
Issue 787124 link


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




pobfuzz: SkRRect::computeType vs isValid inconsistency

Project Member Reported by enne@chromium.org, Nov 20 2017

Issue description

SkRRect::readFromMemory can assert on bad rrects.

computeType always asserts isValid, but I think this is incorrect to do.  For example, if fRect is empty, then it says the type is empty, but isValid then checks all the radii.

It seems like maybe readFromMemory should check (but not assert) on isValid and return 0 if it's not.

 
Project Member

Comment 1 by ClusterFuzz, Nov 20 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6211117075660800.

Comment 2 by enne@chromium.org, Nov 20 2017

Owner: bsalomon@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 3 by ClusterFuzz, Nov 21 2017

Labels: Security_Impact-Beta
Detailed report: https://clusterfuzz.com/testcase?key=6211117075660800

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Crash Type: Abrt
Crash Address: 0x03e900004892
Crash State:
  sk_abort_no_print
  SkRRect::computeType
  SkRRect::computeType
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=503567:503617

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211117075660800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 4 by bsalo...@google.com, Nov 21 2017

Yeah, I'd generalize it to never deserializing a rrect with a negative radius.
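The issue description and comment 4 together describe the fix shape: validate a deserialized rounded rect on the untrusted path and return 0 bytes consumed when it is bad, rather than letting the type computation assert, and never accept a negative radius even when the rect is empty. The block below is an added example written for this page, not Skia's code; the byte layout, the namespace `rrect_demo`, and the names `RRect`, `IsValid`, `ComputeType`, `ReadRRect`, `MakeRRect` and `DecodeAndClassify` are assumptions. It shows the reader rejecting a negative radius, a non-finite value, an empty rect carrying non-zero radii, radii that do not fit the side, and a truncated buffer, while a well-formed record classifies normally.

```cpp
// Added example, not Skia's code. Wire layout is an assumption: 12 floats,
// 4 rect edges (L, T, R, B) then 4 corners x (rx, ry) in UL, UR, LR, LL order.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>

namespace rrect_demo {

constexpr size_t kRecordSize = 12 * sizeof(float);

enum class Type { kEmpty, kRect, kOval, kSimple, kComplex, kInvalid };

struct RRect {
  float rect[4] = {0, 0, 0, 0};  // left, top, right, bottom
  float radii[4][2] = {};        // (rx, ry) for UL, UR, LR, LL
};

// Validation for untrusted input: returns false instead of asserting.
// A negative radius is never acceptable, even for an empty rect, and an
// empty side cannot carry a non-zero radius (sum check below with w == 0).
bool IsValid(const RRect& r) {
  for (float v : r.rect) if (!std::isfinite(v)) return false;
  if (r.rect[0] > r.rect[2] || r.rect[1] > r.rect[3]) return false;  // unsorted
  const float w = r.rect[2] - r.rect[0];
  const float h = r.rect[3] - r.rect[1];
  for (const auto& c : r.radii)
    for (float v : c) if (!std::isfinite(v) || v < 0) return false;
  // Adjacent radii along one side must fit within that side.
  if (r.radii[0][0] + r.radii[1][0] > w) return false;  // top:    UL.rx + UR.rx
  if (r.radii[3][0] + r.radii[2][0] > w) return false;  // bottom: LL.rx + LR.rx
  if (r.radii[0][1] + r.radii[3][1] > h) return false;  // left:   UL.ry + LL.ry
  if (r.radii[1][1] + r.radii[2][1] > h) return false;  // right:  UR.ry + LR.ry
  return true;
}

// Classification only sees records that passed IsValid(), so no assert is
// needed here; an empty rect is simply kEmpty regardless of its radii.
Type ComputeType(const RRect& r) {
  const float w = r.rect[2] - r.rect[0];
  const float h = r.rect[3] - r.rect[1];
  if (w <= 0 || h <= 0) return Type::kEmpty;
  bool all_zero = true, all_same = true, all_half = true;
  for (const auto& c : r.radii) {
    if (c[0] != 0 || c[1] != 0) all_zero = false;
    if (c[0] != r.radii[0][0] || c[1] != r.radii[0][1]) all_same = false;
    if (c[0] != w / 2 || c[1] != h / 2) all_half = false;
  }
  if (all_zero) return Type::kRect;
  if (all_half) return Type::kOval;
  if (all_same) return Type::kSimple;
  return Type::kComplex;
}

// Deserialize one record. Returns bytes consumed, or 0 when the buffer is
// too short or the decoded rrect fails validation; 0 means "corrupt input".
size_t ReadRRect(const uint8_t* buf, size_t len, RRect* out) {
  if (buf == nullptr || out == nullptr || len < kRecordSize) return 0;
  RRect tmp;
  std::memcpy(tmp.rect, buf, sizeof(tmp.rect));
  std::memcpy(tmp.radii, buf + sizeof(tmp.rect), sizeof(tmp.radii));
  if (!IsValid(tmp)) return 0;
  *out = tmp;
  return kRecordSize;
}

// Serializer used only to build constructed inputs for this demonstration.
size_t Encode(const RRect& r, uint8_t* buf) {
  std::memcpy(buf, r.rect, sizeof(r.rect));
  std::memcpy(buf + sizeof(r.rect), r.radii, sizeof(r.radii));
  return kRecordSize;
}

// Builds a rrect with the same (rx, ry) on all four corners.
RRect MakeRRect(float l, float t, float r, float b, float rx, float ry) {
  RRect out;
  out.rect[0] = l; out.rect[1] = t; out.rect[2] = r; out.rect[3] = b;
  for (auto& c : out.radii) { c[0] = rx; c[1] = ry; }
  return out;
}

// Round-trips through the byte layout and classifies; kInvalid means the
// reader rejected the record before ComputeType() ever saw it.
Type DecodeAndClassify(const RRect& in) {
  uint8_t buf[kRecordSize];
  Encode(in, buf);
  RRect decoded;
  if (ReadRRect(buf, sizeof(buf), &decoded) == 0) return Type::kInvalid;
  return ComputeType(decoded);
}

// A record missing its last float must be rejected rather than read past end.
bool TruncatedIsRejected() {
  uint8_t buf[kRecordSize];
  Encode(MakeRRect(0, 0, 10, 10, 1, 1), buf);
  RRect decoded;
  return ReadRRect(buf, kRecordSize - sizeof(float), &decoded) == 0;
}

}  // namespace rrect_demo

int main() {
  using namespace rrect_demo;
  const bool ok = DecodeAndClassify(MakeRRect(0, 0, 10, 10, -1, 2)) == Type::kInvalid &&
                  DecodeAndClassify(MakeRRect(0, 0, 10, 10, 2, 2)) == Type::kSimple;
  return ok ? 0 : 1;  // constructed fuzzer-style input rejected, good input classified
}
```

The design point is the split: `IsValid` is the only function that runs on raw input and it reports failure through its return value, while `ComputeType` is reached only after validation, so it can stay assert-free (or keep a debug assert that can no longer be reached from a fuzzer input). Returning 0 from `ReadRRect` gives the caller a single failure signal for short buffers and semantically bad records alike.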
Project Member

Comment 5 by ClusterFuzz, Nov 27 2017

Labels: OS-Linux
Project Member

Comment 6 by ClusterFuzz, Nov 28 2017

ClusterFuzz has detected this issue as fixed in range 519302:519318.

Detailed report: https://clusterfuzz.com/testcase?key=6211117075660800

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Crash Type: Abrt
Crash Address: 0x03e900004892
Crash State:
  sk_abort_no_print
  SkRRect::computeType
  SkRRect::computeType
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=503567:503617
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=519302:519318

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6211117075660800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 28 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6211117075660800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
