Integer-overflow in SkAAClip::setRegion
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6274296327700480

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkAAClip::setRegion
  SkRasterClip::convertToAA
  SkRasterClip::op

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=455091:455389

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97YE8ZZ4wa_9rA8htlzScLP_TZqCnuD2vOJMg_U71JosI-5S6uLdmpIfuL2Ofj-kscf55wOxU3VSxqy8QKUxz3rcEnmPnrhNeVqz_jQMlKkBZmcgRHOOzWRl__3j4q-OecDR-n7ZQdbiyHUd7_jHZlY95EKWRnBG7f0K-4wKE9b01deUpPFHNkv6wRcd8LeyD4cK-uTL_8TyrJdk5XvPs0jN8uGBj6HjapUT56VzQdTDo1kGiX9jVfE-uWDfuC6G8an8Icma7GOJ7fvET-ZC1phv30d30w3shGvumzAIcyqJfwza6tu7wX04RnCQCYJ4xGMmE0XX3dBKzERSctp1SVWR2RRB8Sakl_6DwkASgo3W6F_b7s?testcase_id=6274296327700480

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://skia.googlesource.com/skia/+/a1361364e64138adda3dc5f71d50d7503838bb6d (Revert[6] "Remove SkDraw from device-draw methods, and enable device-centric clipping."). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Oct 4 2017

Oct 4 2017
The following revision refers to this bug:
https://skia.googlesource.com/skia/+/e06739531b5067564c2ce90c35522c6590162e29

commit e06739531b5067564c2ce90c35522c6590162e29
Author: Mike Reed <reed@google.com>
Date: Wed Oct 04 21:14:23 2017

Avoid overflow computing reserve for aaclip

BUG= chromium:713764

Change-Id: I32c95157d5f2b21e9981a07092558a1f6294a463
Reviewed-on: https://skia-review.googlesource.com/55380
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Mike Reed <reed@google.com>

[modify] https://crrev.com/e06739531b5067564c2ce90c35522c6590162e29/src/core/SkAAClip.cpp

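The commit above says only that the reserve computation for the AA clip could overflow; the actual change to SkAAClip.cpp is not reproduced on this page. As an added illustration of the bug class, and not Skia's code or the code from that commit, the following C++ example computes a reservation size for a clip of the given bounds two ways: a naive version done entirely in int, which UBSan reports as signed-integer-overflow for oversized bounds (the crash type in the report above), and a checked version that widens to 64 bits, verifies every operation with the compiler's overflow-checking builtins, and refuses anything over a sanity cap. ClipRect, kRowOverheadBytes, kMaxReserveBytes and the per-row size formula are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical rectangle type standing in for the clip bounds handed to a
// setRegion()-style routine. Illustration only; not Skia's SkIRect.
struct ClipRect {
    int32_t left, top, right, bottom;
};

// Hypothetical per-row encoding overhead and a hypothetical sanity cap on the
// total reservation. Both constants are assumptions for this example.
static const int kRowOverheadBytes = 8;
static const uint64_t kMaxReserveBytes = 1u << 30;   // 1 GiB

// Naive reserve computation done entirely in int. For a large enough clip the
// products overflow, which UBSan reports as signed-integer-overflow. Only
// meaningful for inputs that do not overflow; anything else is UB.
static int naive_reserve(const ClipRect& r) {
    int width  = r.right - r.left;              // can overflow for extreme bounds
    int height = r.bottom - r.top;
    int rowBytes = 2 * width + kRowOverheadBytes;
    return height * rowBytes;                   // overflows for large width*height
}

// Hardened reserve computation: widen to 64 bits, check each step with
// __builtin_*_overflow, and fail closed instead of returning a wrapped size.
static bool checked_reserve(const ClipRect& r, size_t* out) {
    if (r.right < r.left || r.bottom < r.top) {
        return false;                           // inverted rect, not a valid clip
    }
    // int64_t subtraction cannot overflow for int32_t operands.
    uint64_t width  = (uint64_t)((int64_t)r.right - (int64_t)r.left);
    uint64_t height = (uint64_t)((int64_t)r.bottom - (int64_t)r.top);

    uint64_t rowBytes = 0;
    uint64_t total = 0;
    if (__builtin_mul_overflow(width, (uint64_t)2, &rowBytes)) return false;
    if (__builtin_add_overflow(rowBytes, (uint64_t)kRowOverheadBytes, &rowBytes)) return false;
    if (__builtin_mul_overflow(height, rowBytes, &total)) return false;
    if (total > kMaxReserveBytes) return false; // fits in 64 bits but is absurd
    *out = (size_t)total;
    return true;
}

// Convenience wrapper: the reservation size, or 0 if it was rejected.
static size_t reserve_or_zero(const ClipRect& r) {
    size_t n = 0;
    return checked_reserve(r, &n) ? n : 0;
}

int main() {
    ClipRect small = {0, 0, 100, 50};
    ClipRect huge  = {INT32_MIN, INT32_MIN, INT32_MAX, INT32_MAX};
    std::printf("small: naive=%d checked=%zu\n",
                naive_reserve(small), reserve_or_zero(small));
    std::printf("huge: checked rejects=%s\n",
                reserve_or_zero(huge) == 0 ? "yes" : "no");
    return 0;
}
```

The point that matters for triage is that a wrapped reservation is not just a wrong number: any buffer sized from it is smaller than the data written into it afterward, so the check has to fail closed (return false or clamp) rather than carry on with the truncated value. The cap also catches clips whose size fits in 64 bits but could never be allocated.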
Oct 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8edeef4dac8a2116bd8f5abf9b80af128e138f7c

commit 8edeef4dac8a2116bd8f5abf9b80af128e138f7c
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Thu Oct 05 01:16:46 2017

Roll src/third_party/skia/ 0078e9127..98156c459 (10 commits)

https://skia.googlesource.com/skia.git/+log/0078e912718c..98156c4592d9

$ git log 0078e9127..98156c459 --date=short --no-merges --format='%ad %ae %s'
2017-10-04 mtklein refactor SkColorSpaceXform a bit
2017-10-04 csmartdalton Don't execute onFlush op lists until after GPU data is uploaded
2017-10-04 angle-deps-roller Roll skia/third_party/externals/angle2/ cb62d86fc..10d4026b3 (1 commit)
2017-10-03 bungeman Clean up SkString reference counting a bit.
2017-10-04 reed Avoid overflow computing reserve for aaclip
2017-10-04 angle-deps-roller Roll skia/third_party/externals/angle2/ baf5d9458..cb62d86fc (1 commit)
2017-10-04 egdaniel Revert "Revert "Update lockTextureProxy to return mipped proxys if mipping is requested.""
2017-10-04 brianosman Sever fOriginalPath connection whenever a GrShape becomes a simple type
2017-10-04 brianosman Fix path renderer cache test logic to account for other resources
2017-10-04 caryclark starting next gaggle of docs

Created with:
  roll-dep src/third_party/skia

BUG= 713764

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

TBR=scroggo@chromium.org

Change-Id: I1c7ba3862483d32a694242e204a58c727094614f
Reviewed-on: https://chromium-review.googlesource.com/701642
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506603}

[modify] https://crrev.com/8edeef4dac8a2116bd8f5abf9b80af128e138f7c/DEPS

Oct 5 2017
ClusterFuzz has detected this issue as fixed in range 506555:506613.

Detailed report: https://clusterfuzz.com/testcase?key=6274296327700480

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  SkAAClip::setRegion
  SkRasterClip::convertToAA
  SkRasterClip::op

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=455091:455389
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=506555:506613

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6274296327700480

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 5 2017
ClusterFuzz testcase 6274296327700480 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 7 2017

Comment 1 by msrchandra@chromium.org, Apr 20 2017
Labels: M-60 Test-Predator-Wrong-CLs