Not a lot in the blame list for this one. Only one skia revision in there and I didn't see much obvious.

+hcm, +mtklein, do you mind triaging this one?

+Matt

Looks like we're doing one of the fancier color space transforms.  If I'm reading the detailed crash right, it looks like we're missing a clamp_0/clamp_1 after the matrix_3x4, and then we're reading something like table[-3]?

This one is probably not a regression... that code path hasn't changed much since the fall.  I think it's a new fuzzer.

Nah, gotta be something else.  There are unconditional clamps after matrix_3x4, and while you can't see them on the stack, you can see their (outlined o_0) calls to next.

Some interplay between the data in the table_{r,g,b} and the color LUT logic?

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

No, it's a new fuzzer.

If this code is live in chrome right now, I'd like to bump the priority back up. Even if it's a new fuzzer it might have found an old vulnerability. Do you have any more thoughts regarding the security triage here?

ClusterFuzz testcase 5618607125168128 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 463175:463182.

Detailed report: https://clusterfuzz.com/testcase?key=4952445282418688

Fuzzer: libfuzzer_skia_color_space_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x607000000ff4
Crash State:
  SkColorLookUpTable::interp3D
  SkColorLookUpTable::interp
  color_lookup_table_kernel
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=463171:463175
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=463175:463182

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96HYzHir66QmgEEYimppmUOWZ5OsgHs7oA287jFuAu1Wei6IzKqUSAVH7cYve1ANhvSmH-QJ0oTHqafF1fgf9-rJk6PZ-TzvYi8hYgfLLxjh4QU6Evqg73OhzvAbV-o2aKIq3oOION42PRKJmsfLq7405aSqVVoYZKdxpBs-zXUZnF7ITAqzNJsGrJznZ54r0qOh45bNLMIACz3sVo2LOXEE8clbRfBNGMAD8h51Sh88rPo6R0ZrQYw9bk8aus307pTt8bf79EPXkZWLbaFQ2yvSgvfIttzrRF1exEmHc88WYvAs_NNG5oB1C1sq4gFLq7G9b-lFRah8m3S9ybO140sRrA-jGa_smjVjLINJTVSDzf-U5g?testcase_id=4952445282418688


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Yes, it's definitely a new fuzzer finding an old vulnerability.

Not sure why, clusterfuzz thinks this is fixed.  I'm taking a look now.

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/3fbca26e9c0e6e3c27c9dd437c9f790a31f20675

commit 3fbca26e9c0e6e3c27c9dd437c9f790a31f20675
Author: Matt Sarett <msarett@google.com>
Date: Tue Apr 11 14:03:48 2017

Make sure NaNs clamp to 0 in color look up tables

This operation assumes 0-1 input and guarantees 0-1 output.
The old clamp was poorly written, causing the possibility
for NaNs to not be set to 0.

BUG= 709941 
Change-Id: I691f0494a562a329967f5b0149a1ba04cbeb8464
Reviewed-on: https://skia-review.googlesource.com/13134
Commit-Queue: Matt Sarett <msarett@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>

[modify] https://crrev.com/3fbca26e9c0e6e3c27c9dd437c9f790a31f20675/src/core/SkColorLookUpTable.cpp
[modify] https://crrev.com/3fbca26e9c0e6e3c27c9dd437c9f790a31f20675/src/core/SkColorSpaceXformPriv.h

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb5af30ea5537cc1f02265dcec0981c1bf10a8d2

commit fb5af30ea5537cc1f02265dcec0981c1bf10a8d2
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Apr 11 17:17:55 2017

Roll src/third_party/skia/ 31f99ce7d..da90109a9 (9 commits)

https://skia.googlesource.com/skia.git/+log/31f99ce7d2f3..da90109a9109

$ git log 31f99ce7d..da90109a9 --date=short --no-merges --format='%ad %ae %s'
2017-04-11 mtklein Make SkLiteDL::draw() const.
2017-04-11 mtklein make SkRecord normally SkRefCnt'd
2017-04-11 mtklein Revert "remove unused SkBitmap::copyPixelsTo"
2017-04-11 scroggo Correct GIF frame dependencies and track alpha
2017-04-10 reed remove unused SkBitmap::copyPixelsTo
2017-04-10 mtklein remove SkNx AVX code
2017-04-11 kjlubick Fix symbolization of ASAN crashes
2017-04-11 msarett Allow BF and BRD clients to request an output color space
2017-04-11 msarett Make sure NaNs clamp to 0 in color look up tables

Created with:
  roll-dep src/third_party/skia
BUG= 709941 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=mtklein@chromium.org

Change-Id: I74c941b09909ce9c31579f8a63cb78eda756a565
Reviewed-on: https://chromium-review.googlesource.com/474235
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#463665}
[modify] https://crrev.com/fb5af30ea5537cc1f02265dcec0981c1bf10a8d2/DEPS

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot