Use-of-uninitialized-value in SkConic::evalAt
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6749034019815424
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkConic::evalAt
  compute_pos_tan
  SkPathMeasure::getSegment
Sanitizer: memory (MSAN)
Recommended Security Severity: Low
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=451926:451942
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96jv2EEOWedvfy5qXRnTK7JJMLHpEeMlQH0alZUvBgt72iOsbQ12lWB5Fku7jUuCLKspdXleLkK4mBUsmEFV128n1m59iYCrPFGW-g_wt0xFZ5SCI65Yr8utk745UzI1Nd3HmwNvNDBeMQZEdqNwBNZPI-04Lr588ziEXYdZRQhppxZzWNOH-Unf6Z3GINvHrDWtFcrMNqNAxLvv0_UG84dNoWFHcO0X0TxR4uVpDreujHh0pzghBOt5LboCZ43zgjFdPPpivwZuUlnVpkUne5A1XsCJ1TAa9rb0et5nw60dC6tiFeSM2Iu1GmnqT0mHIZrrv1ajY_BTjCH0FAeo-L_nyHui2fzCK9Pak5VBeputyhnWC0duZuA6s_PU5xywq5Sv0ODUMm0d8BSut_95NVZ5wY9hA?testcase_id=6749034019815424
Additional requirements: Requires Gestures

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 20 2017
Mar 20 2017
Guessing https://chromium.googlesource.com/chromium/src/+/2ad2a9bf7205ec77843cf27a7964fda92df386b2 based on regression range.
Mar 21 2017
This looks like SkConic / SkPathMeasure not dealing with "large" numbers. Some large enough number can cause overflow to occur in the length calculation, which in turn yields both Infs and NaNs in different stages. (This triggers asserts before reaching the exact position above, but it seems this would easily follow as a consequence.) I've attached a boiled down TC in the form of a patch against Skia. The relationship with my CL is that it - in this particular case - would now include the scale transforms in the transform used to compute the non-scaling-stroke (which in turn yields "large value" geometry.)
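To illustrate the overflow chain this comment describes, an added example (not Skia code and not from the commenter): a quadratic curve with coordinates around 1e30 (constructed sample values) drives a float chord-length sum to Inf, the distance/length ratio to NaN, and the evaluation at that NaN parameter to a NaN point; a finiteness check before the division is the guard a caller would want. The function names (evalQuad, approxLength, naiveParamAt, safeParamAt) are assumptions and only stand in for the Skia routines named in the crash state.

```cpp
#include <cmath>
#include <cstdio>

struct Pt { float x, y; };

// Squared chord length in float: for coordinates near 1e30 the products exceed FLT_MAX and become Inf.
static float distSq(Pt a, Pt b) {
    float dx = b.x - a.x, dy = b.y - a.y;
    return dx * dx + dy * dy;
}

// Quadratic Bezier evaluation (hypothetical stand-in for a conic evaluator with weight 1).
// A NaN parameter t propagates into every coordinate of the result.
static Pt evalQuad(Pt p0, Pt p1, Pt p2, float t) {
    float mt = 1.0f - t;
    return { mt * mt * p0.x + 2 * mt * t * p1.x + t * t * p2.x,
             mt * mt * p0.y + 2 * mt * t * p1.y + t * t * p2.y };
}

// Arc length approximated by summing n chords; once one chord overflows, the sum is Inf.
static float approxLength(Pt p0, Pt p1, Pt p2, int n) {
    float len = 0.0f;
    Pt prev = p0;
    for (int i = 1; i <= n; ++i) {
        Pt cur = evalQuad(p0, p1, p2, (float)i / n);
        len += std::sqrt(distSq(prev, cur));
        prev = cur;
    }
    return len;
}

// Unguarded: parameter for a distance along the curve. Inf / Inf yields NaN.
static float naiveParamAt(float distance, float length) { return distance / length; }

// Guarded: rejects the non-finite values the overflow produces, so no NaN reaches the evaluator.
static bool safeParamAt(float distance, float length, float* t) {
    if (!std::isfinite(distance) || !std::isfinite(length) || length <= 0.0f) return false;
    *t = distance / length;
    return true;
}

// Constructed samples: the same straight curve at ordinary scale and at a ~1e30 scale.
static const Pt kSmall[3] = {{0, 0}, {1, 0}, {2, 0}};
static const Pt kHuge[3]  = {{0, 0}, {1e30f, 0}, {2e30f, 0}};

int main() {
    float len = approxLength(kHuge[0], kHuge[1], kHuge[2], 4);  // Inf
    float t = naiveParamAt(0.5f * len, len);                     // NaN
    Pt p = evalQuad(kHuge[0], kHuge[1], kHuge[2], t);            // NaN point
    float safeT;
    std::printf("length=%g t=%g x=%g guarded=%d\n", len, t, p.x, safeParamAt(0.5f * len, len, &safeT));
    return 0;
}
```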
Apr 18 2017
ClusterFuzz has detected this issue as fixed in range 464942:464964.

Detailed report: https://clusterfuzz.com/testcase?key=6749034019815424
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  SkConic::evalAt
  compute_pos_tan
  SkPathMeasure::getSegment
Sanitizer: memory (MSAN)
Recommended Security Severity: Low
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=451926:451942
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=464942:464964
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96jv2EEOWedvfy5qXRnTK7JJMLHpEeMlQH0alZUvBgt72iOsbQ12lWB5Fku7jUuCLKspdXleLkK4mBUsmEFV128n1m59iYCrPFGW-g_wt0xFZ5SCI65Yr8utk745UzI1Nd3HmwNvNDBeMQZEdqNwBNZPI-04Lr588ziEXYdZRQhppxZzWNOH-Unf6Z3GINvHrDWtFcrMNqNAxLvv0_UG84dNoWFHcO0X0TxR4uVpDreujHh0pzghBOt5LboCZ43zgjFdPPpivwZuUlnVpkUne5A1XsCJ1TAa9rb0et5nw60dC6tiFeSM2Iu1GmnqT0mHIZrrv1ajY_BTjCH0FAeo-L_nyHui2fzCK9Pak5VBeputyhnWC0duZuA6s_PU5xywq5Sv0ODUMm0d8BSut_95NVZ5wY9hA?testcase_id=6749034019815424
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 18 2017
ClusterFuzz testcase 6749034019815424 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 18 2017
Jul 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Mar 19 2017