Heap-buffer-overflow in copyFTBitmap
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6577051430813696
Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x619000030180
Crash State:
  copyFTBitmap
  SkScalerContext_FreeType_Base::generateGlyphImage
  SkScalerContext_FreeType::generateImage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=470069:470142
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577051430813696

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 25 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 25 2017
ClusterFuzz marked this as a regression but I don't see any candidates in the range (and in particular, no Skia rolls). Is anyone on the Skia team able to help triage this?
May 26 2017
Probably triggered by "Statically link own version of FreeType on Linux"?
May 29 2017
Perhaps exposed through the static FreeType linkage CL, which brings in a newer FreeType version than what the inferno_twister_c/linux_asan_chrome_media tests used to run before, since we do not rely on the platform's FreeType version anymore. Are the linux_asan_chrome_media tests run through the chrome or through the content_shell executable? content_shell used to link FreeType statically even before. Still, I believe the Skia team would be the right team to investigate this and perhaps reduce this to a FreeType issue? Mike, could you take a look or route this appropriately?
May 30 2017
Probably should route to Ben but he is out for a while, so leave w/ Mike for a look.
Jun 8 2017
bungeman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 22 2017
bungeman: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 27 2017
The following revision refers to this bug: https://skia.googlesource.com/skia/+/c3aef18419c1bb16951370e11758c7ef131fa10b

commit c3aef18419c1bb16951370e11758c7ef131fa10b
Author: Ben Wagner <bungeman@google.com>
Date: Tue Jun 27 14:01:35 2017

Load FreeType glyph bitmap before emboldening.

If a bitmap glyph was loaded with FT_LOAD_BITMAP_METRICS_ONLY then the glyph must be re-loaded without this flag before accessing the bitmap.

BUG= chromium:725975
Change-Id: If5e5a6844e9c32238560135e141fea7f77ad7fac
Reviewed-on: https://skia-review.googlesource.com/20830
Reviewed-by: Herb Derby <herb@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Ben Wagner <bungeman@google.com>

[modify] https://crrev.com/c3aef18419c1bb16951370e11758c7ef131fa10b/src/ports/SkFontHost_FreeType.cpp
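The invariant behind the fix above, shown as an added example that is not Skia's or FreeType's code: a glyph slot loaded with a metrics-only flag carries dimensions but no pixel buffer, so a bitmap copy must first confirm the slot was really loaded (reloading it if not) and must check that the source rows fit the destination allocation before writing. The `rows`, `width`, `pitch` and `buffer` field names follow FreeType's `FT_Bitmap`; the `glyph_slot_t` type, the `load_glyph` loader standing in for `FT_Load_Glyph`, the pixel pattern and the probe functions are all constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the FT_Bitmap fields a glyph copy needs
 * (rows, width, pitch, buffer are FreeType's field names; everything
 * else in this file is a hypothetical model, not FreeType or Skia code). */
typedef struct {
    unsigned int   rows;
    unsigned int   width;
    int            pitch;   /* bytes per source row; negative means bottom-up */
    unsigned char *buffer;  /* NULL after a metrics-only load */
} bitmap_t;

/* Constructed glyph slot: remembers whether the last load was metrics-only. */
typedef struct {
    bitmap_t bitmap;
    int      metrics_only;
} glyph_slot_t;

/* Fixed pixel storage used by the hypothetical loader below. */
#define GLYPH_ROWS  4u
#define GLYPH_WIDTH 6u
#define GLYPH_PITCH 8   /* rows are padded to 8 bytes, so pitch != width */
static unsigned char g_pixels[GLYPH_ROWS * GLYPH_PITCH];

/* Hypothetical stand-in for FT_Load_Glyph: with metrics_only set it fills
 * the dimensions but leaves buffer NULL, mirroring what a
 * FT_LOAD_BITMAP_METRICS_ONLY load provides; without it the pixels are valid. */
static void load_glyph(glyph_slot_t *slot, int metrics_only) {
    slot->bitmap.rows  = GLYPH_ROWS;
    slot->bitmap.width = GLYPH_WIDTH;
    slot->bitmap.pitch = GLYPH_PITCH;
    slot->metrics_only = metrics_only;
    if (metrics_only) {
        slot->bitmap.buffer = NULL;
        return;
    }
    for (unsigned r = 0; r < GLYPH_ROWS; r++)
        for (unsigned c = 0; c < (unsigned)GLYPH_PITCH; c++)
            g_pixels[r * GLYPH_PITCH + c] = (unsigned char)(r * 16 + c); /* constructed pattern */
    slot->bitmap.buffer = g_pixels;
}

/* Bounds-checked row copy. Returns 0 on success, -1 if the slot holds no
 * pixel data or the bitmap would not fit the destination. */
static int copy_bitmap(const glyph_slot_t *slot,
                       unsigned char *dst, size_t dst_size, size_t dst_row_bytes) {
    const bitmap_t *bm = &slot->bitmap;
    if (slot->metrics_only || bm->buffer == NULL) return -1;  /* must reload first */
    if (bm->pitch < 0) return -1;                             /* bottom-up not handled here */
    if (bm->width > (size_t)bm->pitch) return -1;             /* inconsistent source */
    if (bm->width > dst_row_bytes) return -1;                 /* row would overrun dst row */
    if (dst_row_bytes == 0 || bm->rows > dst_size / dst_row_bytes) return -1; /* too many rows */
    for (unsigned r = 0; r < bm->rows; r++)
        memcpy(dst + (size_t)r * dst_row_bytes,
               bm->buffer + (size_t)r * (size_t)bm->pitch, bm->width);
    return 0;
}

/* The safe sequence from the fix: if the slot was loaded metrics-only,
 * reload it without the flag before touching the bitmap. */
static int generate_image(glyph_slot_t *slot,
                          unsigned char *dst, size_t dst_size, size_t dst_row_bytes) {
    if (slot->metrics_only)
        load_glyph(slot, 0);
    return copy_bitmap(slot, dst, dst_size, dst_row_bytes);
}

/* Probe: copying straight after a metrics-only load must be refused. */
static int probe_metrics_only_copy(void) {
    glyph_slot_t slot;
    unsigned char dst[GLYPH_ROWS * GLYPH_WIDTH];
    load_glyph(&slot, 1);
    return copy_bitmap(&slot, dst, sizeof dst, GLYPH_WIDTH);
}

/* Probe: a destination sized for three rows must not accept a four-row glyph. */
static int probe_small_dst(void) {
    glyph_slot_t slot;
    unsigned char dst[3 * GLYPH_WIDTH];
    load_glyph(&slot, 1);
    return generate_image(&slot, dst, sizeof dst, GLYPH_WIDTH);
}

/* Probe: metrics pass, then image pass through the reload path; returns the
 * byte sum of the copied pixels (0 if the copy was refused). */
static unsigned probe_reload_sum(void) {
    glyph_slot_t slot;
    unsigned char dst[GLYPH_ROWS * GLYPH_WIDTH];
    memset(dst, 0, sizeof dst);
    load_glyph(&slot, 1);
    if (generate_image(&slot, dst, sizeof dst, GLYPH_WIDTH) != 0) return 0;
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof dst; i++) sum += dst[i];
    return sum;
}
```

The two checks in `copy_bitmap` are independent: the `metrics_only`/`buffer` test catches the state bug the commit describes, while the size comparisons turn a mismatch between the glyph's dimensions and the destination allocation into an error return instead of an out-of-bounds write.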
Jun 27 2017
Thank you for taking care of this, Ben! Good work.
Jun 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/383b1531c8cc2045bf7fce9f8eabd800ce9db007

commit 383b1531c8cc2045bf7fce9f8eabd800ce9db007
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Jun 27 16:39:35 2017

Roll src/third_party/skia/ 70e3e9adc..ed5020068 (5 commits)

https://skia.googlesource.com/skia.git/+log/70e3e9adc57d..ed50200682e0

$ git log 70e3e9adc..ed5020068 --date=short --no-merges --format='%ad %ae %s'
2017-06-27 ethannicholas Revert "sksl fragment processor support"
2017-06-27 ethannicholas sksl fragment processor support
2017-06-26 bungeman Load FreeType glyph bitmap before emboldening.
2017-06-19 mtklein add _hsw lowp backend
2017-06-26 jvanverth Add shading language version to GL dump

Created with:
  roll-dep src/third_party/skia

BUG= 725975

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=robertphillips@chromium.org

Change-Id: I6daab463fa4997e6d23f98f0a31d76921084664a
Reviewed-on: https://chromium-review.googlesource.com/550316
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482648}

[modify] https://crrev.com/383b1531c8cc2045bf7fce9f8eabd800ce9db007/DEPS
Jun 28 2017
ClusterFuzz has detected this issue as fixed in range 482636:482655.

Detailed report: https://clusterfuzz.com/testcase?key=6577051430813696
Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x619000030180
Crash State:
  copyFTBitmap
  SkScalerContext_FreeType_Base::generateGlyphImage
  SkScalerContext_FreeType::generateImage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=470069:470142
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=482636:482655
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577051430813696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 30 2017
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 30 2017
The actual merge doesn't require any DEPS, this is just merging Skia change https://skia.googlesource.com/skia/+/c3aef18419c1bb16951370e11758c7ef131fa10b into Skia's chrome/m60 branch.
Jun 30 2017
This bug meets the bar for merge to M60. Approving merge. (branch: 3112)
Jul 5 2017
Skia change https://skia.googlesource.com/skia/+/c3aef18419c1bb16951370e11758c7ef131fa10b into Skia's chrome/m60 branch as https://skia.googlesource.com/skia/+/8386aa8a3bdc682ff9daa6c559d593b9d5c4a5d1.
Oct 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot