Null-dereference READ in blink::ApplyColorSpaceConversion
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6725794088091648

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::ApplyColorSpaceConversion
  blink::ImageBitmap::ImageBitmap
  blink::ImageBitmap::Create

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=512306:512363

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6725794088091648

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 1 2017
Nov 1 2017
A CL is uploaded for review that should fix this. I'll try to land it ASAP.
Nov 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d0c2494ddaca47ad39b33126d67e2ca579b03772

commit d0c2494ddaca47ad39b33126d67e2ca579b03772
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Thu Nov 02 16:15:31 2017

Protect StaticBitmapImage references against nullptr in ImageBitmap

This change adds some checks to ImageBitmap to protect scoped_refptr<StaticBitmapImage> object usages against failures in memory allocations, etc.

Bug: 780358
Change-Id: I05bd4b048d0fcef8ceed933175be8ecad065830f
Reviewed-on: https://chromium-review.googlesource.com/749527
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Reviewed-by: Justin Novosad <junov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513505}

[modify] https://crrev.com/d0c2494ddaca47ad39b33126d67e2ca579b03772/third_party/WebKit/Source/core/imagebitmap/ImageBitmap.cpp
[modify] https://crrev.com/d0c2494ddaca47ad39b33126d67e2ca579b03772/third_party/WebKit/Source/core/imagebitmap/ImageBitmapTest.cpp
Nov 2 2017
This should be fixed now. Waiting for automatic verification by the fuzzer.
Nov 3 2017
ClusterFuzz has detected this issue as fixed in range 513496:513524.

Detailed report: https://clusterfuzz.com/testcase?key=6725794088091648

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::ApplyColorSpaceConversion
  blink::ImageBitmap::ImageBitmap
  blink::ImageBitmap::Create

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=512306:512363
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=513496:513524

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6725794088091648

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 3 2017
ClusterFuzz testcase 6725794088091648 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 27 2017
Comment 1 by kkaluri@chromium.org, Nov 1 2017

Components: Blink>Image
Labels: M-64 Test-Predator-Wrong
Owner: zakerinasab@chromium.org
Status: Assigned (was: Untriaged)