Crash in blink::ImagePattern::ImagePattern
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5433548335218688

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::ImagePattern::ImagePattern
  blink::ImagePattern::create
  blink::Pattern::createImagePattern

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=416628:417590

Minimized Testcase (3.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97lzGWbh48YfG86siTV9EYpNfBGthQUW50b7p-qb9OpoFy948OTHJxuESGmYYOljN7GROGBu60xuBBcqfqpfwu8kX_pfrcNclrFxaUv0HvAUeCacL2MgSWVQC7cRgYVzpElvC9kVi6UdKbroT-BMSddaU-0VQ?testcase_id=5433548335218688

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 14 2016
I guess I know why the regression happens in Chromium revision 416628:417590 and yet my two CLs are outside that range. It's probably this CL (https://chromium.googlesource.com/chromium/src/+/980562f70d53ff313d4f5cd885c70248d3dd902a) that's modifying the function when OffscreenCanvas is a CanvasSourceImage; it may introduce a possibility that the image is null and the status is normal. +cc junov. Nevertheless, I got a CL that's fixing it now (https://codereview.chromium.org/2344573002/).
Sep 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ce494afba26d386e562b8e8d84ef707d5c54bfc3

commit ce494afba26d386e562b8e8d84ef707d5c54bfc3
Author: xlai <xlai@chromium.org>
Date: Thu Sep 15 19:05:12 2016

Correct SourceImageStatus in OffscreenCanvas::getSourceImageForCanvas

The crash in the constructor of ImagePattern may be due to the fact that the image passed in as its constructor argument is nullptr. By tracking the call trace backwards, we find the image creation originates from BaseRenderingContext2D::createPattern, where the SourceImageStatus indicates what corresponding action to do. But this SourceImageStatus was wrongly set for OffscreenCanvas, in particular in the function OffscreenCanvas::getSourceImageForCanvas. This CL corrects it and makes sure that if the image is null, BaseRenderingContext2D::createPattern will return Image::nullImage() instead of nullptr.

BUG= 646654

Review-Url: https://codereview.chromium.org/2344573002
Cr-Commit-Position: refs/heads/master@{#418927}

[add] https://crrev.com/ce494afba26d386e562b8e8d84ef707d5c54bfc3/third_party/WebKit/LayoutTests/fast/canvas/OffscreenCanvas-empty-image-source.html
[modify] https://crrev.com/ce494afba26d386e562b8e8d84ef707d5c54bfc3/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.cpp
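The status/pointer mismatch the commit above describes, as an added illustration in simplified C++. This is not Blink's code: getSourceImageForCanvas, createPattern, ImagePattern and nullImage are stand-ins for the Blink functions named in the commit message, and the Normal/Invalid status values, the hasContext and fixed flags and the Outcome enum are assumptions of this model. It shows why a status that says "normal" next to a null pointer is a memory-safety bug rather than a logic nit: the consumer branches on the status alone and never checks the pointer.

```cpp
#include <cstddef>

// Simplified model written for this page, not Blink's code. Names are chosen
// for illustration only.

enum class SourceImageStatus { Normal, Invalid };

struct Image {
    Image(int w = 0, int h = 0) : width(w), height(h) {}
    int width;
    int height;
};

// Stand-in for Image::nullImage(): a shared, valid, zero-sized Image that can
// be passed anywhere an Image* is expected without dereferencing null.
const Image* nullImage() {
    static const Image kNullImage{};
    return &kNullImage;
}

// Stand-in for blink::ImagePattern. The real constructor reads from `image`
// unconditionally, which is where a nullptr argument faults.
struct ImagePattern {
    explicit ImagePattern(const Image* image) : backing(image) {}
    const Image* backing;
};

// Stand-in for OffscreenCanvas::getSourceImageForCanvas. `hasContext` models an
// OffscreenCanvas on which no rendering context was ever created, so there is
// nothing to snapshot. `fixed` toggles pre-fix and post-fix behaviour (both
// flags are assumptions of this model).
const Image* getSourceImageForCanvas(bool hasContext, bool fixed,
                                     SourceImageStatus* status) {
    static const Image kSnapshot{32, 32};
    if (!hasContext) {
        // Pre-fix: status is left at Normal although nullptr is returned.
        // Post-fix: status tells the caller the image is unusable.
        *status = fixed ? SourceImageStatus::Invalid : SourceImageStatus::Normal;
        return nullptr;
    }
    *status = SourceImageStatus::Normal;
    return &kSnapshot;
}

enum class Outcome { Pattern, NullDereference };

// Stand-in for BaseRenderingContext2D::createPattern. On Invalid status it
// substitutes nullImage(); on Normal status it trusts the pointer it was given,
// exactly as the crashing caller did.
Outcome createPattern(bool hasContext, bool fixed, const Image** backingOut) {
    SourceImageStatus status = SourceImageStatus::Normal;
    const Image* image = getSourceImageForCanvas(hasContext, fixed, &status);
    if (status == SourceImageStatus::Invalid)
        image = nullImage();
    if (image == nullptr) {
        // Crash path: status said Normal, so the real code would construct
        // ImagePattern(nullptr) and fault. Report it instead of dereferencing.
        return Outcome::NullDereference;
    }
    ImagePattern pattern(image);
    *backingOut = pattern.backing;
    return Outcome::Pattern;
}

// Width of the pattern's backing image, or -1 if no pattern was produced.
int backingWidth(bool hasContext, bool fixed) {
    const Image* backing = nullptr;
    if (createPattern(hasContext, fixed, &backing) != Outcome::Pattern)
        return -1;
    return backing->width;
}
```

With fixed=false and hasContext=false the consumer reaches the NullDereference path; with fixed=true the same input yields a pattern backed by the shared null image, which is the behaviour the commit message describes. The general lesson for review is that any producer returning a (status, pointer) pair must keep the two consistent on every early-return path, because callers are entitled to skip the null check when the status is Normal.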
Oct 18 2016
This bug is already fixed.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Sep 13 2016
Labels: M-55 Te-Logged
Owner: xlai@chromium.org
Status: Assigned (was: Untriaged)