Hello Heather,

I'm hoping you can help triage this ticket (and https://bugs.chromium.org/p/chromium/issues/detail?id=640233).  

Apparently fmenozzi@google.com submitted this changelist, but fmenozzi cannot be found in who/, and doesn't seem to exist as fmenozzi@chromium.org.  Can you shed some light on this person Heather?

We need somebody to handle these security bugs that seem to have been introduced by their CL.


https://chromium.googlesource.com/skia.git/+/68d952cf4061dc455d6a6040ce1e4625e4f2ab29
Time: Fri Aug 19 15:56:56 2016
Lines 902, 907 of file SkGradientShader.cpp which potentially caused crash are changed in this cl (frame #0, "SkGradientShader::MakeTwoPointConical").
Minimum distance from crash line to modified line: 0. (file: SkGradientShader.cpp, crashed on: 902, modified: 902).



Many thanks!

fmenozzi@ was an intern who has just finished his stint at Google. Trying his host or others who have reviewed some of the changes.

I need someone to add me to the other ticket to be able to take action.

On it, but would like access to the original bug.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/54d9b6688d3f023c40726c0ea1ab2629e54ab306

commit 54d9b6688d3f023c40726c0ea1ab2629e54ab306
Author: tomhudson <tomhudson@google.com>
Date: Fri Sep 16 21:22:49 2016

Improve ColorStopOptimizer safety

Could potentially access uninitialized memory.

BUG= 647481 
R=brianosman@google.com
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2345343002

Review-Url: https://codereview.chromium.org/2345343002

[modify] https://crrev.com/54d9b6688d3f023c40726c0ea1ab2629e54ab306/src/effects/gradients/SkGradientShader.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c434bdbf3986af89f6d546efaa001ab4e5fac230

commit c434bdbf3986af89f6d546efaa001ab4e5fac230
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Sep 16 23:03:25 2016

Roll src/third_party/skia/ b6318bf44..67ac33e1f (5 commits).

https://chromium.googlesource.com/skia.git/+log/b6318bf44dd8..67ac33e1f1a1

$ git log b6318bf44..67ac33e1f --date=short --no-merges --format='%ad %ae %s'
2016-09-16 bungeman Remove SK_DECLARE_LEGACY_CREATE_FROM_FONTDATA.
2016-09-16 msarett Fix filling of incomplete images in SkSampledCodec
2016-09-16 halcanary SkPDF:  Implement /ActualText to make text extraction correct.
2016-09-16 mtklein format GN files, and invert if->config to config->if
2016-09-16 tomhudson Improve ColorStopOptimizer safety

BUG= 647481 

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
TBR=djsollen@google.com

Review-Url: https://codereview.chromium.org/2348003002
Cr-Commit-Position: refs/heads/master@{#419317}

[modify] https://crrev.com/c434bdbf3986af89f6d546efaa001ab4e5fac230/DEPS

ClusterFuzz has detected this issue as fixed in range 419286:419330.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4671799730372608

Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkGradientShaderBase::SkGradientShaderBase
  SkTwoPointConicalGradient::SkTwoPointConicalGradient
  SkGradientShader::MakeTwoPointConical
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=413208:413324
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=419286:419330

Minimized Testcase (0.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952qGXnd7RDYp8MlhtD62Thyrnufy8gSE8ipVhH-LQYggsIAh9aJQRDl57LxXs5i4FgysqaCZtIAn4gGJg3_7ErviBZTQbqsSYIh-cA3chXx-dkb5iss5ZyvJaY_hMC5j3DGfBMd3OJenqu4MF3MxPpvL2W4g?testcase_id=4671799730372608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Approving for M54, per discussion we only need one SKIA change that looks safe and will fix this security bug.

tomhudson@ - is it reasonable to just cherry pick https://skia.googlesource.com/skia.git/+/54d9b6688d3f023c40726c0ea1ab2629e54ab306 for M54, rather than repeat the roll in #9 ?

awhalley@: by itself it should be a safe cherrypick.

I've left Skia/Chrome so no longer am set up to do the work myself, unfortunately.

Thanks for the fix Tom, I'll handle the merge.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/a21f10dd8b19c6cb47d07d94d0a0525c16461969

commit a21f10dd8b19c6cb47d07d94d0a0525c16461969
Author: fmalita <fmalita@chromium.org>
Date: Mon Oct 10 13:40:34 2016

[M54] Improve ColorStopOptimizer safety

Could potentially access uninitialized memory.

M54 cherry-pick for  http://crbug.com/647481 

BUG= 647481 
TBR=brianosman@google.com
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2345343002

Review-Url: https://codereview.chromium.org/2345343002
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2405853002

[modify] https://crrev.com/a21f10dd8b19c6cb47d07d94d0a0525c16461969/src/effects/gradients/SkGradientShader.cpp

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot