Heap-buffer-overflow in SetNumResults
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5317377630928896

Fuzzer: afl_gpu_angle_passthrough_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x62900000e200
Crash State:
  SetNumResults
  gpu::gles2::GLES2DecoderPassthroughImpl::HandleGetTexParameterfv
  gpu::gles2::GLES2DecoderPassthroughImpl::DoCommands

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=458074:458115

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96BTWYGEDQc64NB9TkF0Ev3ntuDVDo7mQKaW0yDT7qbm6BhtvmDytIRiwBakQy3-tNvTZgtoB0gdTAlcmXhwNfURgzgo8y3OKlJz1MZ_1G36RvgPeE0_kPw9qdXa1Fr7cH00p1dscfGCQv91Z6l-o4Ses1StKIuZagZ9lbp6xiBrsfa7J7FwalM-KmvD49yelvfiGWn1P_0C5jem2SaXtKuoWiL1tx0oeg6kxLsxnAz0IChZDHv-mt-qn8VSiRa7CAyL7WnQ8d5QVE65gxLlaVRxy9YUuU8hqdTWTseoUWgLPrtNjJ_6b8ipc95wFciNgJO8Di0aKReGnT29f4OYvQI3RBtfXaxyl-GdZHot9-dxcUn8ZzYzmFTHN_p3s3MRRkqEpcTO7NxaGeN_86XlOAUWdYBag?testcase_id=5317377630928896

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Mar 22 2017

Mar 22 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 22 2017

Mar 22 2017
This code is not released yet, removing the release block labels.
Mar 22 2017
Removing security labels as it can't affect users. (Leaving restrict view label for now).
Mar 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1

commit bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1
Author: geofflang <geofflang@chromium.org>
Date: Wed Mar 22 20:51:28 2017

Make sure buffers are large enough to hold the Result structure.

The passthrough command decoder would correctly compute that it cannot write any results to the buffer but would still write out of bounds when trying to write the size member of the result when the buffer size is 0.

BUG= 703861
BUG= 703724
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2764403002
Cr-Commit-Position: refs/heads/master@{#458868}

[modify] https://crrev.com/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1/gpu/command_buffer/build_gles2_cmd_buffer.py
[modify] https://crrev.com/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1/gpu/command_buffer/service/common_decoder.cc
[modify] https://crrev.com/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1/gpu/command_buffer/service/common_decoder.h
[modify] https://crrev.com/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_handlers.cc
[modify] https://crrev.com/bdd9f645d6e6bb56bfa31c74c88a8842fda5d9d1/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_handlers_autogen.cc
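The commit message above describes the failure mode precisely: the handler correctly works out that zero values fit in the client's result buffer, the GL call writes nothing, and then the decoder still stores the 4-byte `size` member of the Result header into a buffer that is 0 bytes long. The following C model is an added example written for this page; it is not Chromium's decoder code and not the patch itself. It reproduces that pattern against a simulated shared-memory region with canary bytes just past the mapped area, then shows the fix the commit describes (reject any buffer smaller than the Result structure before writing anything). All names (`shm_get`, `compute_max_results`, `handle_vulnerable`, `handle_fixed`, the `9729.0f` sample value) are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the bug pattern in the commit message above.
 * Stand-alone model, not Chromium code; names and values are assumptions. */

enum { ERR_NONE = 0, ERR_OUT_OF_BOUNDS = 1 };

/* Result layout handed back through client shared memory: a 4-byte count
 * of values actually written, followed by the values themselves. */
struct sized_result {
    uint32_t size;
    float data[1];
};

/* Client-visible shared memory; the client may only address [0, mapped_size). */
struct shm {
    uint8_t *base;
    size_t mapped_size;
};

/* Range-checks a client-supplied (offset, size). A zero-length range ending
 * exactly at mapped_size passes and yields a pointer to a buffer that holds
 * nothing at all: that is the case the vulnerable handler mishandles. */
static void *shm_get(struct shm *s, uint32_t offset, uint32_t size) {
    if (offset > s->mapped_size || size > s->mapped_size - offset) return NULL;
    return s->base + offset;
}

/* Values that fit after the header; correctly 0 for a 0-byte buffer. */
uint32_t compute_max_results(uint32_t buf_size) {
    size_t hdr = offsetof(struct sized_result, data);
    return buf_size < hdr ? 0 : (uint32_t)((buf_size - hdr) / sizeof(float));
}

/* Stand-in for the GL driver call: one float parameter if there is room,
 * nothing written when bufsize is 0. */
static uint32_t fake_gl_get_tex_parameterfv(uint32_t bufsize, float *params) {
    if (bufsize == 0) return 0;
    params[0] = 9729.0f;    /* assumed sample value (GL_LINEAR) */
    return 1;
}

/* Vulnerable pattern: bufsize is computed correctly (0) and the driver writes
 * no values, but the 4-byte size member is stored unconditionally. */
int handle_vulnerable(struct shm *s, uint32_t offset, uint32_t size) {
    struct sized_result *result = shm_get(s, offset, size);
    if (result == NULL) return ERR_OUT_OF_BOUNDS;
    uint32_t bufsize = compute_max_results(size);
    uint32_t written = fake_gl_get_tex_parameterfv(bufsize, result->data);
    if (written > bufsize) return ERR_OUT_OF_BOUNDS;
    result->size = written;          /* 4-byte write past a 0-byte buffer */
    return ERR_NONE;
}

/* Fixed pattern: refuse any buffer too small to hold the Result structure
 * before touching it, so the header write is always in bounds. */
int handle_fixed(struct shm *s, uint32_t offset, uint32_t size) {
    if (size < sizeof(struct sized_result)) return ERR_OUT_OF_BOUNDS;
    struct sized_result *result = shm_get(s, offset, size);
    if (result == NULL) return ERR_OUT_OF_BOUNDS;
    uint32_t bufsize = compute_max_results(size);
    uint32_t written = fake_gl_get_tex_parameterfv(bufsize, result->data);
    if (written > bufsize) return ERR_OUT_OF_BOUNDS;
    result->size = written;
    return ERR_NONE;
}

enum { MAPPED = 64, BACKING = 128 };

/* Drives a handler with a 0-byte result buffer at the very end of the mapped
 * region, with 0xAA canary bytes in the backing store just past it. Returns 1
 * if the canary was overwritten, 0 if it survived; *err gets the return code. */
int run_zero_size_buffer(int (*handler)(struct shm *, uint32_t, uint32_t), int *err) {
    uint8_t *backing = malloc(BACKING);
    if (backing == NULL) return -1;
    memset(backing, 0xAA, BACKING);
    struct shm s = { backing, MAPPED };
    *err = handler(&s, MAPPED, 0);
    int clobbered = 0;
    for (size_t i = MAPPED; i < BACKING; i++)
        if (backing[i] != 0xAA) clobbered = 1;
    free(backing);
    return clobbered;
}

/* Normal path: a buffer exactly the size of the Result receives one value.
 * Returns 1 on success and stores the value that was written. */
int run_valid_buffer(int (*handler)(struct shm *, uint32_t, uint32_t), float *value) {
    uint8_t *backing = calloc(BACKING, 1);
    if (backing == NULL) return -1;
    struct shm s = { backing, MAPPED };
    int err = handler(&s, 0, sizeof(struct sized_result));
    struct sized_result *r = (struct sized_result *)backing;
    int ok = (err == ERR_NONE && r->size == 1);
    *value = r->data[0];
    free(backing);
    return ok;
}

int main(void) {
    int err;
    int hit = run_zero_size_buffer(handle_vulnerable, &err);
    printf("vulnerable: canary clobbered=%d err=%d\n", hit, err);
    hit = run_zero_size_buffer(handle_fixed, &err);
    printf("fixed:      canary clobbered=%d err=%d\n", hit, err);
    return 0;
}
```

The point of the canary check is that the vulnerable handler returns ERR_NONE for the 0-byte buffer and still corrupts memory outside the client's mapped region, exactly the WRITE 4 that ASan reported in SetNumResults; the fixed handler turns the same input into an ERR_OUT_OF_BOUNDS before any store. The size check has to come before the first write to the result, not after the value count is computed.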
Mar 23 2017
ClusterFuzz has detected this issue as fixed in range 458856:458883.

Detailed report: https://clusterfuzz.com/testcase?key=5317377630928896

Fuzzer: afl_gpu_angle_passthrough_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x62900000e200
Crash State:
  SetNumResults
  gpu::gles2::GLES2DecoderPassthroughImpl::HandleGetTexParameterfv
  gpu::gles2::GLES2DecoderPassthroughImpl::DoCommands

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=458074:458115
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=458856:458883

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96BTWYGEDQc64NB9TkF0Ev3ntuDVDo7mQKaW0yDT7qbm6BhtvmDytIRiwBakQy3-tNvTZgtoB0gdTAlcmXhwNfURgzgo8y3OKlJz1MZ_1G36RvgPeE0_kPw9qdXa1Fr7cH00p1dscfGCQv91Z6l-o4Ses1StKIuZagZ9lbp6xiBrsfa7J7FwalM-KmvD49yelvfiGWn1P_0C5jem2SaXtKuoWiL1tx0oeg6kxLsxnAz0IChZDHv-mt-qn8VSiRa7CAyL7WnQ8d5QVE65gxLlaVRxy9YUuU8hqdTWTseoUWgLPrtNjJ_6b8ipc95wFciNgJO8Di0aKReGnT29f4OYvQI3RBtfXaxyl-GdZHot9-dxcUn8ZzYzmFTHN_p3s3MRRkqEpcTO7NxaGeN_86XlOAUWdYBag?testcase_id=5317377630928896

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 23 2017

Mar 24 2017

Jun 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rsesek@chromium.org, Mar 21 2017
Owner: geoffl...@chromium.org
Status: Assigned (was: Untriaged)