Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/40adb55b190f1c1272be5d914354d89d67bf7632 (Remove DrawingRecorder's bounds parameter.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This doesn't have real impact to users.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7917059b8d61dd8e42e6b48907bd05bb02ff3e2b

commit 7917059b8d61dd8e42e6b48907bd05bb02ff3e2b
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Tue Oct 31 23:02:14 2017

Fix buffer overflow in DrawingDisplayItem::Equals()

We should use IntRect instead of FloatRect for the bounds of bitmap.
Previously the loop variables in BitmapEquals() exceeded the
actual bounds of the bitmap if the given FloatRect was not integral.

Bug:  779949 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ib814cc8d3dcdcd9404654cd1f6352fb98d1e15f9
Reviewed-on: https://chromium-review.googlesource.com/746988
Reviewed-by: Walter Korman <wkorman@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512988}
[modify] https://crrev.com/7917059b8d61dd8e42e6b48907bd05bb02ff3e2b/third_party/WebKit/Source/platform/graphics/paint/DrawingDisplayItem.cpp
[modify] https://crrev.com/7917059b8d61dd8e42e6b48907bd05bb02ff3e2b/third_party/WebKit/Source/platform/graphics/paint/DrawingDisplayItem.h
[modify] https://crrev.com/7917059b8d61dd8e42e6b48907bd05bb02ff3e2b/third_party/WebKit/Source/platform/graphics/paint/DrawingDisplayItemTest.cpp

ClusterFuzz has detected this issue as fixed in range 512981:513016.

Detailed report: https://clusterfuzz.com/testcase?key=4528142671937536

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f0de797ed00
Crash State:
  SkPixmap::getColor
  blink::DrawingDisplayItem::Equals
  blink::PaintController::CheckUnderInvalidation
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=511932:511984
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=512981:513016

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4528142671937536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4528142671937536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot