
Issue 787107

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Abrt in sk_abort_no_print

Project Member Reported by enne@chromium.org, Nov 20 2017

Issue description

I think deserialization shouldn't assert and it should just fail gracefully.

(1) allocInternal asserts if textSize < 0, so SkTextBlob::makeFromBuffer should check for this.  (There's also inconsistency in terms of whether textSize is an int or a uint32_t.  It kind of gets passed around as either, which is odd.  Maybe they should all be one or the other?)

(2) Same thing with glyph count.

(3) The allocInternal font.getTextEncoding() assert also needs an early out.
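
The validation the report asks for, as an added example written for this page and not Skia's code: a minimal run-record deserializer that rejects a negative textSize, an oversized glyph count, and a truncated payload before any of them reaches an allocation, next to a size computation that shows how the unchecked header values wrap. RunRecord, ByteReader, encodeRun, uncheckedRunSize and deserializeRun are hypothetical stand-ins for SkTextBlob::RunRecord, SkReadBuffer, SkTextBlob::MakeFromBuffer and SkTextBlobBuilder::allocInternal; the wire layout (two 32-bit header fields, then 16-bit glyph IDs, then text bytes) is assumed for the example and is not the SkTextBlob format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for SkTextBlob::RunRecord: a header followed by
// glyphCount 16-bit glyph IDs and textSize bytes of text.
struct RunRecord {
    uint32_t glyphCount = 0;
    int32_t textSize = 0;   // signed, mirroring the int/uint32_t mix the report notes
    std::vector<uint16_t> glyphs;
    std::vector<char> text;
};

// Little-endian reader over an untrusted byte buffer (stands in for SkReadBuffer).
class ByteReader {
public:
    ByteReader(const uint8_t* data, size_t len) : fData(data), fLen(len) {}
    std::optional<uint32_t> readU32() {
        if (this->remaining() < 4) return std::nullopt;
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(fData[fPos + i]) << (8 * i);
        fPos += 4;
        return v;
    }
    bool readBytes(void* dst, size_t n) {
        if (this->remaining() < n) return false;
        if (n) std::memcpy(dst, fData + fPos, n);
        fPos += n;
        return true;
    }
    size_t remaining() const { return fLen - fPos; }
private:
    const uint8_t* fData;
    size_t fLen;
    size_t fPos = 0;
};

// Builds constructed sample input for this example. Header fields are passed
// separately from the payload so a caller can build a buffer whose header lies.
std::vector<uint8_t> encodeRun(uint32_t glyphCount, uint32_t textSize,
                               const std::vector<uint16_t>& glyphs,
                               const std::string& text) {
    std::vector<uint8_t> out;
    auto putU32 = [&out](uint32_t v) {
        for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
    };
    putU32(glyphCount);
    putU32(textSize);
    for (uint16_t g : glyphs) {
        out.push_back(uint8_t(g));
        out.push_back(uint8_t(g >> 8));
    }
    out.insert(out.end(), text.begin(), text.end());
    return out;
}

// The shape of the bug: sizing the allocation straight from the header. A
// negative textSize converts to a huge size_t and wraps the sum below the header
// size, so the block the record constructor then writes into is too small
// (the heap-buffer-overflow WRITE in release; the assert in a debug build).
// Kept only for contrast; never size an allocation this way from untrusted input.
size_t uncheckedRunSize(uint32_t glyphCount, int32_t textSize) {
    return sizeof(RunRecord) + glyphCount * sizeof(uint16_t) + static_cast<size_t>(textSize);
}

// Hardened path: each count is checked against the bytes actually present
// before it drives an allocation, so malformed input yields nullopt instead
// of an abort or an out-of-bounds write.
std::optional<RunRecord> deserializeRun(const std::vector<uint8_t>& buf) {
    ByteReader r(buf.data(), buf.size());
    auto glyphCount = r.readU32();
    auto rawTextSize = r.readU32();
    if (!glyphCount || !rawTextSize) return std::nullopt;

    // textSize is treated as a signed int downstream, so reject the negative
    // range here rather than letting it reach an allocation size.
    int32_t textSize = static_cast<int32_t>(*rawTextSize);
    if (textSize < 0) return std::nullopt;

    // Bound both counts by the remaining payload. Dividing instead of
    // multiplying also rules out overflow in glyphCount * sizeof(uint16_t).
    if (*glyphCount > r.remaining() / sizeof(uint16_t)) return std::nullopt;
    size_t glyphBytes = size_t(*glyphCount) * sizeof(uint16_t);
    if (size_t(textSize) > r.remaining() - glyphBytes) return std::nullopt;

    RunRecord run;
    run.glyphCount = *glyphCount;
    run.textSize = textSize;
    run.glyphs.resize(*glyphCount);
    run.text.resize(size_t(textSize));
    for (uint32_t i = 0; i < *glyphCount; ++i) {
        uint8_t b[2];
        if (!r.readBytes(b, sizeof b)) return std::nullopt;
        run.glyphs[i] = uint16_t(b[0] | (b[1] << 8));
    }
    if (!r.readBytes(run.text.data(), size_t(textSize))) return std::nullopt;
    return run;
}
```

The ordering matters: the sign check runs on the raw field before it is used in any arithmetic, and the glyph bound is expressed as a division so that glyphCount * 2 can never wrap on 32-bit builds. A fuzzer such as the paint_op_buffer one in this report exercises exactly these header fields, so a deserializer that returns a failure value instead of asserting keeps the debug and release behaviour the same.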

Comment 1 by ClusterFuzz, Nov 20 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5092971900043264.

Comment 2 by enne@chromium.org, Nov 20 2017

Cc: vmp...@chromium.org
Owner: bsalomon@chromium.org
Status: Assigned (was: Available)

Comment 3 by ClusterFuzz, Nov 21 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4794789332779008.

Comment 4 by enne@chromium.org, Nov 21 2017

Labels: -Pri-2 Pri-1

Comment 5 by bsalo...@google.com, Nov 21 2017

Owner: reed@chromium.org

Comment 6 by ClusterFuzz, Nov 21 2017

Labels: Security_Impact-Head
Summary: Abrt in sk_abort_no_print (was: pobfuzz: SkTextBlob deserialization asserts)
Detailed report: https://clusterfuzz.com/testcase?key=5092971900043264

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Crash Type: Abrt
Crash Address: 0x03e900006848
Crash State:
  sk_abort_no_print
  SkTextBlobBuilder::allocInternal
  SkTextBlobBuilder::allocInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=516777:516819

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092971900043264

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 7 by ClusterFuzz, Nov 21 2017

ClusterFuzz has detected this issue as fixed in range 517957:518005.

Detailed report: https://clusterfuzz.com/testcase?key=5092971900043264

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Crash Type: Abrt
Crash Address: 0x03e900006848
Crash State:
  sk_abort_no_print
  SkTextBlobBuilder::allocInternal
  SkTextBlobBuilder::allocInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=516777:516819
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=517957:518005

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092971900043264

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz, Nov 21 2017

ClusterFuzz has detected this issue as fixed in range 517979:518006.

Detailed report: https://clusterfuzz.com/testcase?key=4794789332779008

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f67d8577844
Crash State:
  SkTextBlob::RunRecord::RunRecord
  SkTextBlobBuilder::allocInternal
  SkTextBlobBuilder::allocRunText
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=517979:518006

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4794789332779008

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Nov 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4794789332779008 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 10 by ClusterFuzz, Nov 21 2017

Labels: Security_Severity-High
Detailed report: https://clusterfuzz.com/testcase?key=4794789332779008

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7f67d8577844
Crash State:
  SkTextBlob::RunRecord::RunRecord
  SkTextBlobBuilder::allocInternal
  SkTextBlobBuilder::allocRunText
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=514197:514231
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=517979:518006

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4794789332779008

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.