Heap-buffer-overflow in gl::Framebuffer::getDrawBufferState
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4684058933329920

Fuzzer: libfuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x6030000019dc
Crash State:
  gl::Framebuffer::getDrawBufferState
  gl::State::getIntegerv
  gl::GetIntegervRobustANGLE

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=458075:458147

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94VOmKgNajmlMGopsHwyUzSspmt23fNWOWA2zySr1sf2u4QAsrRLD-R9XGUuIkEV_RdFOzsutrNA4lwG3eUMoO3oE2cLTudmt9jQBlAwZZjHt5hl_AN-m9qVcirCTvs7D9gNpWkTOKtYk2KTBctgyyK-seSRrsIP5TzZ4Wa5llws90M0fByaevGSYP2KfM4oTDz4ptMF3f9Cel_fUZVneCnEoJf4PbfwYlaTmGdQQCmL50YXyt4QTBw36txOidcy9QXqJs_SrwJQBvftdozC-sIAWmft-TTHeZ2oCxyIVI7Bv9yubQwFrwmxCm33pQWHwMbZy5HnM_XtPJ7y1JeBVOJ0PaqAefxCa7mvq9uOgUInuiwSZLjOPls8pyrpnCiLjNGimIII51jUdURGMgqR9rDOOVwRg?testcase_id=4684058933329920

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Mar 21 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 21 2017
,
Mar 21 2017
geofflang: Can you help triage? I believe this turned up as a result of the fuzzer you modified.
,
Mar 21 2017
Thanks, I'm the correct person to assign bugs with the libfuzzer_gpu_angle_passthrough_fuzzer.
,
Mar 21 2017
,
Mar 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/angle/angle/+/d90d388cdbab8ff274393580c597a9e16808bfe3

commit d90d388cdbab8ff274393580c597a9e16808bfe3
Author: Geoff Lang <geofflang@chromium.org>
Date: Tue Mar 21 19:16:47 2017

Make sure the default framebuffer has enough draw buffer states.

Querying the draw buffer states of the default framebuffer would lead to crashes because it only had one state. The spec says that all non-zero attachments default to GL_NONE and makes no mention of special-cased errors for querying the default framebuffer.

Also fix the validation to check for extensions and ES version when querying draw buffer state.

BUG= 703508
Change-Id: I7db5443141c65a3f9c638f07ba90f78d76e4e7b4
Reviewed-on: https://chromium-review.googlesource.com/457524
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/d90d388cdbab8ff274393580c597a9e16808bfe3/src/libANGLE/Framebuffer.cpp
[modify] https://crrev.com/d90d388cdbab8ff274393580c597a9e16808bfe3/src/libANGLE/ContextState.cpp
[modify] https://crrev.com/d90d388cdbab8ff274393580c597a9e16808bfe3/src/libANGLE/renderer/d3d/d3d11/Clear11.cpp
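The bug class behind the ASAN report, as an added illustration that is not ANGLE's code or the content of the commit above: a per-framebuffer draw-buffer state table that is allocated with a single entry for the default framebuffer, queried by an index derived from the GL_DRAW_BUFFERi pname, and read without comparing the index to the table length. The "after" constructor, the bounds-checked read, and the ES-version / extension validation mirror the three things the commit message says it changed. The struct names, the ContextCaps fields, and the choice of which GL error each validation failure maps to are assumptions for the example; the GL enum values are the standard GLES ones.

```cpp
#include <cstddef>
#include <vector>

// Standard GLES enum values (trailing underscore avoids clashing with real headers).
constexpr int GL_NONE_              = 0;
constexpr int GL_BACK_              = 0x0405;
constexpr int GL_NO_ERROR_          = 0;
constexpr int GL_INVALID_ENUM_      = 0x0500;
constexpr int GL_INVALID_OPERATION_ = 0x0502;

// Hypothetical capability set for the current context (not ANGLE's Caps type).
struct ContextCaps {
    int    clientMajorVersion;      // 2 or 3
    bool   hasDrawBuffersExtension; // ES2 draw-buffers extension exposed? (assumed flag)
    size_t maxDrawBuffers;          // value of GL_MAX_DRAW_BUFFERS
};

// Hypothetical stand-in for the per-framebuffer draw-buffer state table.
struct FramebufferState {
    std::vector<int> drawBufferStates; // entry i answers GL_DRAW_BUFFERi
};

// "Before": the default framebuffer was created with exactly one entry, so any
// query for GL_DRAW_BUFFERi with i >= 1 indexed past the heap allocation.
FramebufferState makeDefaultFramebufferBefore() {
    return FramebufferState{{GL_BACK_}};
}

// "After": the default framebuffer gets maxDrawBuffers entries; slot 0 is
// GL_BACK and every other slot defaults to GL_NONE, as the spec describes.
FramebufferState makeDefaultFramebufferAfter(size_t maxDrawBuffers) {
    FramebufferState fb;
    fb.drawBufferStates.assign(maxDrawBuffers, GL_NONE_);
    if (maxDrawBuffers > 0) fb.drawBufferStates[0] = GL_BACK_;
    return fb;
}

// The validation the commit says was also missing: GL_DRAW_BUFFERi is only a
// valid query on ES3 or with the draw-buffers extension, and i must be below
// GL_MAX_DRAW_BUFFERS. Error codes chosen here are an assumption for the
// example. Returns GL_NO_ERROR_ when the query is acceptable.
int validateGetDrawBufferQuery(const ContextCaps &caps, size_t index) {
    if (caps.clientMajorVersion < 3 && !caps.hasDrawBuffersExtension)
        return GL_INVALID_ENUM_;
    if (index >= caps.maxDrawBuffers)
        return GL_INVALID_OPERATION_;
    return GL_NO_ERROR_;
}

// Defence in depth at the read itself: refuse rather than read out of range.
// The crash in this issue was exactly this read with no size check.
bool getDrawBufferState(const FramebufferState &fb, size_t index, int *out) {
    if (index >= fb.drawBufferStates.size()) return false;
    *out = fb.drawBufferStates[index];
    return true;
}

// Invariant the fix establishes: every framebuffer holds at least
// maxDrawBuffers states, so an index that passed validation is always in range.
bool hasEnoughDrawBufferStates(const FramebufferState &fb, const ContextCaps &caps) {
    return fb.drawBufferStates.size() >= caps.maxDrawBuffers;
}
```

The point for reviewers of similar code: a front-line validation check (version, extension, index < max) is only sufficient if every object it guards actually satisfies the size invariant; here the default framebuffer did not, so a query that passed validation still read off the end of the heap buffer.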
,
Mar 22 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/75c2d0bf77682c000f238a2c67158def96bcaedc

commit 75c2d0bf77682c000f238a2c67158def96bcaedc
Author: geofflang <geofflang@chromium.org>
Date: Wed Mar 22 16:46:39 2017

Roll ANGLE 16d4e47..d0fcb90

https://chromium.googlesource.com/angle/angle.git/+log/16d4e47..d0fcb90

BUG= 703508
TBR=jmadill@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2759423005
Cr-Commit-Position: refs/heads/master@{#458778}

[modify] https://crrev.com/75c2d0bf77682c000f238a2c67158def96bcaedc/DEPS
,
Mar 23 2017
ClusterFuzz has detected this issue as fixed in range 458751:458783.

Detailed report: https://clusterfuzz.com/testcase?key=4684058933329920

Fuzzer: libfuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x6030000019dc
Crash State:
  gl::Framebuffer::getDrawBufferState
  gl::State::getIntegerv
  gl::GetIntegervRobustANGLE

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=458075:458147
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=458751:458783

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94VOmKgNajmlMGopsHwyUzSspmt23fNWOWA2zySr1sf2u4QAsrRLD-R9XGUuIkEV_RdFOzsutrNA4lwG3eUMoO3oE2cLTudmt9jQBlAwZZjHt5hl_AN-m9qVcirCTvs7D9gNpWkTOKtYk2KTBctgyyK-seSRrsIP5TzZ4Wa5llws90M0fByaevGSYP2KfM4oTDz4ptMF3f9Cel_fUZVneCnEoJf4PbfwYlaTmGdQQCmL50YXyt4QTBw36txOidcy9QXqJs_SrwJQBvftdozC-sIAWmft-TTHeZ2oCxyIVI7Bv9yubQwFrwmxCm33pQWHwMbZy5HnM_XtPJ7y1JeBVOJ0PaqAefxCa7mvq9uOgUInuiwSZLjOPls8pyrpnCiLjNGimIII51jUdURGMgqR9rDOOVwRg?testcase_id=4684058933329920

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 23 2017
ClusterFuzz testcase 4684058933329920 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 23 2017
,
Apr 7 2017
,
Jun 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot