Crash in SkPixelInfo::CopyPixels
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4742495444664320
Fuzzer: noel-image-flip
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x7fb341438000
Crash State:
  SkPixelInfo::CopyPixels
  SkPixmap::readPixels
  SkPixmap::scalePixels
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=431896:432151
Minimized Testcase (29.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947BFUGLhVNA_AtVYoaWjREkXNBJi2wlAnzeK5OvFKb2woZXBP0Luo_A-iv1phFkpvAohKhCQ-6oabl8c5xVP9Bx-OFLhz3T9lyRPOziOZQvaHE_YZoZqygysdO9RUql5gy6rAZG7O2y298_gLX_Qy3pHXAR20HC5T-_c0qWgIZgGbqvq262Tk19bIygZ50Wo1TkJHOIXHPct5M5ZhQX5CSK0dqJSWKdpiG4gnLT_8ON9f0ddGstd8LlwguD0loQXAyChp-r8AHkw7vSvVnp4IvAEO418q_oPg_TKzxifO9WwtGpehrc3_tET_WBZ-2QCtleYlBqTsG_jH3UgJF8NWUs6XLjFhllY-2tQQa-EJxCHPcPyo?testcase_id=4742495444664320
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Jan 18 2017
A Skia bug is likely to be cross-platform; setting flags.
Comment 2, Jan 19 2017
How do I repro this locally? I don't see noel-image-flip mentioned on this help page https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/HEAD/reproducing.md
Comment 3, Jan 19 2017
You just run the testcase with chrome (built with chromeos=1), see command line in report. This is not a libfuzzer testcase.
Comment 4, Jan 19 2017
This test is asking chrome to allocate (at least) 2 buffers, each 1-gig (webp image claims to be 1048876 x 250 at 4-bytes-per-pixel). Given that on each crash, the address is nicely on a page-boundary, I expect this is a case of malloc over committing.
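The comment above describes the mechanism: the WebP container declares a 1048876 x 250 canvas, so a 4-byte-per-pixel pixmap needs about 1 GB, and under Linux memory overcommit that allocation can succeed and only fault, at a page-aligned address, when the pages are first touched. The following is an added example written for this page, not Skia or Chromium code: it reads the declared canvas size out of a constructed VP8X header (the field layout is the one from the WebP container format, not taken from the ClusterFuzz testcase, which is not reproduced here), then applies an overflow-safe size computation with an explicit byte budget before any allocation happens. The function names, the 256 MiB budget and the sample header are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Declared canvas size of a WebP file, as read from its VP8X chunk. */
typedef struct {
    uint32_t width;
    uint32_t height;
} webp_canvas_t;

/* Constructed header, not the ClusterFuzz testcase: a header-only extended
 * WebP whose 24-bit canvas fields declare 1048876 x 250 (stored minus one,
 * little-endian: 1048875 = 0x10012B, 249 = 0x0000F9). */
static const uint8_t kConstructedVp8x[30] = {
    'R', 'I', 'F', 'F', 22, 0, 0, 0,      /* RIFF size for a header-only file */
    'W', 'E', 'B', 'P',
    'V', 'P', '8', 'X', 10, 0, 0, 0,      /* VP8X chunk, 10-byte payload */
    0x00,                                 /* flags */
    0x00, 0x00, 0x00,                     /* reserved */
    0x2B, 0x01, 0x10,                     /* canvas width  - 1 */
    0xF9, 0x00, 0x00                      /* canvas height - 1 */
};

static uint32_t read_le24(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

/* Extract the declared canvas size from the first 30 bytes of an extended
 * (VP8X) WebP file. Returns 0 on success, -1 if the bytes are not a VP8X
 * container. Only the declared size is read; nothing is decoded. */
int parse_vp8x_canvas(const uint8_t *buf, size_t len, webp_canvas_t *out) {
    if (len < 30) return -1;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WEBP", 4) != 0) return -1;
    if (memcmp(buf + 12, "VP8X", 4) != 0) return -1;
    out->width  = read_le24(buf + 24) + 1;
    out->height = read_le24(buf + 27) + 1;
    return 0;
}

/* Compute width * height * bytes_per_pixel without overflow and refuse any
 * result above max_bytes. Returns 0 and sets *out on success, -1 otherwise.
 * The budget is the important part: with overcommit, malloc() of a gigabyte
 * may return non-NULL and the process dies (SIGBUS, reported by ASan as SEGV)
 * only when the pages are touched, so a NULL check after malloc() is not a
 * defence against attacker-declared dimensions. */
int checked_pixmap_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                         uint64_t max_bytes, uint64_t *out) {
    if (width == 0 || height == 0 || bpp == 0) return -1;
    uint64_t pixels = (uint64_t)width * height;   /* cannot overflow: both < 2^32 */
    if (pixels > UINT64_MAX / bpp) return -1;      /* pixels * bpp would overflow */
    uint64_t bytes = pixels * bpp;
    if (bytes > max_bytes) return -1;              /* over the decode budget */
    *out = bytes;
    return 0;
}

int main(void) {
    webp_canvas_t canvas;
    uint64_t bytes;
    const uint64_t budget = 256u << 20;            /* assumed 256 MiB decode budget */

    if (parse_vp8x_canvas(kConstructedVp8x, sizeof kConstructedVp8x, &canvas) != 0) {
        puts("not a VP8X header");
        return 1;
    }
    printf("declared canvas: %u x %u\n", canvas.width, canvas.height);
    if (checked_pixmap_bytes(canvas.width, canvas.height, 4, budget, &bytes) != 0)
        puts("rejected: RGBA pixmap exceeds budget, no allocation attempted");
    else
        printf("would allocate %llu bytes\n", (unsigned long long)bytes);
    return 0;
}
```

Run stand-alone, the constructed header parses to 1048876 x 250 and the RGBA pixmap is rejected before any allocation, which is exactly the point where a decoder should stop rather than relying on malloc() to fail.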
Comment 5, Jan 19 2017
+awhalley@ for consult. We're going to ship to stable / stable candidates in < 1 week, and this is a medium severity issue. Can we remove the RB-Stable tag please to avoid blocking the release? If we get a patch in time, or desperately want to pull this into a refresh, we can discuss that, but I'm worried more about risk from introducing a last minute change than a medium severity issue detected internally (though please let me know if you disagree).
Comment 6, Jan 20 2017
I don't seem to be able to access https://cluster-fuzz.appspot.com/testcase?key=4742495444664320 with either herb@google.com or herb@chromium.org.
Comment 7, Jan 20 2017
I'm OK to push this to 57. mbarbella@ would you mind checking herb@'s access to the clusterfuzz issue?
Comment 8, Jan 20 2017
I already marked herb@google.com as owner, now he should be able to access.
Comment 9, Jan 20 2017
I suspect this is another OOM issue (similar to bug 633475 and bug 598724). ASan always outputs SEGV for these even though the real signal is SIGBUS.
Comment 10, Jan 23 2017
As per #9, I think this is an OOM issue. Closing. Reopen if this has a frequency > 1.
Comment 11, May 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot