This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

geofflang@: The ANGLE fuzzer has hit a security regression, are you able to investigate?

There is an ANGLE roll in the regression range, but I don't see any obvious candidates for having caused this.

I'll take this, thanks.  It's likely a newly found bug, not a regression.

Removing the release-block, this code is not released yet.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/59d2ca1729430fc7713e642d04a772773248f030

commit 59d2ca1729430fc7713e642d04a772773248f030
Author: geofflang <geofflang@chromium.org>
Date: Wed May 31 15:16:50 2017

Track currently bound external and multisample textures.

This caused assertions in glBindTexture even when binding 0. Caught by
the fuzzer which uses an ES 3.1 context.

BUG= 726265 
BUG= 719933 
BUG= 719803 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2909683002
Cr-Commit-Position: refs/heads/master@{#475912}

[modify] https://crrev.com/59d2ca1729430fc7713e642d04a772773248f030/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc

ClusterFuzz has detected this issue as fixed in range 476362:476435.

Detailed report: https://clusterfuzz.com/testcase?key=5925209260687360

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6100000007fc
Crash State:
  gpu::gles2::GLES2DecoderPassthroughImpl::DoBindTexture
  gpu::gles2::GLES2DecoderPassthroughImpl::DoCommands
  gpu::CommandExecutor::ProcessCommands
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=470035:470101
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=476362:476435

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5925209260687360


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5925209260687360 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Removing security and merge labels.  This bug is not exposed in any Chrome release.