Heap-buffer-overflow in SkColorSpaceXform_XYZ<
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4618590008639488
Fuzzer: noel-image-surku
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x61200009c174
Crash State:
  SkColorSpaceXform_XYZ<
  blink::PNGImageDecoder::rowAvailable
  cr_png_push_process_row
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456626:457730
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hpKT0V6fvhAynLU9mtrBzIW1GtF6Is8DNrw6Lcvr5hlf7OCJ0EWlH0K-_ovlxwo096Z3tV4XzeUS7Rg9-Wp3xMk1W34gv7_HVPL9oPsIylXBM8vhUjKZO1F4bHGc1MlLQylE-Plu0yRTERBh25ADGvoBTQZZKq4wEqgWHtYMmERPjsP5G-TLDCdWz9hD5ThMoH6xdcU2h43DklJUivgmkrc7P_-YSx4pZej6EY9jEXyLFInfddQ80_Zi4_daeOjHiBGb3vtchjxb1-ioDQ_y54gm1r0JyNE-_1P4LbC0soj3pJtXrMXM21KezJv24223r9nzJnO-mv5Gja85xKIpFoH4Os6LkBnz1-P9a_kQoS7Vdp6g?testcase_id=4618590008639488

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Mar 17 2017
Issue 702633 has been merged into this issue.

Mar 17 2017
Cary, would you mind taking a look or finding a more appropriate owner?

Mar 21 2017
Matt, is this in your code?

Mar 21 2017
Yes, the overflow is in my code. I suspect this change: https://codereview.chromium.org/2618633004 It's in the blame range and the images from the test case seem to be animated PNGs (Cool!). Reassigning to Leon. tsepez@ why is this labeled M58? I think animated PNG is for M59?

Mar 21 2017
I am unable to see the detailed report as either scroggo@chromium.org or scroggo@google.com. Can someone please give me permission?

Mar 21 2017
Though I am unable to see the report, it looks like this may be related to issue 703397. If that is the case, the fix is at https://codereview.chromium.org/2761193003

Mar 21 2017
Okay, I'm able to see the report now. This is a dupe.

Mar 23 2017
ClusterFuzz has detected this issue as fixed in range 458620:458734.

Detailed report: https://clusterfuzz.com/testcase?key=4618590008639488
Fuzzer: noel-image-surku
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x61200009c174
Crash State:
  SkColorSpaceXform_XYZ<
  blink::PNGImageDecoder::rowAvailable
  cr_png_push_process_row
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456626:457730
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458620:458734
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hpKT0V6fvhAynLU9mtrBzIW1GtF6Is8DNrw6Lcvr5hlf7OCJ0EWlH0K-_ovlxwo096Z3tV4XzeUS7Rg9-Wp3xMk1W34gv7_HVPL9oPsIylXBM8vhUjKZO1F4bHGc1MlLQylE-Plu0yRTERBh25ADGvoBTQZZKq4wEqgWHtYMmERPjsP5G-TLDCdWz9hD5ThMoH6xdcU2h43DklJUivgmkrc7P_-YSx4pZej6EY9jEXyLFInfddQ80_Zi4_daeOjHiBGb3vtchjxb1-ioDQ_y54gm1r0JyNE-_1P4LbC0soj3pJtXrMXM21KezJv24223r9nzJnO-mv5Gja85xKIpFoH4Os6LkBnz1-P9a_kQoS7Vdp6g?testcase_id=4618590008639488

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot