Automatically assigning owner based on suspected regression changelist https://skia.googlesource.com/skia/+/e84b482b763e2e2f39722b495e24c82b4859dc8c (use validating readbuffer).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please add affected OSs.

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/1e18aa6d7df79ce36fa7f6b86dc24dc4ffe9a374

commit 1e18aa6d7df79ce36fa7f6b86dc24dc4ffe9a374
Author: Florin Malita <fmalita@chromium.org>
Date: Mon Nov 20 19:48:48 2017

Harden SkTextBlob deserialization

1) validate allocInternal args - these can originate either from users
  or deserialization
2) skip invoking SkTypefaceResolverProc if we failed to read a valid id
  in SkTypefaceResolverReadBuffer::readTypeface
3) validate textSize and buffer sanity in MakeFromBuffer before
  attempting to allocate runs

BUG= chromium:786524 

Change-Id: I6cf80dc60bc3ca6fcad7198d36dacf84d091b779
Reviewed-on: https://skia-review.googlesource.com/73521
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>

[modify] https://crrev.com/1e18aa6d7df79ce36fa7f6b86dc24dc4ffe9a374/src/core/SkTextBlob.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4e06baf1551da029dbd6e31f4c4325ff058fb1af

commit 4e06baf1551da029dbd6e31f4c4325ff058fb1af
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Mon Nov 20 23:50:19 2017

Roll src/third_party/skia/ 32eb5ba7a..e9d172af8 (4 commits)

https://skia.googlesource.com/skia.git/+log/32eb5ba7af4d..e9d172af84ff

$ git log 32eb5ba7a..e9d172af8 --date=short --no-merges --format='%ad %ae %s'
2017-11-20 ethannicholas converted ConstColorProcessor to SkSL
2017-11-20 jvanverth Enable tonal color for shadows by default.
2017-11-19 fmalita Harden SkTextBlob deserialization
2017-11-20 bsalomon Require glyph positions in SkAtlasTextTarget::drawText

Created with:
  roll-dep src/third_party/skia
BUG= 786524 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=herb@chromium.org

Change-Id: I2825c0cd29448437789c59f1dfd5b50bf90bec05
Reviewed-on: https://chromium-review.googlesource.com/780049
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517997}
[modify] https://crrev.com/4e06baf1551da029dbd6e31f4c4325ff058fb1af/DEPS

ClusterFuzz has detected this issue as fixed in range 517979:518006.

Detailed report: https://clusterfuzz.com/testcase?key=5859382641557504

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f9a82bfe844
Crash State:
  SkTextBlob::RunRecord::RunRecord
  SkTextBlobBuilder::allocInternal
  SkTextBlobBuilder::allocRunText
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=516771:516815
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=517979:518006

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5859382641557504

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5859382641557504 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot