Crash in gpu::gles2::GLES2DecoderImpl::DoDrawElements |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4551537438490624

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x1f6617b6c000
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoDrawElements
  gpu::gles2::GLES2DecoderImpl::HandleDrawElements
  gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>

Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=443258:443393

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4551537438490624

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, May 8 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 8 2017
Unmerging while I investigate.
May 8 2017
This one is a bug in osmesa, where it doesn't handle correctly glDrawElements being called with a number of vertices representing partial primitives in some cases. This is well defined in the spec (partial primitives are skipped), but the code makes the assumption that it's called with only complete primitives: replay_elts in third_party/mesa/src/src/mesa/vbo/vbo_split_copy.c:406

    for (; j != prim->count && !split; )
        for (k = 0; k < incr; k++, j++)
            split |= elt(copy, start+j);

It assumes prim->count is a multiple of incr (otherwise may not even terminate and copies out-of-bounds).

So, wontfix (we don't ship with osmesa in prod, and we will replace it with SwiftShader for tests soonish). But since the bug is specific to osmesa, it doesn't explain bug 719162.
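To make the termination failure described in the comment above concrete, here is an added C model of that replay loop beside a version bounded on whole primitives; this is constructed for illustration, not mesa's code and not from this bug thread. It stubs elt() to count reads, folds start to zero, and uses the hypothetical names Replay, replay_buggy and replay_fixed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of the index-replay loop quoted above. In mesa, elt()
 * copies one index into a working buffer and reports when a split is needed;
 * this stub instead records how many indices were read and how many of those
 * lay past prim->count. Replay, replay_buggy, replay_fixed are hypothetical. */
typedef struct {
    unsigned count;          /* prim->count: indices in the draw call */
    unsigned incr;           /* indices per primitive, 3 for GL_TRIANGLES */
    unsigned max_steps;      /* guard so the buggy loop cannot spin forever */
    unsigned touched;        /* indices read so far */
    unsigned out_of_bounds;  /* reads at positions >= count */
} Replay;

static bool elt(Replay *r, unsigned j) {
    r->touched++;
    if (j >= r->count)
        r->out_of_bounds++;
    return false;            /* this model never requests a split */
}

/* The loop as quoted: it stops only when j lands exactly on count, so a
 * count that is not a multiple of incr reads past the end of the buffer. */
static bool replay_buggy(Replay *r) {
    unsigned j = 0, k;
    bool split = false;
    for (; j != r->count && !split; ) {
        if (r->touched >= r->max_steps)
            return false;    /* would never terminate without the guard */
        for (k = 0; k < r->incr; k++, j++)
            split |= elt(r, j);
    }
    return true;
}

/* Bound the loop on whole primitives; the trailing partial primitive is
 * skipped, which is the behaviour the GL spec defines for it. */
static bool replay_fixed(Replay *r) {
    unsigned j = 0, k;
    bool split = false;
    for (; j + r->incr <= r->count && !split; ) {
        for (k = 0; k < r->incr; k++, j++)
            split |= elt(r, j);
    }
    return true;
}

int main(void) {  /* 7 indices of GL_TRIANGLES: two triangles plus one stray index */
    Replay a = { 7, 3, 30, 0, 0 }, b = { 7, 3, 30, 0, 0 };
    printf("buggy terminated=%d out_of_bounds=%u\n", replay_buggy(&a), a.out_of_bounds);
    printf("fixed terminated=%d read=%u out_of_bounds=%u\n", replay_fixed(&b), b.touched, b.out_of_bounds);
}
```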
Jun 2 2017
ClusterFuzz has detected this issue as fixed in range 476474:476505.

Detailed report: https://clusterfuzz.com/testcase?key=4551537438490624

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x3a94c166d000
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoDrawElements
  gpu::gles2::GLES2DecoderImpl::HandleDrawElements
  gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>

Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=476474:476505

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4551537438490624

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |