This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

bsalomon, would you mind taking a look at this, or help with finding a better owner? 

I believe this is a Blink bug. I added this code:

"""
  auto size = this->getOffscreenCanvas()->size();
  CheckedNumeric<int> dataSize = 4;
  dataSize *= size.width();
  dataSize *= size.height();
  LOG(ERROR) << "OSW " << size.width() << " OSH " << size.height() << " OSS " << dataSize.ValueOrDie() << "\n";
  LOG(ERROR) << "DBW " << this->drawingBufferWidth() << " DBH " << this->drawingBufferHeight() << "\n";
"""

inside the "if (snapshot) {" that begins here:

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp?q=third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp&sq=package:chromium&l=754

The output I get is:

[41068:41068:1129/165501:1139370145285:ERROR:WebGLRenderingContextBase.cpp(759)] OSW 0 OSH 1073741824 OSS 0

[41068:41068:1129/165501:1139370146247:ERROR:WebGLRenderingContextBase.cpp(760)] DBW 1 DBH 16384


Looking at the code there I believe we allocate a zero height ImageData (0 x 1073741824) but then describe it with an SkImageInfo that is 1 x 16384.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

In comment #5, I should have said "zero width" not "zero height".

Downgrading severity and removing the release blocker flag since this crash is in an unshipped API. The OffscreenCanvas interface is only accessible when starting Chrome with --enable-experimental-canvas-features, so there is no immediate risk to users at large. Setting milestone to M-58 Since that is when we intend to ship.

Awesome that the fuzzer caught this before shipping. \o/

Block shipping OffscreenCanvas until this is fixed.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1307b3fee54e09311014071340c0822752aee55c

commit 1307b3fee54e09311014071340c0822752aee55c
Author: junov <junov@chromium.org>
Date: Thu Dec 01 21:55:40 2016

Fix crash when calling convertToBlob on an OffscreenCanvas with no pixels

BUG= 669392 

Review-Url: https://codereview.chromium.org/2539333003
Cr-Commit-Position: refs/heads/master@{#435729}

[add] https://crrev.com/1307b3fee54e09311014071340c0822752aee55c/third_party/WebKit/LayoutTests/fast/canvas/OffscreenCanvas-zero-size-readback.html
[modify] https://crrev.com/1307b3fee54e09311014071340c0822752aee55c/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.cpp

ClusterFuzz has detected this issue as fixed in range 435703:435745.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4565157322948608

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x6020003e4dd1
Crash State:
  gpu::gles2::GLES2Implementation::ReadPixels
  std::__1::__function::__func<std::__1::function<void
  GrGpu::readPixels
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=427006:427199
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=435703:435745

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96QSnNBWjTmgMPyd3LBMxJiQETR9mV5Q6dJKwGKC_iIIHB4hSDa5v-xmdhsCNFYHvjwcBDd0hdWZ0_hyaRlCaa6Rf-zMfNqicsoYqWizFHcVrb0REOhQ_88U4UP8NiX4xbRoNB_xoswELrgx5pxp2-og7OHlw?testcase_id=4565157322948608
<script id="myWorker">
  var __v_0 = new OffscreenCanvas(0, 1073741824);
  var __v_1 = __v_0.getContext('webgl');
  __v_0.convertToBlob()
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot