
Issue 647189


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::ImageBuffer::newSkImageSnapshot

Reported by ClusterFuzz (Project Member), Sep 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5622825161588736

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toDataURLInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=415934:416243

Minimized Testcase (1.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WqOpCMIcUU090sqtEQze3WISy5hRb9F1ZQxixdarz9sI3WyjTPeUpkhJXC8wXH26PJTy2WqIxE6hQa1gv5Lx7P9l_27d8bpThJYOsPSiNltkxx4mHjsgHqNmFxLhuJ-b4i5g77Eh2HN70i1I94c4uomM7aw?testcase_id=5622825161588736

Issue manually filed by: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
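As an added triage helper, not part of this issue, of ClusterFuzz or of Findit: a small parser for the report format reproduced above that pulls out the crash type, faulting address, crash state and regression range, and applies the usual first-pass heuristic that a READ at a tiny absolute address such as 0x18 is a null pointer plus a field offset (a denial of service) rather than an attacker-influenced pointer. The sample text is constructed from the fields of this report, and the NULL_DEREF_LIMIT threshold is an assumption, not a ClusterFuzz constant.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the fields shown in this issue's description.
SAMPLE_REPORT = """\
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toDataURLInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=415934:416243
"""

# Assumption: faults below this address are treated as a null pointer plus a
# small field/vtable offset, i.e. the unmapped zero page, not a wild pointer.
NULL_DEREF_LIMIT = 0x1000

_KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
_RANGE = re.compile(r"range=(\d+):(\d+)")


@dataclass
class CrashReport:
    fuzzer: str
    job_type: str
    crash_type: str
    crash_address: Optional[int]
    crash_state: List[str]
    regression_range: Optional[Tuple[int, int]]

    def is_near_null(self) -> bool:
        """True when the faulting address lies inside the null page region."""
        return self.crash_address is not None and self.crash_address < NULL_DEREF_LIMIT

    def severity_hint(self) -> str:
        """Coarse bucket for the first pass over a fuzzer finding."""
        kind = self.crash_type.upper()
        if "USE-AFTER-FREE" in kind or "OVERFLOW" in kind or "WRITE" in kind:
            return "high: write or dangling access, assume exploitable until shown otherwise"
        if "READ" in kind:
            if self.is_near_null():
                return "low: null-pointer dereference, denial of service only"
            return "medium: read through an unknown pointer, check whether it is attacker-influenced"
        return "unknown: manual review"


def parse_report(text: str) -> CrashReport:
    """Parse the key: value report; the crash state is the indented block."""
    fields = {}
    state: List[str] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _KEY_VALUE.match(lines[i])
        if m and m.group(1) == "Crash State":
            i += 1
            while i < len(lines) and lines[i].startswith(" ") and lines[i].strip():
                state.append(lines[i].strip())
                i += 1
            continue
        if m:
            fields[m.group(1)] = m.group(2).strip()
        i += 1
    addr_text = fields.get("Crash Address", "")
    address = int(addr_text, 16) if addr_text.startswith("0x") else None
    rng = _RANGE.search(fields.get("Regressed", ""))
    regression = (int(rng.group(1)), int(rng.group(2))) if rng else None
    return CrashReport(
        fuzzer=fields.get("Fuzzer", ""),
        job_type=fields.get("Job Type", ""),
        crash_type=fields.get("Crash Type", ""),
        crash_address=address,
        crash_state=state,
        regression_range=regression,
    )


def regression_span(report: CrashReport) -> int:
    """Number of revisions the regression range covers; a small span keeps a
    bisect over the suspected CLs cheap."""
    if report.regression_range is None:
        return 0
    start, end = report.regression_range
    return end - start


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r.crash_type, hex(r.crash_address), r.crash_state[0])
    print(r.severity_hint(), "| revisions in range:", regression_span(r))
```

The heuristic is only a starting point: a near-null READ still deserves a look at the frame 0 code, because the same missing check may be reachable with a non-null, partially controlled pointer on another path.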
 
Components: Blink
Labels: Findit-for-crash M-55 Te-Logged
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.

(No CL in the regression range changed the crashing files.)

Author: junov@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ec3bf2dcd1319333c1253db22c6c8f3e781c65a6
Time: Wed Aug 19 00:56:58 2015
The CL last changed line 188 of file ImageBuffer.cpp, which is stack frame 0.

Author: junov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/bce6e17e44e6ce516ed63b6360823dea10461b3e
Time: Fri Feb 05 18:52:00 2016
The CL last changed line 606 of file HTMLCanvasElement.cpp, which is stack frame 1.

Author: junov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/bce6e17e44e6ce516ed63b6360823dea10461b3e
Time: Fri Feb 05 18:52:00 2016
The CL last changed line 636 of file HTMLCanvasElement.cpp, which is stack frame 2.

Author: xlai
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/9dcdf861954dd8294faf3eefde89ea228f99c322
Time: Fri Sep 25 21:05:24 2015
The CL last changed line 684 of file HTMLCanvasElement.cpp, which is stack frame 3.

Author: vivek.vg@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f82dca3c5c2ece3448056966548e81cf67b68941
Time: Wed Feb 18 01:02:28 2015
The CL last changed line 117 of file HTMLCanvasElement.h, which is stack frame 4.

Suspected Project: chromium
Suspected Component: Blink>HTML

Possible suspect : https://chromium.googlesource.com/chromium/src/+/bce6e17e44e6ce516ed63b6360823dea10461b3e

Please reassign if this is not related to your change.
Comment 2 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 418536:418563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5622825161588736

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toDataURLInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=415934:416243
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=418536:418563

Minimized Testcase (1.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WqOpCMIcUU090sqtEQze3WISy5hRb9F1ZQxixdarz9sI3WyjTPeUpkhJXC8wXH26PJTy2WqIxE6hQa1gv5Lx7P9l_27d8bpThJYOsPSiNltkxx4mHjsgHqNmFxLhuJ-b4i5g77Eh2HN70i1I94c4uomM7aw?testcase_id=5622825161588736

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz (Project Member), Sep 15 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 4 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
