Use-of-uninitialized-value in tt_glyph_load |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5859032765300736
Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  tt_glyph_load
  FT_Load_Glyph
  SkScalerContext_FreeType::generateMetrics
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=489402:489491
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5859032765300736

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Jul 28 2017

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 28 2017
Jul 28 2017
Jul 31 2017
Jul 31 2017

Aug 1 2017

The following revision refers to this bug:
https://skia.googlesource.com/skia/+/4bd3b0905477ea1f005526818305c9a10ef2f6f8

commit 4bd3b0905477ea1f005526818305c9a10ef2f6f8
Author: Ben Wagner <bungeman@google.com>
Date: Tue Aug 01 18:06:19 2017

Assert text passed to canvas is initialized.

A new fuzzer appears to be complaining about using uninitialized glyph ids. These uninitialized glyph ids appear to be coming from far up the stack, but they don't actually get used until much later. If Skia is passed uninitialized memory in a draw call it will of course eventually need to use it and be blamed when it does. This change will make it obvious if the issue is up stack from Skia.

BUG= chromium:750070 , chromium:750071 , chromium:750072
Change-Id: Ic6ca2f6af3620ad4a31cb017570f42550360891a
Reviewed-on: https://skia-review.googlesource.com/29421
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Ben Wagner <bungeman@google.com>

[modify] https://crrev.com/4bd3b0905477ea1f005526818305c9a10ef2f6f8/src/core/SkCanvas.cpp
Aug 1 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/47461c01b360cd971a176b306d0d939ca72da2d3

commit 47461c01b360cd971a176b306d0d939ca72da2d3
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Aug 01 21:57:17 2017

Roll src/third_party/skia/ 7516c2775..249ee1f98 (10 commits)

https://skia.googlesource.com/skia.git/+log/7516c2775c30..249ee1f985b4

$ git log 7516c2775..249ee1f98 --date=short --no-merges --format='%ad %ae %s'
2017-08-01 mtklein clamp to 0 in repeat and mirror image tilers
2017-08-01 brianosman Guard against D3D NaN/Infinity literals bug
2017-08-01 ethannicholas support for 'half' types in sksl, plus general numeric type improvements
2017-08-01 bungeman Assert text passed to canvas is initialized.
2017-08-01 mtklein Add Perf-Win2k8-Clang bots.
2017-08-01 liyuqian Revert "Revert "Revert "Add support for semaphores to be inserted on GrContext flush"""
2017-08-01 bsalomon Allow RegionOp to be used for stenciling
2017-08-01 brianosman Remove unused code for index 8
2017-08-01 robertphillips Roll ANGLE
2017-08-01 egdaniel Revert "Revert "Add support for semaphores to be inserted on GrContext flush""

Created with:
roll-dep src/third_party/skia

BUG= 749260 , 750070 , 750071 , 750072

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=liyuqian@chromium.org
Change-Id: I7026762d2d4d4c8423e909c82f6f0216f5aaebb1
Reviewed-on: https://chromium-review.googlesource.com/596829
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491127}

[modify] https://crrev.com/47461c01b360cd971a176b306d0d939ca72da2d3/DEPS
Aug 2 2017

ClusterFuzz has detected this issue as fixed in range 491121:491239.

Detailed report: https://clusterfuzz.com/testcase?key=5859032765300736
Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  tt_glyph_load
  FT_Load_Glyph
  SkScalerContext_FreeType::generateMetrics
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=489402:489491
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=491121:491239
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5859032765300736

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 2 2017
ClusterFuzz testcase 5859032765300736 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 2 2017
Oct 5 2017

Nov 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Nov 27 2017