Security: heap-buffer-overflow on ProcessTwoPixelPairs
Reported by ntrip...@gmail.com, Sep 8 2016
Issue description
Read heap buffer overflow; I attach the ASan log. I didn't take a look or reverse it, just took it from the fuzzer and sent it here.
VERSION
Chrome Version: 53.0.2785.92 + stable
Operating System: Linux
REPRODUCTION CASE
attached
Comment 1 by ClusterFuzz, Sep 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5722347892113408
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7fc9a4ad2d98
Crash State:
  S32_opaque_D32_filter_DX_SSSE3
  BitmapProcShaderContext::shadeSpan
  SkColorFilterShader::FilterShaderContext::shadeSpan
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=268656:269696
Minimized Testcase (0.70 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97yygVZApZmTGyNkI3i1jaDi_aDnSoeukYrmaaovgo1iUt7RlUc22vUhaLrmXj9dzhyRg6zkNSCl629VG_EslEfBUNW7Ijfg1jse8h2gSYbecqsSmOj1htG0hwj9UkGNswI7PVBk1Yi2V191A8rC0qoBZGAxA?testcase_id=5722347892113408

<head>
<script>
var x = {};
function crash() {
  // Destination canvas (with alpha) whose 2d context does the drawImage below.
  x[648] = document.createElementNS('http://www.w3.org/1999/xhtml', 'canvas');
  x[855] = x[648].getContext('2d', { alpha: true });
  'http://www.w3.org/1999/xhtml', 'canvas';  // no-op expression left over from minimization
  // Source canvas: opaque, 9171 pixels wide, with some stroked content.
  x[1610] = document.createElementNS('http://www.w3.org/1999/xhtml', 'canvas');
  x[2330] = x[1610].getContext('2d', { willReadFrequently: true, alpha: false });
  x[1610].width = 9171;
  '2d', { willReadFrequently: false, alpha: true };  // no-op expression left over from minimization
  x[2330].strokeRect(0.3649263580713715, 128, 8, 32);
  // Shadowed draw of the wide source at a fractional position and sub-pixel size,
  // which takes the filtered (bilinear) bitmap-sampling path named in the crash state.
  x[855].shadowBlur = 512;
  x[855].shadowColor = "red";
  x[855].drawImage(x[1610], 0.4827066851972385, 8, 0.8359630000395614, 0.10588275643668202);
}
</script>
</head>
<body onload="crash();"></body>
</html>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Sep 9 2016
Seems this has been there for a while. mtklein -> can you take a look at this issue?
Sep 9 2016
Tomorrow I will take a look too.
Sep 23 2016
mtklein: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 8 2016
mtklein: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 11 2016
mtklein@, have you had a chance to take a look? I re-uploaded the testcase to check if that's still reproducible. CC'ing more Skia folks.
Oct 11 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4595428811341824
Oct 11 2016
I have not yet looked.
Nov 15 2016
I've started looking at this. S32_opaque_D32_filter_DX_SSSE3 is rather complex. S32_opaque_D32_filter_DX_SSE2 is still not exactly straightforward, but a lot simpler to follow. I took a look at both, paying particular attention to the loads and stores, and nothing jumped out at me as buggy looking. I'm more confident about the _SSE2 version than the _SSSE3 version. I'll see which of the _SSSE3 and _SSE2 options I can get to repro this.
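As an added example (not Skia's or Chromium's code, and not posted in this thread), a scalar model of the filter_DX proc with an explicit index check run before any pixel row is read, the kind of guard that turns an out-of-range load in the SIMD path into a clean failure. It assumes the packed xy layout I understand Skia's scalar filter procs to use (index 0 in the top 14 bits, a 4-bit weight, index 1 in the low 14 bits); the bug report itself does not state that layout.

```c
#include <stdint.h>

/* Added example, not Skia's code. Models the packed entries consumed by the
 * scalar filter_DX proc as I understand Skia's layout (an assumption, not
 * stated in the bug): y entry (y0 << 18) | (subY << 14) | y1, then one x
 * entry (x0 << 18) | (subX << 14) | x1 per output pixel, with 4-bit weights. */

/* Pack one coordinate pair with its 4-bit fractional weight. */
uint32_t pack_filter(unsigned i0, unsigned sub, unsigned i1) {
    return (i0 << 18) | ((sub & 0xF) << 14) | (i1 & 0x3FFF);
}
/* Return the position of the first entry that would read outside a
 * width x height source (0 = y entry, 1..count = x entries), or -1. */
int validate_filter_xy(const uint32_t* xy, int count, int width, int height) {
    unsigned y0 = xy[0] >> 18, y1 = xy[0] & 0x3FFF;
    if (y0 >= (unsigned)height || y1 >= (unsigned)height) return 0;
    for (int i = 1; i <= count; i++) {
        unsigned x0 = xy[i] >> 18, x1 = xy[i] & 0x3FFF;
        if (x0 >= (unsigned)width || x1 >= (unsigned)width) return i;
    }
    return -1;
}
/* Bilinear blend of four opaque 8888 pixels; x, y are 0..15 weights. */
uint32_t filter_32_opaque(unsigned x, unsigned y, uint32_t a00, uint32_t a01,
                          uint32_t a10, uint32_t a11) {
    const uint32_t mask = 0xFF00FF;
    unsigned xy = x * y, scale = 256 - 16 * y - 16 * x + xy;
    uint32_t lo = (a00 & mask) * scale, hi = ((a00 >> 8) & mask) * scale;
    scale = 16 * x - xy; lo += (a01 & mask) * scale; hi += ((a01 >> 8) & mask) * scale;
    scale = 16 * y - xy; lo += (a10 & mask) * scale; hi += ((a10 >> 8) & mask) * scale;
    lo += (a11 & mask) * xy; hi += ((a11 >> 8) & mask) * xy;
    return ((lo >> 8) & mask) | (hi & ~mask);
}
/* Scalar reference for filter_DX: one y entry followed by count x entries.
 * Returns 0 without touching src when any index is out of range, else 1. */
int filter_dx_checked(const uint32_t* src, int width, int height,
                      const uint32_t* xy, int count, uint32_t* dst) {
    if (validate_filter_xy(xy, count, width, height) != -1) return 0;
    unsigned subY = (xy[0] >> 14) & 0xF;
    const uint32_t* row0 = src + (xy[0] >> 18) * width;
    const uint32_t* row1 = src + (xy[0] & 0x3FFF) * width;
    for (int i = 0; i < count; i++) {
        uint32_t XX = xy[i + 1];
        unsigned x0 = XX >> 18, subX = (XX >> 14) & 0xF, x1 = XX & 0x3FFF;
        dst[i] = filter_32_opaque(subX, subY, row0[x0], row0[x1], row1[x0], row1[x1]);
    }
    return 1;
}
```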
Dec 12 2016
I'm afraid I haven't been able to reproduce this with ASAN builds of content_shell or chrome.
Mar 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot