Issue 668907

Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Heap-buffer-overflow in SkAlphaRuns::Break

Project Member Reported by ClusterFuzz, Nov 27 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6738595726753792

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 2
Crash Address: 0x61700000007e
Crash State:
  SkAlphaRuns::Break
  add
  RunBasedAdditiveBlitter::blitAntiH
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=434559:434567

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DqUotSj3TbMJJ7ny4rG9jzffiy1fOHc54zSNiVTeHLLsLoNeqkvSgWT387k_UYZvOAKOBmQomypKGu9Bdb88volnwTWjMDWBe7T7r_F5cCCBfSb2zAPEDow3AoLPSQeBnnJqc0Aenz3iseRep_mtzxwQ8Aw?testcase_id=6738595726753792

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Internals>Skia
Owner: mtklein@chromium.org
Status: Assigned (was: Untriaged)
Howdy, your CL (https://skia.googlesource.com/skia.git/+/9b8c036eda7ca8dde40e76dcd9378b3ddd629c8b) introduces the code which triggers this heap buffer overflow from ClusterFuzz. Please take a look ASAP, thanks!
Cc: mtklein@chromium.org
Owner: liyuqian@chromium.org
Probably an AAA-related crash?  blit_aaa_trapezoid_row is on the stack.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 28 2016

Labels: M-56
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 28 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 28 2016

Labels: Pri-1
Status: Started (was: Assigned)
Should fix in https://skia-review.googlesource.com/c/5266/
Project Member

Comment 7 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef

commit dd13c020793b0a7fb2ac1f22024e9fb91ea483ef
Author: Yuqian Li <liyuqian@google.com>
Date: Mon Nov 28 15:31:58 2016

Add the missing shift to the dy

BUG= chromium:668907 

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5266

Change-Id: I6d3e56ffc149fbeac6f7a2df740542abbf84dac8
Reviewed-on: https://skia-review.googlesource.com/5266
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Yuqian Li <liyuqian@google.com>

[modify] https://crrev.com/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef/tests/PathTest.cpp

Project Member

Comment 8 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/44be067730b9bff2027b41691587a1b0454966a1

commit 44be067730b9bff2027b41691587a1b0454966a1
Author: Yuqian Li <liyuqian@google.com>
Date: Mon Nov 28 21:38:18 2016

Revert "Add the missing shift to the dy"

This reverts commit dd13c020793b0a7fb2ac1f22024e9fb91ea483ef.

Reason for revert: this breaks the Chromium DEPS roll as we break the layout_tests. I'll add a flag to guard the change in the future and enable the flag while changing the layout_tests.

Original change's description:
> Add the missing shift to the dy
> 
> BUG= chromium:668907 
> 
> GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5266
> 
> Change-Id: I6d3e56ffc149fbeac6f7a2df740542abbf84dac8
> Reviewed-on: https://skia-review.googlesource.com/5266
> Reviewed-by: Cary Clark <caryclark@google.com>
> Commit-Queue: Yuqian Li <liyuqian@google.com>
> 

TBR=mtklein@chromium.org,caryclark@google.com,liyuqian@google.com,reed@google.com,reviews@skia.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ifd5aa50f155c3ebe2f1495cbf3b8dd706211a639
Reviewed-on: https://skia-review.googlesource.com/5286
Commit-Queue: Yuqian Li <liyuqian@google.com>
Reviewed-by: Yuqian Li <liyuqian@google.com>

[modify] https://crrev.com/44be067730b9bff2027b41691587a1b0454966a1/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/44be067730b9bff2027b41691587a1b0454966a1/tests/PathTest.cpp

Project Member

Comment 9 by bugdroid1@chromium.org, Nov 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b4ee4bffa0c144adfb16968ca3645bc624e938db

commit b4ee4bffa0c144adfb16968ca3645bc624e938db
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Tue Nov 29 04:21:16 2016

Roll src/third_party/skia/ d5de01364..99ab92b59 (22 commits).

https://skia.googlesource.com/skia.git/+log/d5de01364378..99ab92b5958a

$ git log d5de01364..99ab92b59 --date=short --no-merges --format='%ad %ae %s'
2016-11-28 raftias Moved A2B0 profile parsing before XYZ
2016-11-28 mtklein Consistent naming.
2016-11-28 reed use raster-pipeline in readPixels
2016-11-28 ethannicholas added support for layout(offset=...) to skslc
2016-11-28 benjaminwagner Merge changes from internal cl/140385880.
2016-11-28 mtklein simplify
2016-11-28 liyuqian Revert "Add the missing shift to the dy"
2016-11-28 mtklein Convert blitter over to new style from_srgb, to_srgb.
2016-11-28 lsalzman use __BYTE_ORDER__ macro to detect endianness when available
2016-11-28 brianosman Narrow the SkImageGenerator interface
2016-11-28 bsalomon Remove old driver bug workaround for glTexStorage.
2016-11-28 borenet Roll recipe DEPS
2016-11-28 ethannicholas unified ASTLayout/Layout and ASTModifiers/Modifiers
2016-11-28 ethannicholas removed textureProj() and legacy texture functions from sksl
2016-11-28 reed simplify SkConfig8888 logic: just fall-through if memcpy case isn't supported
2016-11-28 mtklein Split srgb out of accum stages.
2016-11-28 raftias Fuzzer fix for overflow in some Lut8 profiles.
2016-11-28 mtklein Fix unpremul stage.
2016-11-28 liyuqian Add the missing shift to the dy
2016-11-28 brianosman GrTextureProducer cleanup, phase two: Producer, Adjuster, Maker
2016-11-22 mtklein Guard against buggy ucrt\math.h.
2016-11-22 ethannicholas baked in a few more precision modifiers

BUG= 668784 , 668907 , 666707 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2532083003
Cr-Commit-Position: refs/heads/master@{#434889}

[modify] https://crrev.com/b4ee4bffa0c144adfb16968ca3645bc624e938db/DEPS

Project Member

Comment 10 by bugdroid1@chromium.org, Nov 29 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640

commit 79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640
Author: Yuqian Li <liyuqian@google.com>
Date: Tue Nov 29 20:02:49 2016

Add the missing shift to the dy

This is identical to https://skia-review.googlesource.com/c/5266/ except for
the SK_ANALYTIC_AA_GUARD flag.

BUG= chromium:668907 

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5302

Change-Id: I3fc225a925d21fe615c46a4a0be7fe33c5790766
Reviewed-on: https://skia-review.googlesource.com/5302
Commit-Queue: Yuqian Li <liyuqian@google.com>
Reviewed-by: Cary Clark <caryclark@google.com>

[modify] https://crrev.com/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640/tests/PathTest.cpp

Project Member

Comment 11 by bugdroid1@chromium.org, Nov 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f9491858d66bfa61bb5d4641ea8df6df9fdae5a0

commit f9491858d66bfa61bb5d4641ea8df6df9fdae5a0
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Wed Nov 30 08:57:33 2016

Roll src/third_party/skia/ 56b507925..84aa30d39 (24 commits).

https://skia.googlesource.com/skia.git/+log/56b50792531c..84aa30d39e7e

$ git log 56b507925..84aa30d39 --date=short --no-merges --format='%ad %ae %s'
2016-11-29 liyuqian Add additional guard to the Analytic AA change
2016-11-29 bsalomon Make pipeline getter a GrDrawBatch::pipeline() a protected method.
2016-11-29 msarett Fixes for SkColorLookUpTable::interp3D
2016-11-29 mtklein support a8
2016-11-20 fmalita Fuzzer assert in GradientShaderBase4fContext::TSampler
2016-11-29 bsalomon Remove caps image storage caps hack.
2016-11-29 bsalomon Rename SkSL::GLSLCapsFactory to SkSL::ShaderCapsFactory
2016-11-29 mtklein Make SkNWayCanvas use conservative clipping.
2016-11-29 brianosman In GetResourceAsBitmap, don't crash if the resource is missing
2016-11-29 liyuqian Add the missing shift to the dy
2016-11-29 bsalomon Rename vars and functions from 'glslcaps'->'shadercaps'
2016-11-29 mtklein teach MSAN about maskload
2016-11-29 bsalomon Merge GrGLSLCaps into GrShaderCaps
2016-11-28 msarett Delete unnecessary SkSurface_Base API
2016-11-28 msarett Remove duplicate storage of fCanvas in SkOverdrawCanvas
2016-11-29 mtklein gather_i8
2016-11-29 kjlubick Fix fuzzRange
2016-11-29 bsalomon Rm assert that image texture array is null unless GrCaps has images support.
2016-11-29 liyuqian Use AdditiveBlitter for partial rows
2016-11-28 jvanverth Add #define for Nsight compatibility
2016-11-29 jcgregorio Revert "Use /MD for Windows builds."
2016-11-29 liyuqian Compute slope using fSnappedY
2016-11-29 kjlubick Fix DrawFunctions fuzzer to initialize bitmaps
2016-11-28 bsalomon Fix documents for creating a GPU surface.

BUG= 668925 , 668907 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2534343002
Cr-Commit-Position: refs/heads/master@{#435183}

[modify] https://crrev.com/f9491858d66bfa61bb5d4641ea8df6df9fdae5a0/DEPS

Project Member

Comment 12 by bugdroid1@chromium.org, Dec 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0622c15226e2c82d2ed5897167837bcb3130c3c

commit b0622c15226e2c82d2ed5897167837bcb3130c3c
Author: liyuqian <liyuqian@google.com>
Date: Thu Dec 01 15:23:02 2016

Enable Analytic AA Fix

BUG= chromium:668907 

Review-Url: https://codereview.chromium.org/2538943002
Cr-Commit-Position: refs/heads/master@{#435609}

[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/skia/config/SkUserConfig.h
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/compositing/rounded-corners-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-circle-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-circle-overflow-hidden-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-restore-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-color-image-border-radius-bleed-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-leakage-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-multi-image-border-radius-bleed-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/gradient-background-leakage-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/repeat/noRepeatCorrectClip-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-background-constrained-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-different-width-001-double-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-different-width-001-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-03-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-valid-border-clipping-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-wide-border-02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-wide-border-04-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-with-box-shadow-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-shadow-large-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusArcs01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDashed06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDotted06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble03-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble08-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusGroove01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusGroove02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusInset01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusOutset01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusRidge01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusSlope-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/fieldsetBorderRadius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/mixed-border-styles-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/mixed-border-styles-radius2-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/box-shadow-clipped-slices-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/box-shadow-with-zero-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/inset-box-shadows-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/shadow-tiling-artifact-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/spread-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/spread-multiple-normal-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-arc-circumference-fill-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-transformclip-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-ellipse-circumference-fill-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/css/background-clip-radius-values-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/css/box-shadow-and-border-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/dynamic/first-letter-after-list-marker-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/fill-opacity-update-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/invalidate-on-child-layout-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/mask-clip-target-transform-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/resource-invalidate-on-target-update-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/animation/computed-style-during-delay-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/backing/no-backing-foreground-layer-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/contents-opaque/layer-transform-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/contents-opaque/visibility-hidden-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/draws-content/canvas-background-layer-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/layer-creation/fixed-position-out-of-view-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/reflections/empty-reflection-with-mask-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/transitions/opacity-on-inline-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css1/units/rounding-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/device-adapt/viewport-insert-rule-after-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/device-adapt/viewport-insert-rule-before-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/filters/crash-hw-sw-switch-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/masking/clip-path-reference-of-fake-clipPath-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/editability/empty-document-justify-right-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/inserting/5685601-2-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/pasteboard/pasting-empty-html-falls-back-to-text-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/selection/5794920-1-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/shadow/delete-characters-in-distributed-node-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/undo/orphaned-selection-crash-bug32823-3-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/animation/request-animation-frame-callback-id-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/autoresize/turn-off-autoresize-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/block/line-layout/inline-box-wrapper-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/block/line-layout/line-break-obj-removal-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/borders/negative-border-width-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/constructors/blob-sparse-array-assertion-failure-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/constructors/constructor-as-function-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/dom/Window/window-scaled-viewport-properties-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/dom/element-bounding-client-rect-relative-to-viewport-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/adjacent-html-context-element-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/article-element-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/body-offset-properties-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/crash-style-first-letter-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/details-element-render-inline-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/empty-fragment-id-goto-top-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/font-face-empty-should-not-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/process-end-tag-for-inbody-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/tabindex-removal-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/xhtml-serialize-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/anonymous-block-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/inline-block-vertical-align-2-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/relative-positioned-rtl-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/fixed-pos-moves-with-abspos-parent-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/inline-body-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/inline-body-with-scrollbar-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/skipped-whitespace-boundingBox-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/skipped-whitespace-client-rect-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/005-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-case-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-iframe-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-nbsp-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-script-tag-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/javascript-url-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/add-to-primitive-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/direct-entry-to-function-code-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/do-while-expression-value-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/do-while-without-semicolon-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-equal-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-eval-inside-closure-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-function-with-lazy-activation-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/B.1.1-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/regress-532041-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/regress-532254-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/strict-this-is-not-truthy-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/this-for-function-expression-recursion-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/unbrand-this-expected.png
Project Member

Comment 13 by bugdroid1@chromium.org, Dec 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25e7d9294677e6ebfc4add4d3a665d4cafa52e5c

commit 25e7d9294677e6ebfc4add4d3a665d4cafa52e5c
Author: jbroman <jbroman@chromium.org>
Date: Thu Dec 01 16:33:36 2016

Remove failing expectation for http/tests/preload/dynamic_remove_preload_href.html.

Seems to have been erroneously added as part of "Enable Analytic AA Fix":
https://codereview.chromium.org/2538943002

BUG= 668907 
TBR=liyuqian@google.com,fmalita@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2534313005
Cr-Commit-Position: refs/heads/master@{#435624}

[delete] https://crrev.com/a3baa5f8c33d60a57fc98d211da1d168c093ae52/third_party/WebKit/LayoutTests/platform/linux/http/tests/preload/dynamic_remove_preload_href-expected.txt

Project Member

Comment 14 by ClusterFuzz, Dec 2 2016

ClusterFuzz has detected this issue as fixed in range 435598:435621.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6738595726753792

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 2
Crash Address: 0x61700000007e
Crash State:
  SkAlphaRuns::Break
  add
  RunBasedAdditiveBlitter::blitAntiH
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=434559:434567
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=435598:435621

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DqUotSj3TbMJJ7ny4rG9jzffiy1fOHc54zSNiVTeHLLsLoNeqkvSgWT387k_UYZvOAKOBmQomypKGu9Bdb88volnwTWjMDWBe7T7r_F5cCCBfSb2zAPEDow3AoLPSQeBnnJqc0Aenz3iseRep_mtzxwQ8Aw?testcase_id=6738595726753792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 15 by ClusterFuzz, Dec 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member

Comment 16 by sheriffbot@chromium.org, Dec 2 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta -M-56 M-57

Comment 18 by mkwst@chromium.org, Feb 17 2017

tom@mozilla.com has asked to be CC'd on this bug in the hopes of pulling in the right patches to Mozilla. WDYT?

Project Member

Comment 19 by sheriffbot@chromium.org, Mar 10 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
