New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 670236 link

Starred by 1 user
Status: WontFix
Owner:
jochen@chromium.org
Closed: Dec 2016
Cc:
littledan@chromium.org
caitpott...@gmail.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

result || flags & PartitionAllocReturnNull in PartitionAlloc.h

Project Member Reported by ClusterFuzz, Dec 1 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4719992169037824

Fuzzer: cdiehl_dharma
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address: 
Crash State:
  result || flags & PartitionAllocReturnNull in PartitionAlloc.h
  blink::DOMTypedArray<>::createOrNull
  blink::ImageData::create
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=435209:435314

Minimized Testcase (0.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96yV9hxfY02dhNzFGisc_IdQsQB-JbabbNaOcKehZPVxadT8kNoWMfPBr4LaxxRgxvbN_P8P-Mk0wEjT75X7JgWSnG8ZQdTTO2KUSefl1Eu4I0uwHC-JXyoZ783AuBkUDxpRjvaA0OKz5VDm63X2NTGIivjhw?testcase_id=4719992169037824

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Dec 1 2016

Labels: M-57

Comment 2 by mummare...@chromium.org, Dec 1 2016

Cc: caitpott...@gmail.com littledan@chromium.org
Components: Blink>Media>Audio
Labels: Test-Predator-Wrong
Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)
Possible suspect through code search on file PartitionAlloc.h

https://chromium.googlesource.com/chromium/src/+/7757f92ee97b2668c3f412fa0ebdb62321d8bd0d

Comment 3 by jochen@chromium.org, Dec 7 2016 

I suspect this is WontFix?

Comment 4 by jochen@chromium.org, Dec 7 2016

Status: WontFix (was: Assigned)
I suspect we just don't have enough memory for the requested canvas, and then we crash (which is expected)
Project Member

Comment 5 by ClusterFuzz, Jan 13 2017 

ClusterFuzz has detected this issue as fixed in range 442831:443258.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4719992169037824

Fuzzer: cdiehl_dharma
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address: 
Crash State:
  result || flags & PartitionAllocReturnNull in PartitionAlloc.h
  blink::DOMTypedArray<>::createOrNull
  blink::ImageData::create
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=435209:435314
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=442831:443258

Minimized Testcase (0.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96yV9hxfY02dhNzFGisc_IdQsQB-JbabbNaOcKehZPVxadT8kNoWMfPBr4LaxxRgxvbN_P8P-Mk0wEjT75X7JgWSnG8ZQdTTO2KUSefl1Eu4I0uwHC-JXyoZ783AuBkUDxpRjvaA0OKz5VDm63X2NTGIivjhw?testcase_id=4719992169037824

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment