
Issue 699371 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::ImageBitmap::ImageBitmap

Project Member Reported by ClusterFuzz, Mar 8 2017

Issue description

Components: Blink>Canvas
Labels: Test-Predator-Wrong-CLs M-57
Owner: zakerinasab@chromium.org
Status: Assigned (was: Untriaged)
Find it results:
=================
The result is a list of CLs that change the crashed files.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d59a4441697f6253e7dc3f7ae5caad6e5fd2c778
Time: Mon Nov 14 22:52:49 2016
File ImageBitmap.cpp is changed in this cl (and is part of stack frame #1, "blink::ImageBitmap::ImageBitmap"; frame #2, "blink::ImageBitmap::create")
Minimum distance from crash line to modified line: 54. (file: ImageBitmap.cpp, crashed on: 661, modified: 607). 

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/48c029113eb4338243d99dbc76f85896be8f3a22
Time: Mon Nov 14 23:10:04 2016
Files HTMLCanvasElement.cpp, ImageBitmap.cpp are changed in this cl (and is part of stack frame #3, "blink::HTMLCanvasElement::createImageBitmap"; frame #4, "non-virtual thunk to blink::HTMLCanvasElement::createImageBitmap")
Minimum distance from crash line to modified line: 78. (file: HTMLCanvasElement.cpp, crashed on: 1344, modified: 1266).
==========================
It's impacting current Stable (56.0.2924.87) & Beta (57.0.2987.88).

Based on code search on the file "ImageBitmap.cpp", suspecting the below.
Review-Url: https://codereview.chromium.org/2555213002
zakerinasab@: Could you please take a look into this if it's related to your change.
I'm restructuring color management for ImageBitmap and ImageData in another CL. I'll try to fix this at the same time if it was not fixed automatically.
Cc: junov@chromium.org
As I see the source of the problem is that ImageBitmap::isSourceSizeValid() does not put a constraint on the size of the image bitmap that can be created. Justin must have a better insight.
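The comment above attributes the null read to isSourceSizeValid() placing no bound on the bitmap size. As an added illustration, not Blink's own code (the names isSourceSizeValid, createBitmap and the 1 GiB byte budget are assumptions), here is what an overflow-safe size gate looks like, paired with a constructor path that surfaces a failed allocation as nullptr instead of dereferencing it:

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>
#include <new>
#include <vector>

// Assumed budget for one bitmap's pixel buffer; Blink's real limits differ.
constexpr size_t kMaxBitmapBytes = size_t{1} << 30;  // 1 GiB
constexpr size_t kBytesPerPixel = 4;                  // RGBA8

// Overflow-safe validation of a requested bitmap size.
// Rejects non-positive dimensions, width*height*4 overflowing size_t,
// and buffers larger than kMaxBitmapBytes. On success, optionally
// reports the byte count so the caller allocates exactly what was checked.
bool isSourceSizeValid(int64_t width, int64_t height, size_t* bytesOut = nullptr) {
    if (width <= 0 || height <= 0)
        return false;
    size_t pixels = 0, bytes = 0;
    if (__builtin_mul_overflow(static_cast<size_t>(width),
                               static_cast<size_t>(height), &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, kBytesPerPixel, &bytes))
        return false;
    if (bytes > kMaxBitmapBytes)
        return false;
    if (bytesOut)
        *bytesOut = bytes;
    return true;
}

struct Bitmap {
    int64_t width = 0;
    int64_t height = 0;
    std::vector<uint8_t> pixels;  // width * height * kBytesPerPixel bytes
};

// Size is validated before any allocation, and an allocation failure is
// returned to the caller as nullptr rather than being used as a null buffer.
std::unique_ptr<Bitmap> createBitmap(int64_t width, int64_t height) {
    size_t bytes = 0;
    if (!isSourceSizeValid(width, height, &bytes))
        return nullptr;
    auto bitmap = std::make_unique<Bitmap>();
    bitmap->width = width;
    bitmap->height = height;
    try {
        bitmap->pixels.resize(bytes);
    } catch (const std::bad_alloc&) {
        return nullptr;
    }
    return bitmap;
}
```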
Comment 4 by ClusterFuzz (Project Member), Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=4648560768581632

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ImageBitmap::ImageBitmap
  blink::ImageBitmap::create
  blink::HTMLCanvasElement::createImageBitmap
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=431896:432166
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95SgfTDTEpLo_x6Po-vsS8MW9HTDGP2l1xdps5N98GZzp2p9PuAdB4KiuaPJTDz-yw-u7FaRyZV_Goht_Zzxl3LeXJM00rsCmVP4mVa3ff1wgUfC3hQavK2oGzeh8xisBbMgeefZ9UsBtSma8q1_2YZv0tdkaEeTh1yDD5UjS6Hf047mWGWqj4-ds1oY6qyn0a9uPwIQgI_U8HMGqHfo21i8IWT08BnJ5yHE_DvjTXYmj9mYUd09hYl_WRuMRRdcVxxu008oE_z18DQNOgjxkfjd5ylgTvq9ijS349OEWbRVEBNTFWZQi03oSNohdQEZyN3Eq7CFiemxqHN3xiQvJQnL06WWddiF4jkFBrWcyf8KWiGLQs?testcase_id=4648560768581632


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4648560768581632 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
