Out-of-memory in gfx_png_image_fuzzer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4675721655222272

Fuzzer: libfuzzer_gfx_png_image_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  gfx_png_image_fuzzer

Sanitizer: address (ASAN)

Minimized Testcase (0.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97gltsJ6Zc67aal6sKe6RE3WDW0kGiK2CXY9-e9NnEQPxSKArok6HyukGWSAqsqPLRaG3_7gTJ5OM-h8RZUUjElVMonJzQrbZbqC8QH5i-1_pyCOl5lozh1E4gYUZDcQfUX1MdXkxrX4fxo1UIE_zF1CqevGWDUtdNgd3l6MKpURvvUkNfoN2Rpq1bPrJDXQ9z9bFlA84mjgrL6vbebXeim8-IFofOPOBcxyQdZRqpg96G2HOhMFFHvMEgzZQumBPXG_3JpuphhMGNjsJzeBxDCU39EJUtzqPwVPQnn-eEpeBie-mrTbQ00ce_HxFDKrDkalbdYlM6QSrgwgW_hZjvH2W6th1H-ciPXDcDqDWrM8p69kxw?testcase_id=4675721655222272

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jan 18 2017
This is different from issue 657465. This one seems to be a valid OOM. rsesek@, as an owner for gfx/image (https://cs.chromium.org/chromium/src/ui/gfx/image/OWNERS?cl=GROK), could you please help to find an owner?
Jan 18 2017
Thank you for reassigning.
Jan 26 2017
Passing this to the OWNER of the underlying PNG codec, since the fuzzer is really testing that code and not gfx::Image.
Jan 26 2017
This crash is inside libpng. Passing to one of the third_party/libpng owners.
#0  0x00000000004d2a84 in __sanitizer_print_stack_trace () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:135
#1  0x0000000000510302 in fuzzer::Fuzzer::HandleMalloc(unsigned long) () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:169
#2  0x0000000000510177 in MallocHook () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:143
#3  0x00000000004d83be in __sanitizer::RunMallocHooks(void const*, unsigned long) () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:135
#4  0x00000000004262f3 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:135
#5  0x00000000004cad41 in malloc () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:135
#6  0x00000000005e9d7d in png_read_buffer () at ../../third_party/libpng/pngrutil.c:310
#7  cr_png_handle_iCCP () at ../../third_party/libpng/pngrutil.c:1462
#8  0x00000000005bd93f in cr_png_push_read_chunk () at ../../third_party/libpng/pngpread.c:309
#9  0x00000000005bad10 in cr_png_process_some_data () at ../../third_party/libpng/pngpread.c:109
#10 cr_png_process_data () at ../../third_party/libpng/pngpread.c:46
#11 0x000000000077eb6a in Decode () at ../../ui/gfx/codec/png_codec.cc:447
#12 0x00000000007740eb in ToImageSkiaRep () at ../../ui/gfx/image/image.cc:114
#13 0x000000000076f54d in AddPNGData () at ../../ui/gfx/image/image.cc:101
#14 0x000000000076f08c in ImageSkiaFromPNG () at ../../ui/gfx/image/image.cc:143
#15 0x000000000077253b in ToImageSkia () at ../../ui/gfx/image/image.cc:494
#16 0x0000000000771c81 in ToSkBitmap () at ../../ui/gfx/image/image.cc:482
#17 0x00000000004f8114 in LLVMFuzzerTestOneInput () at ../../testing/libfuzzer/fuzzers/gfx_png_image_fuzzer.cc:29
Feb 9 2017
The attached image tells libpng to allocate 2048 MB for a particular chunk. It's unfortunate that libpng tries to do this... but it will fail appropriately if the allocation fails. This doesn't seem like a bug to me.
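The pattern described in the comment above, an allocation whose size comes straight from a length field in the file, is what a per-chunk allocation cap guards against. What follows is an added example and not Chromium's or libpng's code: a standalone PNG chunk walker that checks each declared chunk length against the spec maximum (2^31-1), against a caller-chosen cap, and against the bytes actually remaining in the input, and only then sizes an allocation by it. The input it parses is constructed here (it is not the ClusterFuzz testcase): a 1x1 IHDR followed by an iCCP chunk header claiming about 2 GB of payload that is not present. All function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Chromium or libpng code: a minimal PNG chunk walker that
 * checks each chunk's declared length against the spec limit, a caller-chosen
 * cap and the remaining input before any allocation is sized by it. */

enum png_walk_status {
    PNG_WALK_OK = 0,
    PNG_WALK_BAD_SIGNATURE,
    PNG_WALK_TRUNCATED,      /* declared length runs past the input */
    PNG_WALK_SPEC_VIOLATION, /* length > 2^31-1, forbidden by the PNG spec */
    PNG_WALK_OVER_CAP,       /* length exceeds the caller's allocation cap */
    PNG_WALK_ALLOC_FAILED
};

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walks chunks until IEND or the first error; bad_type holds the type of the
 * chunk under examination when an error is returned.  CRCs are not verified,
 * which is orthogonal to the length checks shown here. */
enum png_walk_status png_walk(const uint8_t *buf, size_t len,
                              uint32_t max_chunk_bytes, char bad_type[5],
                              size_t *chunks_seen)
{
    size_t off = 8;
    *chunks_seen = 0;
    memcpy(bad_type, "????", 5);
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0)
        return PNG_WALK_BAD_SIGNATURE;
    for (;;) {
        if (len - off < 12)           /* length + type + CRC at minimum */
            return PNG_WALK_TRUNCATED;
        uint32_t clen = be32(buf + off);
        memcpy(bad_type, buf + off + 4, 4);
        bad_type[4] = '\0';
        if (clen > 0x7fffffffu)       /* PNG spec: high bit must be clear */
            return PNG_WALK_SPEC_VIOLATION;
        if (clen > max_chunk_bytes)   /* policy cap, applied before malloc */
            return PNG_WALK_OVER_CAP;
        if (len - off - 12 < clen)    /* payload + CRC must fit the input */
            return PNG_WALK_TRUNCATED;
        uint8_t *payload = malloc(clen ? clen : 1); /* now safe to size by clen */
        if (payload == NULL)
            return PNG_WALK_ALLOC_FAILED;
        memcpy(payload, buf + off + 8, clen);
        free(payload);                /* a decoder would dispatch a handler here */
        (*chunks_seen)++;
        if (memcmp(bad_type, "IEND", 4) == 0)
            return PNG_WALK_OK;
        off += 12 + (size_t)clen;
    }
}

/* Constructed inputs (not the ClusterFuzz testcase): a 1x1 RGB IHDR followed
 * either by a tiny IDAT and IEND, or by an iCCP chunk header that declares
 * about 2 GB of payload that is not present.  CRC fields are left zero. */
static size_t put(uint8_t *out, size_t n, const void *src, size_t k)
{
    memcpy(out + n, src, k);
    return n + k;
}

size_t build_png(uint8_t *out, int hostile)
{
    static const uint8_t ihdr[] = {0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1,
                                   0, 0, 0, 1, 8, 2, 0, 0, 0, 0, 0, 0, 0};
    static const uint8_t iccp[] = {0x7f, 0xff, 0xff, 0xf0, 'i', 'C', 'C', 'P',
                                   0, 0, 0, 0};
    static const uint8_t idat[] = {0, 0, 0, 2, 'I', 'D', 'A', 'T', 0x78, 0x9c,
                                   0, 0, 0, 0};
    static const uint8_t iend[] = {0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0};
    size_t n = put(out, 0, PNG_SIG, 8);
    n = put(out, n, ihdr, sizeof ihdr);
    if (hostile)
        return put(out, n, iccp, sizeof iccp);
    n = put(out, n, idat, sizeof idat);
    return put(out, n, iend, sizeof iend);
}

/* Walk the constructed input under a given cap; status and chunk count. */
static enum png_walk_status run(int hostile, uint32_t cap, size_t *seen)
{
    uint8_t buf[128];
    char type[5];
    return png_walk(buf, build_png(buf, hostile), cap, type, seen);
}

enum png_walk_status check_png(int hostile, uint32_t cap)
{
    size_t seen;
    return run(hostile, cap, &seen);
}

size_t count_png_chunks(int hostile, uint32_t cap)
{
    size_t seen;
    run(hostile, cap, &seen);
    return seen;
}
```

With an 8,000,000-byte cap the hostile input is rejected at the iCCP header with PNG_WALK_OVER_CAP after one accepted chunk (IHDR); with no cap it is still caught here, but only by the truncation check, because this walker holds the whole file in memory. The trace on this page goes through the progressive reader (cr_png_push_read_chunk in pngpread.c), which is fed data incrementally and cannot know how many bytes remain, so in that mode a cap is the only check available before the allocation is attempted; libpng exposes such a cap to applications as png_set_chunk_malloc_max(). Two caveats for anyone adapting this: the walker does not verify chunk CRCs, and an iCCP chunk carries a second file-controlled length, the size field inside the ICC profile header, which a real decoder has to bound the same way.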
Mar 16 2017
Mar 20 2017
Comment 1 by mummare...@chromium.org, Jan 18 2017
Owner: mmoroz@chromium.org
Status: Assigned (was: Untriaged)