Use-of-uninitialized-value in parametric_r
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5650806180413440
Fuzzer: noel-image-surku
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  parametric_r
  color_lookup_table
  std::__1::__function::__func<sse41::compile_pipeline
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=433593:433755
Minimized Testcase (515.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mu1NGHWimeDRFDkb_7I-c6pKYpxXEg3BvzwSw42IqWs1AeGEi7l2Z-Kh8OZIc0YyrCUlR4zOX_PXObMP2_kSvTNn8CHT4vTxLN81wpiwxl7wZq_Xs4HSFiKfTSkNhaNmQ_5z3YVWgCmki5J6hJt2dS02w61qqCZGiJ_gTgzVpbazoKvg?testcase_id=5650806180413440

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Nov 22 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 22 2016
Nov 22 2016
Hi, it looks like this issue might be related to crbug.com/667695, but it's a use-of-uninitialized value rather than a heap buffer overflow. Can you take a look? Perhaps your change https://skia.googlesource.com/skia.git/+/8daef3ebdd71f0a33faa186511d81c951e3917ab fixes this too?
Nov 22 2016
I think my other change fixes it. There are no parametric gammas in that testcase profile, however there is still an empty table gamma which would cause pixels to be assigned based on an uninitialized value (like in the other fuzzer bug). Later on down the pipeline, when the pixels are transformed back to the screen colour space, parametric_r then tries to access those pixels.
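The failure mode described in the comment above (an empty table gamma feeding unfilled values into a later stage) is the kind of thing a profile parser should reject before any lookup table is built. The following is an added, illustrative example and not Skia's code: a hypothetical, simplified ICC 'curv' tag parser whose names (TableGamma, parse_curv, build_lut) are invented here; it refuses a zero-entry table, and also a count that would overrun the tag bytes, so that nothing downstream ever reads entries that were never written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified ICC 'curv' tag (illustrative code, not Skia's):
 * bytes 0-3 "curv", 4-7 reserved, 8-11 uint32 BE count, then count x uint16 BE
 * samples mapping [0,1] -> [0,1].  count == 0 is the "empty table gamma" above. */
typedef struct {
    const uint8_t *samples;  /* big-endian uint16 entries inside the tag */
    uint32_t count;
} TableGamma;
enum { CURV_HEADER = 12, LUT_SIZE = 256 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Reject up front what the pipeline cannot evaluate safely: a short tag, a count
 * that overruns the tag bytes (the heap-overflow shape of the sibling bug), or
 * fewer than two samples (count == 1 is an ICC u8.8 exponent, outside this model). */
static bool parse_curv(const uint8_t *tag, size_t len, TableGamma *out) {
    if (len < CURV_HEADER || memcmp(tag, "curv", 4) != 0) return false;
    uint32_t count = rd32(tag + 8);
    if (count < 2 || count > (len - CURV_HEADER) / 2) return false;
    out->samples = tag + CURV_HEADER;
    out->count = count;
    return true;
}

/* Linear interpolation; relies on count >= 2 guaranteed by parse_curv. */
static float eval_table(const TableGamma *g, float x) {
    float pos = x * (float)(g->count - 1);
    uint32_t i = (uint32_t)pos;
    if (i > g->count - 2) i = g->count - 2;
    float t = pos - (float)i;
    float a = rd16(g->samples + 2u * i) / 65535.0f;
    float b = rd16(g->samples + 2u * (i + 1)) / 65535.0f;
    return a + (b - a) * t;
}

/* Fill the 256-entry LUT, or write nothing and report failure. A caller that
 * ignores `false` and reads lut[] anyway is the uninitialized read MSan flagged. */
static bool build_lut(const uint8_t *tag, size_t len, float lut[LUT_SIZE]) {
    TableGamma g;
    if (!parse_curv(tag, len, &g)) return false;
    for (int i = 0; i < LUT_SIZE; i++) lut[i] = eval_table(&g, i / 255.0f);
    return true;
}
```

Under MSan, the unchecked variant of build_lut would leave lut[] unwritten for a count of zero and the first consumer of those entries, not the parser, would be the reported crash site, which matches the parametric_r frame in the report above.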
Nov 23 2016
Nov 23 2016
ClusterFuzz has detected this issue as fixed in range 433807:434033.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5650806180413440
Fuzzer: noel-image-surku
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  parametric_r
  color_lookup_table
  std::__1::__function::__func<sse41::compile_pipeline
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=433593:433755
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=433807:434033
Minimized Testcase (515.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mu1NGHWimeDRFDkb_7I-c6pKYpxXEg3BvzwSw42IqWs1AeGEi7l2Z-Kh8OZIc0YyrCUlR4zOX_PXObMP2_kSvTNn8CHT4vTxLN81wpiwxl7wZq_Xs4HSFiKfTSkNhaNmQ_5z3YVWgCmki5J6hJt2dS02w61qqCZGiJ_gTgzVpbazoKvg?testcase_id=5650806180413440

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot