Issue: Use-of-uninitialized-value in SkUnPreMultiply::PMColorToColor
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5973049612697600
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkUnPreMultiply::PMColorToColor
  SkBitmap::getColor
  blink::DrawingDisplayItem::equals
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=416257:416283
Minimized Testcase (1.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Gc0myEKHyAN_hwjp2vgR13a_JDFS8i8eamHD_4ctv3C1qkiOmbXQUMi7T7Gw8dYF6Mf8IRsuNLq2SqvcDTynrqyN6G0YO6RKxL82EOlLtV5mMBtv1aBEChQMXQ0RkkSqPaK428gWd9GXZxrTQ1hkJVHAMlA?testcase_id=5973049612697600

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 4 2016
Forgot to add: Assigning you as the owner because one of your CLs changed the topmost frame last.
Sep 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 4 2016
There is no security risk to passing uninitialized data to SkUnPreMultiply::PMColorToColor(). It handles all 2^32 inputs. However, this implies you have an SkBitmap containing uninitialized pixels. That's not usually a good state to be in once done drawing. It looks like PaintController::checkUnderInvalidation() is diagnostic code. I would contact wangxianzhu, its author. I cannot CC him without you first CC'ing mtklein@chromium.org to this bug. I think the simplest fix is probably to call bitmap.eraseColor(0x00000000); in blink::pictureToBitmap().
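An added example, not Chromium or Skia code, that models the situation this comment describes: a toy unpremultiply that accepts every 32-bit input (so garbage cannot crash it, only yield a garbage colour), a model of blink::pictureToBitmap() that paints only part of a freshly allocated surface, and a pixel-by-pixel comparison in the spirit of DrawingDisplayItem::equals(). Two rasterisations of the same picture compare equal only when the surface was erased first. The pixel layout, the stale-memory fill and all function names here are assumptions for the example; real uninitialized memory holds indeterminate bytes, which MSan reports on first use, so a seeded pattern stands in for it to keep the example deterministic.

```cpp
// Added example (not Chromium/Skia code). Models: uninitialized SkBitmap pixels
// compared via getColor() -> PMColorToColor(), and the eraseColor(0) fix.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

using PMColor = uint32_t; // assumed packing: A in bits 24..31, R 16..23, G 8..15, B 0..7
using Color   = uint32_t;

static inline uint32_t chan(uint32_t c, int shift) { return (c >> shift) & 0xFF; }

// Toy stand-in for SkUnPreMultiply::PMColorToColor(): total over all 2^32 inputs.
// A bogus input cannot fault here; it just produces a bogus colour.
Color toyPMColorToColor(PMColor pm) {
    uint32_t a = chan(pm, 24);
    if (a == 0) return 0; // fully transparent: colour channels are dropped
    auto un = [a](uint32_t v) {
        uint32_t r = (v * 255u + a / 2) / a;
        return r > 255u ? 255u : r;
    };
    return (a << 24) | (un(chan(pm, 16)) << 16) | (un(chan(pm, 8)) << 8) | un(chan(pm, 0));
}

struct Bitmap {
    int w = 0, h = 0;
    std::vector<PMColor> px; // models SkBitmap pixel memory
    PMColor getPixel(int x, int y) const { return px[(size_t)y * w + x]; }
    Color   getColor(int x, int y) const { return toyPMColorToColor(getPixel(x, y)); }
};

// Stand-in for whatever the allocator left in the buffer. Alpha is forced opaque
// so the leftover colour bytes survive unpremultiply instead of being masked.
static void fillWithStaleBytes(std::vector<PMColor>& px, uint32_t seed) {
    for (size_t i = 0; i < px.size(); ++i)
        px[i] = 0xFF000000u | ((seed * 0x9E3779B9u + (uint32_t)i) & 0x00FFFFFFu);
}

// Model of blink::pictureToBitmap(): allocate, optionally erase to transparent,
// then "play back" a picture that only paints the left half of the surface.
Bitmap pictureToBitmap(int w, int h, bool eraseFirst, uint32_t staleSeed) {
    Bitmap bm;
    bm.w = w; bm.h = h;
    bm.px.resize((size_t)w * h);
    fillWithStaleBytes(bm.px, staleSeed);
    if (eraseFirst)
        std::fill(bm.px.begin(), bm.px.end(), 0x00000000u); // bitmap.eraseColor(0)
    for (int y = 0; y < h; ++y)
        for (int x = 0; x < w / 2; ++x)
            bm.px[(size_t)y * w + x] = 0xFF0000FFu; // opaque blue, premultiplied
    return bm;
}

// Model of the comparison in DrawingDisplayItem::equals(): pixel by pixel via getColor().
bool bitmapsEqual(const Bitmap& a, const Bitmap& b) {
    if (a.w != b.w || a.h != b.h) return false;
    for (int y = 0; y < a.h; ++y)
        for (int x = 0; x < a.w; ++x)
            if (a.getColor(x, y) != b.getColor(x, y)) return false;
    return true;
}

// Two rasterisations of the same picture into buffers with different leftover
// contents: they compare equal only if the undrawn area was erased.
bool sameDrawingCompares(bool eraseFirst) {
    Bitmap a = pictureToBitmap(8, 4, eraseFirst, 1);
    Bitmap b = pictureToBitmap(8, 4, eraseFirst, 2);
    return bitmapsEqual(a, b);
}

int main() {
    std::printf("without eraseColor: equal=%d\n", (int)sameDrawingCompares(false));
    std::printf("with eraseColor:    equal=%d\n", (int)sameDrawingCompares(true));
    return 0;
}
```

The comparison result flips from "not equal" to "equal" purely because of the erase, which is the diagnostic noise (and MSan report) the comment attributes to the unerased bitmap rather than to PMColorToColor itself.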
Sep 5 2016
Based on #6 this shouldn't be a release blocker, removing the ReleaseBlock-Beta label.
Sep 6 2016
ClusterFuzz has detected this issue as fixed in range 416466:416526.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5973049612697600
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkUnPreMultiply::PMColorToColor
  SkBitmap::getColor
  blink::DrawingDisplayItem::equals
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=416257:416283
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=416466:416526
Minimized Testcase (1.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Gc0myEKHyAN_hwjp2vgR13a_JDFS8i8eamHD_4ctv3C1qkiOmbXQUMi7T7Gw8dYF6Mf8IRsuNLq2SqvcDTynrqyN6G0YO6RKxL82EOlLtV5mMBtv1aBEChQMXQ0RkkSqPaK428gWd9GXZxrTQ1hkJVHAMlA?testcase_id=5973049612697600

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 6 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 13 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Sep 4 2016
Components: Internals>Skia>Compositing, Internals>Skia
Owner: b.kele...@samsung.com
Status: Assigned (was: Untriaged)