Use-of-uninitialized-value in sse41::blit_row_s32a_opaque |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5746585047924736
Fuzzer: marty_html_twiddler
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  SkARGB32_Shader_Blitter::blitRect
  SkScan::FillIRect
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=491035:491089
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5746585047924736

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 13 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 26 2017
Probably regression from https://chromium.googlesource.com/chromium/src/+/d09da8ef0ef6295d8a7e56147f22c0c70d4369ff
There is no skia roll, removing skia component.
Sep 27 2017
pdr: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 27 2017
I manually bisected this down to "Fix rounding of very large and very small LayoutUnits." (https://chromium.googlesource.com/chromium/src/+/a7b04f8fe15406cbf98995da00fc63f73e9fff61) and am working on a fix.
Oct 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0df57dd968fae7d34c468d4861f629e62a698c26

commit 0df57dd968fae7d34c468d4861f629e62a698c26
Author: Philip Rogers <pdr@chromium.org>
Date: Sun Oct 01 21:35:42 2017

Ensure scrollbar bitmap is fully initialized

PaintedScrollbarLayer::RasterizeScrollbarPart needs to ensure the scrollbar bitmap is initialized. The approach was susceptible to floating point errors:

  SkRect rect = SkRect::MakeXYWH(x, y, w, h);
  canvas->translate(-rect.x(), -rect.y());
  canvas->drawRect(rect, p);

If x or y is large, a rect of (w, h) may not actually be drawn. See the following fiddle: https://fiddle.skia.org/c/b31704a2f4e56979f095b6007be74b54.

This patch clears the scrollbar bitmap before scaling and translating. A TODO has been added to further improve the code by not painting with an offset.

A test has been added that is only useful for the msan fuzzer.

Bug: 764399
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I6364ec9d69924b4947fb8fcdbb3538a663cd0bed
Reviewed-on: https://chromium-review.googlesource.com/687978
Commit-Queue: Philip Rogers <pdr@chromium.org>
Reviewed-by: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505522}

[modify] https://crrev.com/0df57dd968fae7d34c468d4861f629e62a698c26/cc/layers/painted_scrollbar_layer.cc
[add] https://crrev.com/0df57dd968fae7d34c468d4861f629e62a698c26/third_party/WebKit/LayoutTests/scrollbars/scrollbar-position-crash-expected.txt
[add] https://crrev.com/0df57dd968fae7d34c468d4861f629e62a698c26/third_party/WebKit/LayoutTests/scrollbars/scrollbar-position-crash.html
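The float-precision failure the commit message describes, as an added example that is not Skia's or Chromium's code: MakeXYWH, CoveredWidth and UninitializedPixels are constructed stand-ins for SkRect::MakeXYWH, the translate/drawRect sequence and the one-row bitmap RasterizeScrollbarPart paints into, and the unwritten-pixel count is what the sanitizer would later flag, shown with and without the clear the patch adds.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for SkRect::MakeXYWH (constructed for this example, not Skia's
// code): edges are stored as float, so fRight = x + w is rounded whenever
// x is large enough that x + w is not representable in 24 significand bits.
struct FloatRect { float left, top, right, bottom; };

FloatRect MakeXYWH(float x, float y, float w, float h) {
  return {x, y, x + w, y + h};
}

// Models canvas->translate(-x, -y) followed by drawRect(rect): the rect is
// mapped back to the origin and its integer pixel span is computed. The
// rounding above shows up here as a span narrower or wider than w.
int CoveredWidth(float x, float w) {
  FloatRect r = MakeXYWH(x, 0.0f, w, 1.0f);
  float left = r.left - x;    // 0 by construction
  float right = r.right - x;  // w only if x + w was exactly representable
  return static_cast<int>(std::lround(right) - std::lround(left));
}

// One-row model of PaintedScrollbarLayer::RasterizeScrollbarPart: a bitmap
// w pixels wide whose storage starts out unwritten (0xCC marks an unwritten
// byte, standing in for the poison MSan tracks). Returns how many pixels
// were never written, i.e. what blit_row_s32a_opaque would read uninitialized.
int UninitializedPixels(float x, float w, bool clear_first) {
  const uint8_t kUnwritten = 0xCC;
  std::vector<uint8_t> bitmap(static_cast<size_t>(w), kUnwritten);
  if (clear_first)  // the fix: clear before scaling/translating
    std::fill(bitmap.begin(), bitmap.end(), 0x00);
  int covered = CoveredWidth(x, w);
  for (int i = 0; i < covered && i < static_cast<int>(bitmap.size()); ++i)
    bitmap[i] = 0xFF;  // pixel actually painted by drawRect
  return static_cast<int>(std::count(bitmap.begin(), bitmap.end(), kUnwritten));
}

int main() {
  const float big = 16777216.0f;  // 2^24: big + 1 rounds back to big in float
  std::printf("x=100  w=3: covered=%d unwritten=%d\n",
              CoveredWidth(100.0f, 3.0f), UninitializedPixels(100.0f, 3.0f, false));
  std::printf("x=2^24 w=1: covered=%d unwritten=%d (cleared: %d)\n",
              CoveredWidth(big, 1.0f), UninitializedPixels(big, 1.0f, false),
              UninitializedPixels(big, 1.0f, true));
  return 0;
}
```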
Oct 2 2017
ClusterFuzz has detected this issue as fixed in range 505521:505522.

Detailed report: https://clusterfuzz.com/testcase?key=5746585047924736
Fuzzer: marty_html_twiddler
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  SkARGB32_Shader_Blitter::blitRect
  SkScan::FillIRect
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=491035:491089
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=505521:505522
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5746585047924736

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 2 2017
ClusterFuzz testcase 5746585047924736 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot