Hello Heather,

Could you please help find an owner for this skia security bug?  The range given by clusterfuzz in skia doesn't include an obvious culprit CL.

hcm: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I cannot access the ClusterFuzz report, assuming Brian/Mike cannot as well... getting them on since it looks color code related.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/9953737bcf885a52c08ade6c503f2202e4dd9aa5

commit 9953737bcf885a52c08ade6c503f2202e4dd9aa5
Author: Florin Malita <fmalita@chromium.org>
Date: Wed Jan 04 18:01:55 2017

Avoid SkFixed overflow in decal bitmap procs

The check for decal mode can overflow in SkFixed.  Promote to
64bit (48.16) instead.

Also update can_truncate_to_fixed_for_decal() to take SkFixed params and
used it in ClampX_ClampY_filter_scale_SSE2().

BUG= chromium:675444 
R=reed@google.com

CQ_INCLUDE_TRYBOTS=skia.primary:Test-Ubuntu-GCC-GCE-CPU-AVX2-x86_64-Release-SKNX_NO_SIMD

Change-Id: I759464cdaa5c005159e38e32167fb1937e2a1d28
Reviewed-on: https://skia-review.googlesource.com/6538
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>

[modify] https://crrev.com/9953737bcf885a52c08ade6c503f2202e4dd9aa5/src/core/SkBitmapProcState_matrix.h
[modify] https://crrev.com/9953737bcf885a52c08ade6c503f2202e4dd9aa5/src/core/SkBitmapProcState_matrix_template.h
[modify] https://crrev.com/9953737bcf885a52c08ade6c503f2202e4dd9aa5/src/core/SkBitmapProcState_utils.h
[modify] https://crrev.com/9953737bcf885a52c08ade6c503f2202e4dd9aa5/src/opts/SkBitmapProcState_matrix_neon.h
[modify] https://crrev.com/9953737bcf885a52c08ade6c503f2202e4dd9aa5/src/opts/SkBitmapProcState_opts_SSE2.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f848b67b1486e0aba0ddcfea7e492062ba07064f

commit f848b67b1486e0aba0ddcfea7e492062ba07064f
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Jan 06 22:50:22 2017

Roll src/third_party/skia/ f55ea6a1d..83f532e9b (9 commits).

https://skia.googlesource.com/skia.git/+log/f55ea6a1deb2..83f532e9b5b8

$ git log f55ea6a1d..83f532e9b --date=short --no-merges --format='%ad %ae %s'
2017-01-06 mtklein Add a real SkXbyak bench, implement enough to run it.
2017-01-06 mtklein exclude src/opts/SkXbyak.cpp from g3 build
2017-01-06 kjlubick Add in Path fuzzer
2017-01-06 djsollen Add support for 64-bit devices when using gdb on Android
2017-01-06 bsalomon Purge clip masks when they are no longer findable.
2017-01-04 fmalita Avoid SkFixed overflow in decal bitmap procs
2017-01-06 bsalomon Remove arithmetic mode GrXP code.
2017-01-06 bsalomon Add support for tagging GrUniqueKeys with a debug string
2017-01-06 mtklein SkXbyak basics

BUG= 676459 , 675444 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=csmartdalton@google.com

Review-Url: https://codereview.chromium.org/2617043004
Cr-Commit-Position: refs/heads/master@{#442083}

[modify] https://crrev.com/f848b67b1486e0aba0ddcfea7e492062ba07064f/DEPS

ClusterFuzz has detected this issue as fixed in range 441984:442831.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5520203330093056

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x0002991c2d98
Crash State:
  S32_opaque_D32_filter_DX_SSSE3
  BitmapProcShaderContext::shadeSpan
  SkColorFilterShader::FilterShaderContext::shadeSpan
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=352857:352959
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=441984:442831

Minimized Testcase (0.48 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96QHgasyzL63noIUF6KCPNc22vnC_IReOP5A46jk56SBUi0TYkCwmWuTjvku9lY85VsCXL-rA7zEw8evRLVF5f69NPO3gnB1KBNMFsV0uI6WXiYfFQWp6Pu5lRBFstJM9FNQ1MwZ1JFYuyipUGj3MEwNaxhZw?testcase_id=5520203330093056
<script>
var x = {};
    x[648] = document.createElementNS('http://www.w3.org/1999/xhtml', 'canvas');
    x[855] = x[648].getContext('2d', { alpha: true });
    x[1610] = document.createElementNS('http://www.w3.org/1999/xhtml', 'canvas');
    x[2330] = x[1610].getContext('2d', { alpha: false });
    x[1610].width = 9171;
    x[855].shadowBlur = 512;
    x[855].shadowColor = "red";
    x[855].drawImage(x[1610], 0.4827066851972385, 8, 0.8359630000395614, 0.10588275643668202);
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot