PaintShader deserialization crash
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5682350813085696

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e9000047d3
Crash State:
  __cxxabiv1::failed_throw
  cc::PaintOpReader::Read
  cc::DrawRectOp::Deserialize

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=491858:491939

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5682350813085696

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 21 2017
Aug 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/540e20642a6ad79f5d6a64ff2d1399a9f155ec6a

commit 540e20642a6ad79f5d6a64ff2d1399a9f155ec6a
Author: Adrienne Walker <enne@chromium.org>
Date: Wed Aug 23 17:59:14 2017

Fix PaintShader serialization size overflow

If the number of colors requested was so large that multiplying into bytes
would overflow, it would still attempt to read them. Fix this by adding
more checks.

Bug: 752758
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ibf8d5f068d50a9b473a9048efc24535f25074b48
Reviewed-on: https://chromium-review.googlesource.com/627025
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Commit-Queue: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496733}

[modify] https://crrev.com/540e20642a6ad79f5d6a64ff2d1399a9f155ec6a/cc/paint/paint_op_reader.cc
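The class of defect the commit message describes, shown as an added example that is not Chromium's PaintOpReader code: a hypothetical BoundedReader (with assumed helper names ParseColors and MakeInput) reads an element count from untrusted input and must check both that count * element size cannot wrap and that the product fits in the bytes actually left. Without the first check, a wrapped byte size passes the bounds check and the reader goes on to allocate and read for the original huge count.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical bounded reader (not Chromium's PaintOpReader) showing the two
// checks a variable-length array read needs before touching the payload.
class BoundedReader {
 public:
  BoundedReader(const uint8_t* data, size_t size) : data_(data), remaining_(size) {}
  // Reads a 64-bit element count followed by that many 32-bit colors;
  // returns false on malformed input instead of reading past the buffer.
  bool ReadColors(std::vector<uint32_t>* out) {
    uint64_t count = 0;
    if (!ReadRaw(&count, sizeof(count))) return false;
    // Check 1: count * sizeof(uint32_t) must not overflow size_t. Without it,
    // a huge count wraps to a tiny byte size and slips past check 2.
    if (count > std::numeric_limits<size_t>::max() / sizeof(uint32_t)) return false;
    size_t bytes = static_cast<size_t>(count) * sizeof(uint32_t);
    // Check 2: the whole payload must be present in the remaining input.
    if (bytes > remaining_) return false;
    out->resize(static_cast<size_t>(count));
    if (bytes) memcpy(out->data(), data_, bytes);
    data_ += bytes; remaining_ -= bytes;
    return true;
  }
 private:
  bool ReadRaw(void* dst, size_t n) {
    if (n > remaining_) return false;
    memcpy(dst, data_, n);
    data_ += n; remaining_ -= n;
    return true;
  }
  const uint8_t* data_;
  size_t remaining_;
};

// Parses one color array from a serialized buffer; false on malformed input.
bool ParseColors(const std::vector<uint8_t>& buf, std::vector<uint32_t>* out) {
  return BoundedReader(buf.data(), buf.size()).ReadColors(out);
}

// Builds a constructed sample buffer: host-order count, then the colors.
std::vector<uint8_t> MakeInput(uint64_t count, const std::vector<uint32_t>& colors) {
  std::vector<uint8_t> buf(sizeof(count) + colors.size() * sizeof(uint32_t));
  memcpy(buf.data(), &count, sizeof(count));
  if (!colors.empty()) memcpy(buf.data() + sizeof(count), colors.data(), buf.size() - sizeof(count));
  return buf;
}
```

A count of 0x4000000000000001 multiplied by 4 wraps to exactly 4 on a 64-bit build, so only check 1 rejects it; a count of 100 with four payload bytes is caught by check 2.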
Aug 24 2017
ClusterFuzz has detected this issue as fixed in range 496716:496775.

Detailed report: https://clusterfuzz.com/testcase?key=5682350813085696

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e9000047d3
Crash State:
  __cxxabiv1::failed_throw
  cc::PaintOpReader::Read
  cc::DrawRectOp::Deserialize

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=491858:491939
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=496716:496775

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5682350813085696

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 24 2017
ClusterFuzz testcase 5682350813085696 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by enne@chromium.org, Aug 7 2017
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
Summary: PaintShader deserialization crash (was: Abrt in __cxxabiv1::failed_throw)