
Issue 676363 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




ImageBuffer::canCreateImageBuffer(size) in HTMLCanvasElement.cpp

Reported by ClusterFuzz (Project Member), Dec 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6052845293142016

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ImageBuffer::canCreateImageBuffer(size) in HTMLCanvasElement.cpp
  blink::createTransparentImage
  blink::HTMLCanvasElement::getSourceImageForCanvas
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=417023:417040

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97UhP5I4pdsW3gx4P6v7g1op8Ze34rgC_3AL1_XNGyN0d1lVjwlIR4I7YwTbd9w7a7pZxB7u4rxENNwQoX_2XB1pds74Ll73yXb80jJabgoHfZyKNObzR-RReTW0whlv60KL0iL3IGPX8fXadQOqxwzNGeO4Q?testcase_id=6052845293142016
<script src="../resources/webgl-test-utils.js"></script>
<canvas id="canvas"" width="134217728"> <canvas id="canvas2d"</canvas>
<script>
var wtu = WebGLTestUtils;
var ctx2d = canvas2d.getContext("2d");
var gl = wtu.create3DContext(canvas);
if (!gl) {
} else {
    ctx2d.drawImage(canvas, 0,0, 40, 40);
}
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Canvas
Labels: Test-Predator-Wrong
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
From the CL, assigning to the concerned owner.
Suspected commit:
https://chromium.googlesource.com/chromium/src/+/980562f70d53ff313d4f5cd885c70248d3dd902a

@junov -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank you.
Comment 2 by bugdroid1@chromium.org (Project Member), Jan 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2b813ea24d38e192d2917413f027034deac3d6b6

commit 2b813ea24d38e192d2917413f027034deac3d6b6
Author: junov <junov@chromium.org>
Date: Fri Jan 13 18:57:29 2017

Fix DCHECK in createTransparentSkImage

BUG=676363

Review-Url: https://codereview.chromium.org/2622283005
Cr-Commit-Position: refs/heads/master@{#443630}

[modify] https://crrev.com/2b813ea24d38e192d2917413f027034deac3d6b6/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp

Comment 3 by junov@chromium.org, Jan 13 2017

Status: Fixed (was: Assigned)
Comment 4 by ClusterFuzz (Project Member), Jan 14 2017

ClusterFuzz has detected this issue as fixed in range 443594:443650.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6052845293142016

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ImageBuffer::canCreateImageBuffer(size) in HTMLCanvasElement.cpp
  blink::createTransparentImage
  blink::HTMLCanvasElement::getSourceImageForCanvas
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=417023:417040
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443594:443650

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97UhP5I4pdsW3gx4P6v7g1op8Ze34rgC_3AL1_XNGyN0d1lVjwlIR4I7YwTbd9w7a7pZxB7u4rxENNwQoX_2XB1pds74Ll73yXb80jJabgoHfZyKNObzR-RReTW0whlv60KL0iL3IGPX8fXadQOqxwzNGeO4Q?testcase_id=6052845293142016
<script src="../resources/webgl-test-utils.js"></script>
<canvas id="canvas"" width="134217728"> <canvas id="canvas2d"</canvas>
<script>
var wtu = WebGLTestUtils;
var ctx2d = canvas2d.getContext("2d");
var gl = wtu.create3DContext(canvas);
if (!gl) {
} else {
    ctx2d.drawImage(canvas, 0,0, 40, 40);
}
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
