intel.com -- can you please take a look at this bug and help triage this asap? Thanks.
Sep 5 2016
Sep 5 2016
Sorry, I have no access to the instructions to reproduce this crash issue. @zmo and @kbr and @piman, could you take a look at this p1 bug?
Sep 5 2016
Sep 5 2016
Friendly ping, this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8
Sep 6 2016
I suspect this is not a regression, but just got found by the fuzzer after increasing coverage with https://codereview.chromium.org/2299413003
I'll take a look.
Sep 6 2016
Sep 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c0c7eb6cf1e79164fc2a261a25d063252e7a0096
commit c0c7eb6cf1e79164fc2a261a25d063252e7a0096
Author: piman <piman@chromium.org>
Date: Tue Sep 06 20:36:04 2016

Correctly limit glTexStorage*(GL_TEXTURE_RECTANGLE_ARB, ...) to 1 mip level

BUG= 643935
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2315773002
Cr-Commit-Position: refs/heads/master@{#416708}

[modify] https://crrev.com/c0c7eb6cf1e79164fc2a261a25d063252e7a0096/gpu/command_buffer/service/gles2_cmd_decoder_unittest_textures.cc
[modify] https://crrev.com/c0c7eb6cf1e79164fc2a261a25d063252e7a0096/gpu/command_buffer/service/texture_manager.cc
Sep 7 2016
ClusterFuzz has detected this issue as fixed in range 416652:416734.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5735696365256704
Fuzzer: afl_gpu_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60a000002a88
Crash State:
  gpu::gles2::Texture::SetLevelInfo
  gpu::gles2::TextureManager::SetLevelInfo
  gpu::gles2::GLES2DecoderImpl::TexStorageImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=416342:416450
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=416652:416734
Minimized Testcase (2.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97CHnv5qvEvOQpxCfFPScUcqaIPGQy6SeTwY1KDFDI7Y8HZB6jP1Sq3b_IKg9eUwmEj5zwb2ahiHqnsdpjJADbVLbKhHYd0Zr0yXuvMWBELl-KfpqPVwzbHeYyk8XY8XkmDtfEozdDQSpAj7XtYa4nrDWzTCw?testcase_id=5735696365256704
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 7 2016
Sep 7 2016
It's fixed on trunk, do we want to merge to M54? Note, it's not a regression, it's been broken virtually forever.
Sep 7 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6136759230f2769649e5b41ab070da84f45ac8ad
commit 6136759230f2769649e5b41ab070da84f45ac8ad
Author: Antoine Labour <piman@chromium.org>
Date: Wed Sep 07 23:36:23 2016

Correctly limit glTexStorage*(GL_TEXTURE_RECTANGLE_ARB, ...) to 1 mip level

BUG= 643935
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2315773002
Cr-Commit-Position: refs/heads/master@{#416708}
(cherry picked from commit c0c7eb6cf1e79164fc2a261a25d063252e7a0096)

Review URL: https://codereview.chromium.org/2325493002 .
Cr-Commit-Position: refs/branch-heads/2840@{#224}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/6136759230f2769649e5b41ab070da84f45ac8ad/gpu/command_buffer/service/gles2_cmd_decoder_unittest_textures.cc
[modify] https://crrev.com/6136759230f2769649e5b41ab070da84f45ac8ad/gpu/command_buffer/service/texture_manager.cc
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6136759230f2769649e5b41ab070da84f45ac8ad
Dec 14 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot