
Issue 750072

Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in SkPackedID::operator==

Reported by ClusterFuzz (Project Member), Jul 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5965933159120896

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkPackedID::operator==
  =
  SkGlyphCache::lookupByChar
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=489402:489491

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5965933159120896


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Jul 28 2017

Labels: M-61

Comment 2 by sheriffbot@chromium.org (Project Member), Jul 28 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Jul 28 2017

Labels: Pri-1

Comment 4 by vakh@chromium.org, Jul 28 2017

Cc: herb@chromium.org
Components: Internals>Skia
Owner: benjamin...@chromium.org
Status: Assigned (was: Untriaged)
benjaminwagner: Can you please take a look at this and help find the right owner? The range does not seem to be too useful. Thanks!

Comment 5 by vakh@chromium.org, Jul 28 2017

Cc: hcm@chromium.org

Comment 6 by sheriffbot@chromium.org (Project Member), Jul 29 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Owner: bunge...@chromium.org
I'm guessing this was meant for bungeman.

Most recent change in this area was 2017-06-01, but I'm guessing this has been an issue since https://skia-review.googlesource.com/c/4722/

Comment 8 by hcm@google.com, Aug 1 2017

Labels: -ReleaseBlock-Stable
We shouldn't block 61 stable on this, though should be addressed sooner than later...

Comment 9 by bugdroid1@chromium.org (Project Member), Aug 1 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/4bd3b0905477ea1f005526818305c9a10ef2f6f8

commit 4bd3b0905477ea1f005526818305c9a10ef2f6f8
Author: Ben Wagner <bungeman@google.com>
Date: Tue Aug 01 18:06:19 2017

Assert text passed to canvas is initialized.

A new fuzzer appears to be complaining about using uninitialized glyph
ids. These uninitialized glyph ids appear to be coming from far up the
stack, but they don't actually get used until much later. If Skia is
passed uninitialized memory in a draw call it will of course eventually
need to use it and be blamed when it does. This change will make it
obvious if the issue is up stack from Skia.

BUG=chromium:750070, chromium:750071, chromium:750072

Change-Id: Ic6ca2f6af3620ad4a31cb017570f42550360891a
Reviewed-on: https://skia-review.googlesource.com/29421
Reviewed-by: Mike Klein <mtklein@chromium.org>
Commit-Queue: Ben Wagner <bungeman@google.com>

[modify] https://crrev.com/4bd3b0905477ea1f005526818305c9a10ef2f6f8/src/core/SkCanvas.cpp
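The boundary check the commit above describes, as an added C++ example (not the code from that Skia change; all names are hypothetical): the MemorySanitizer interface call makes uninitialized caller input fault at the draw entry point instead of in a later glyph-cache comparison.

```cpp
// Added example, not Skia's code: check the caller's buffer at the API boundary
// so MemorySanitizer reports an uninitialized-input bug where the bad data
// enters, not in a later glyph lookup. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define HAVE_MSAN 1
#  endif
#endif

// Under MSan, abort with a report at this call site if any byte in
// [begin, begin + byteLength) is uninitialized; elsewhere it compiles to nothing.
static void assert_text_is_initialized(const void* begin, size_t byteLength) {
#ifdef HAVE_MSAN
    __msan_check_mem_is_initialized(begin, byteLength);
#else
    (void)begin; (void)byteLength;
#endif
}

// Stand-in for a glyph cache: a glyph id is only *used* (compared) here, far
// from the draw call, which is where MSan would otherwise place the blame.
struct GlyphCache {
    std::vector<uint16_t> seen;
    bool lookup(uint16_t glyphId) {
        for (uint16_t g : seen) if (g == glyphId) return true;  // the compare MSan flagged
        seen.push_back(glyphId);
        return false;
    }
};

// Stand-in for a canvas draw call taking glyph ids; returns how many glyphs
// the cache had not seen before.
size_t drawGlyphs(GlyphCache& cache, const uint16_t* glyphs, size_t count) {
    assert_text_is_initialized(glyphs, count * sizeof(uint16_t));  // boundary check
    size_t fresh = 0;
    for (size_t i = 0; i < count; ++i) if (!cache.lookup(glyphs[i])) ++fresh;
    return fresh;
}

// Constructed input, fully initialized, so this also runs cleanly under MSan.
size_t demo() {
    GlyphCache cache;
    const uint16_t glyphs[] = {0x41, 0x42, 0x41, 0x43};
    return drawGlyphs(cache, glyphs, 4);  // 3 fresh glyphs
}
```

Built with `-fsanitize=memory`, passing a buffer the caller never wrote to makes the report name `drawGlyphs` as the first use, which is the attribution the commit is after.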

Comment 10 by bugdroid1@chromium.org (Project Member), Aug 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/47461c01b360cd971a176b306d0d939ca72da2d3

commit 47461c01b360cd971a176b306d0d939ca72da2d3
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Aug 01 21:57:17 2017

Roll src/third_party/skia/ 7516c2775..249ee1f98 (10 commits)

https://skia.googlesource.com/skia.git/+log/7516c2775c30..249ee1f985b4

$ git log 7516c2775..249ee1f98 --date=short --no-merges --format='%ad %ae %s'
2017-08-01 mtklein clamp to 0 in repeat and mirror image tilers
2017-08-01 brianosman Guard against D3D NaN/Infinity literals bug
2017-08-01 ethannicholas support for 'half' types in sksl, plus general numeric type improvements
2017-08-01 bungeman Assert text passed to canvas is initialized.
2017-08-01 mtklein Add Perf-Win2k8-Clang bots.
2017-08-01 liyuqian Revert "Revert "Revert "Add support for semaphores to be inserted on GrContext flush"""
2017-08-01 bsalomon Allow RegionOp to be used for stenciling
2017-08-01 brianosman Remove unused code for index 8
2017-08-01 robertphillips Roll ANGLE
2017-08-01 egdaniel Revert "Revert "Add support for semaphores to be inserted on GrContext flush""

Created with:
  roll-dep src/third_party/skia
BUG=749260, 750070, 750071, 750072


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=liyuqian@chromium.org

Change-Id: I7026762d2d4d4c8423e909c82f6f0216f5aaebb1
Reviewed-on: https://chromium-review.googlesource.com/596829
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491127}
[modify] https://crrev.com/47461c01b360cd971a176b306d0d939ca72da2d3/DEPS

Comment 11 by ClusterFuzz (Project Member), Aug 2 2017

ClusterFuzz has detected this issue as fixed in range 490981:491030.

Detailed report: https://clusterfuzz.com/testcase?key=5965933159120896

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkPackedID::operator==
  =
  SkGlyphCache::lookupByChar
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=489402:489491
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=490981:491030

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5965933159120896


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz (Project Member), Aug 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5965933159120896 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 13 by sheriffbot@chromium.org (Project Member), Aug 2 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by sheriffbot@chromium.org (Project Member), Nov 8 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by mmoroz@google.com, Nov 27 2017

Cc: enne@chromium.org
