Issue metadata
Sign in to add a comment
|
Crash in _sk_byte_tables_avx |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5504640350420992 Fuzzer: inferno_twister_c Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x61a080004318 Crash State: _sk_byte_tables_avx SkBlitter::blitV antifilldot8 Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=482664:482716 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5504640350420992 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 7 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 7 2017
,
Jul 7 2017
,
Jul 10 2017
reed@, could you help triage this issue? Thanks!
,
Jul 10 2017
,
Jul 10 2017
This smells like we're reading off the end of the table color filter's table. A safety clamp_0, clamp_1 after unpremul might do the trick? I'd kind of want to see this repro to be sure. I think whatever's going on here will be incidentally fixed by rolling out the new linear<->sRGB color filters.
,
Jul 11 2017
mtklein: assigning to you to remove from the sheriff queue. Feel free to re-assign as needed. Thanks!
,
Jul 11 2017
A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
,
Jul 18 2017
I suspect https://chromium-review.googlesource.com/c/560151/ will incidentally fix this by moving away from the crashing table-lookup code to using math. If it doesn't land tomorrow or landing doesn't fix it, I'll definitely investigate a more focused fix.
,
Jul 19 2017
ClusterFuzz testcase 4850680979521536 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jul 19 2017
ClusterFuzz has detected this issue as fixed in range 487647:487701. Detailed report: https://clusterfuzz.com/testcase?key=5504640350420992 Fuzzer: inferno_twister_c Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x61a080004318 Crash State: _sk_byte_tables_avx SkBlitter::blitV antifilldot8 Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=482664:482716 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=487647:487701 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5504640350420992 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 19 2017
,
Jul 26 2017
,
Oct 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jul 7 2017