
Issue 647824 link


Issue metadata

Status: Fixed
Closed: Sep 2016
OS: Linux
Pri: 1
Type: Bug




Crash in blink::HTMLCanvasElement::toDataURLInternal

Project Member Reported by ClusterFuzz, Sep 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4942847902220288

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::HTMLCanvasElement::toDataURLInternal
  blink::HTMLCanvasElement::toDataURL
  blink::HTMLCanvasElementV8Internal::toDataURLMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=418536:418563

Minimized Testcase (19.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kzwospTOsjegb5WursFDVLa9iDLTItBZ1pt3oeUz6KbXNlj3dtaehGQs6KWbXY1d3VUiL709F4tg4Vvg1QqWyv3s91B3FeoHqsUbzOXvjUlTnr3Qc4AtM1r5pJydnCuVEcSiAgBKWyekzjVUxYXAAYFZq2fQq_bi3OmFo6cbN_clIiVU?testcase_id=4942847902220288

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>HTML
Labels: M-55 Te-Logged
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)

Author: junov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/9d280866e11c2c038005452c8d14fb3ffa91ac2c
Time: Wed Sep 14 14:59:02 2016
File HTMLCanvasElement.cpp is changed in this cl (and is part of stack frame #2, "blink::HTMLCanvasElement::toDataURLInternal"; frame #3, "blink::HTMLCanvasElement::toDataURL")
Minimum distance from crash line to modified line: 12. (file: HTMLCanvasElement.cpp, crashed on: 661, modified: 649).

Suspected Project: chromium
Suspected Component: Blink>HTML

junov@, could you please take a look and help us find the correct owner if it is not related to your changes.

Comment 2 by bugdroid1@chromium.org (Project Member), Sep 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7049607698f748d6c8f6024557fe2a9c4362ec2e

commit 7049607698f748d6c8f6024557fe2a9c4362ec2e
Author: junov <junov@chromium.org>
Date: Fri Sep 23 16:32:31 2016

Make toDataURL robust with respect to allocation failures

It is not safe to assume that ImageData::create always returns
a valid pointer.  Internally it uses DOMUint8ClampedArray::createOrNull
which returns null instead of crashing when allocation fails.
This change adds the appropriate null pointer checks to take
that into account.

BUG= 647824 
NOTRY=true

Review-Url: https://codereview.chromium.org/2361493003
Cr-Commit-Position: refs/heads/master@{#420625}

[modify] https://crrev.com/7049607698f748d6c8f6024557fe2a9c4362ec2e/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
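The failure mode the commit message describes, as an added C++ illustration that is not Chromium's code: an allocation helper that returns null instead of aborting, a factory that propagates that null, and the caller-side check that stops it from being dereferenced. The struct layouts, the allocation cap and the "data:," fallback are assumptions for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>
#include <string>
#include <vector>

// Stand-in for DOMUint8ClampedArray::createOrNull: returns null rather than
// crashing when the requested buffer cannot be allocated (cap is assumed).
struct PixelBuffer {
    std::vector<uint8_t> bytes;
    static std::unique_ptr<PixelBuffer> createOrNull(size_t length) {
        const size_t kMaxBytes = 64 * 1024 * 1024;  // assumed allocation limit
        if (length == 0 || length > kMaxBytes) return nullptr;
        auto buf = std::make_unique<PixelBuffer>();
        buf->bytes.resize(length);
        return buf;
    }
};

// Stand-in for ImageData::create: the null from createOrNull propagates up,
// so callers must not assume a valid pointer comes back.
struct ImageData {
    int width;
    int height;
    std::unique_ptr<PixelBuffer> data;
    static std::unique_ptr<ImageData> create(int w, int h) {
        if (w <= 0 || h <= 0) return nullptr;
        const size_t w_ = static_cast<size_t>(w), h_ = static_cast<size_t>(h);
        // Guard the RGBA byte-count multiplication against size_t overflow.
        if (w_ > std::numeric_limits<size_t>::max() / 4 / h_) return nullptr;
        auto buf = PixelBuffer::createOrNull(w_ * h_ * 4);
        if (!buf) return nullptr;
        return std::unique_ptr<ImageData>(new ImageData{w, h, std::move(buf)});
    }
};

// toDataURL with the null check the fix adds. Without it, `image->data`
// reads through a null pointer, which is the small-address UNKNOWN READ
// (0x20) reported by ClusterFuzz.
std::string toDataURLChecked(int w, int h) {
    auto image = ImageData::create(w, h);
    if (!image) return "data:,";  // assumed fallback: empty data URL
    // Real code encodes the pixels; the byte count stands in for that step.
    return "data:image/png;base64," + std::to_string(image->data->bytes.size());
}
```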

Comment 3 by junov@chromium.org, Sep 23 2016

Status: Fixed (was: Assigned)

Comment 4 by ClusterFuzz (Project Member), Sep 24 2016

ClusterFuzz has detected this issue as fixed in range 420502:420630.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4942847902220288

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::HTMLCanvasElement::toDataURLInternal
  blink::HTMLCanvasElement::toDataURL
  blink::HTMLCanvasElementV8Internal::toDataURLMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=418536:418563
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=420502:420630

Minimized Testcase (19.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kzwospTOsjegb5WursFDVLa9iDLTItBZ1pt3oeUz6KbXNlj3dtaehGQs6KWbXY1d3VUiL709F4tg4Vvg1QqWyv3s91B3FeoHqsUbzOXvjUlTnr3Qc4AtM1r5pJydnCuVEcSiAgBKWyekzjVUxYXAAYFZq2fQq_bi3OmFo6cbN_clIiVU?testcase_id=4942847902220288

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
