Null-dereference WRITE in blink::ImageBitmap::ImageBitmap
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5292270323761152
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference WRITE
Crash Address: 0x00000000002e
Crash State:
  blink::ImageBitmap::ImageBitmap
  blink::ImageBitmap::Create
  blink::ImageData::CreateImageBitmap
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=479057:479094
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5292270323761152

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 7 2017

Jul 10 2017
Assigning to concern owner from Predator results -- The result is a list of CLs that change the crashed files. Author: Reza.Zakerinasab Project: chromium Changelist: https://chromium.googlesource.com/chromium/src/+/70d96a8266f71bb56e1cbbc54689b59d8eab5d40 Time: Tue Jun 13 15:55:57 2017 Lines 705-762 of file ImageBitmap.cpp which potentially caused crash are changed in this cl (frame #1, "blink::ImageBitmap::ImageBitmap"; frame #2, "ImageBitmap"). File ImageData.cpp is changed in this cl (and is part of stack frame #4, "blink::ImageData::CreateImageBitmap"; frame #5, "non-virtual thunk to blink::ImageData::CreateImageBitmap") Minimum distance from crash line to modified line: 0. (file: ImageBitmap.cpp, crashed on: 705, modified: 705). @zakerinasab -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Jul 12 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a0d90a5df5cf55c20e5409419800bc379a21dd16

commit a0d90a5df5cf55c20e5409419800bc379a21dd16
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Wed Jul 12 21:43:37 2017

Use normalized crop rect when creating ImageBitmap

When creating ImageBitmap from ImageData, if the intersection of source rect and crop rect is empty, we should create and return an empty ImageBitmap with the size of "normalized" crop rect.

Bug: 739818
Change-Id: Ia405732fc9f2d3f1d97783bcab1a203508cab4e8
Reviewed-on: https://chromium-review.googlesource.com/565053
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486090}

[add] https://crrev.com/a0d90a5df5cf55c20e5409419800bc379a21dd16/third_party/WebKit/LayoutTests/external/wpt/2dcontext/imagebitmap/createImageBitmap-sizeOverflow.html
[modify] https://crrev.com/a0d90a5df5cf55c20e5409419800bc379a21dd16/third_party/WebKit/Source/core/imagebitmap/ImageBitmap.cpp
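The fix described in the commit message above, illustrated with an added, self-contained C++ example that is not Chromium's ImageBitmap.cpp code: a crop rect with negative width or height is normalized first, the output bitmap is always allocated at the normalized crop size, and when that rect does not overlap the source nothing is copied, so the empty-intersection case never reaches a pixel copy. Rect, Bitmap, CropImageData and CropSolidWhite are constructed names, not Blink's.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>
// Constructed stand-ins (not Blink's IntRect / ImageBitmap).
struct Rect {
  int x, y, width, height;
  bool IsEmpty() const { return width <= 0 || height <= 0; }
};
struct Bitmap {
  int width = 0, height = 0;
  std::vector<uint8_t> pixels;  // RGBA, 4 bytes per pixel
};
// Flip a crop rect with negative width/height into a non-negative one:
// this is the "normalized" crop rect the commit message refers to.
Rect NormalizeRect(Rect r) {
  if (r.width < 0) { r.x += r.width; r.width = -r.width; }
  if (r.height < 0) { r.y += r.height; r.height = -r.height; }
  return r;
}
Rect Intersect(const Rect& a, const Rect& b) {
  int x0 = std::max(a.x, b.x), y0 = std::max(a.y, b.y);
  int x1 = std::min(a.x + a.width, b.x + b.width);
  int y1 = std::min(a.y + a.height, b.y + b.height);
  if (x1 <= x0 || y1 <= y0) return {0, 0, 0, 0};
  return {x0, y0, x1 - x0, y1 - y0};
}
// Crop an RGBA source of src_w x src_h pixels by crop_rect. The output is
// allocated at the normalized crop size; an empty overlap stays transparent.
Bitmap CropImageData(const std::vector<uint8_t>& source, int src_w, int src_h,
                     const Rect& crop_rect) {
  Rect crop = NormalizeRect(crop_rect);
  Rect overlap = Intersect(Rect{0, 0, src_w, src_h}, crop);
  Bitmap out; out.width = crop.width; out.height = crop.height;
  out.pixels.assign(static_cast<size_t>(crop.width) * crop.height * 4, 0);
  if (overlap.IsEmpty()) return out;  // nothing to copy: return the empty bitmap
  for (int y = overlap.y; y < overlap.y + overlap.height; ++y)
    for (int x = overlap.x; x < overlap.x + overlap.width; ++x) {
      size_t s = (static_cast<size_t>(y) * src_w + x) * 4;
      size_t d = (static_cast<size_t>(y - crop.y) * crop.width + (x - crop.x)) * 4;
      std::copy_n(&source[s], 4, &out.pixels[d]);
    }
  return out;
}
// Helper for the checks: crop a solid opaque-white src_w x src_h source.
Bitmap CropSolidWhite(int src_w, int src_h, const Rect& crop) {
  std::vector<uint8_t> src(static_cast<size_t>(src_w) * src_h * 4, 255);
  return CropImageData(src, src_w, src_h, crop);
}
```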
Jul 13 2017

ClusterFuzz has detected this issue as fixed in range 486088:486144.

Detailed report: https://clusterfuzz.com/testcase?key=5292270323761152
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference WRITE
Crash Address: 0x00000000002e
Crash State:
  blink::ImageBitmap::ImageBitmap
  blink::ImageBitmap::Create
  blink::ImageData::CreateImageBitmap
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=479057:479094
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=486088:486144
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5292270323761152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2017

ClusterFuzz testcase 5292270323761152 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by shrike@chromium.org, Jul 6 2017