
Issue 787712 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Use After Free (write) in SkPerlinNoiseShaderImpl

Project Member Reported by metzman@chromium.org, Nov 22 2017

Issue description

I found this crash using the filter_proto_fuzzer I am working on.

A write to a freed pointer can be caused by a specially crafted Image Filter.

REPRODUCTION CASE

1. Build filter_fuzz_stub with these arguments:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
pdf_enable_xfa = true
proprietary_codecs = true
use_goma = true
is_debug = false
is_asan = true
optimize_for_fuzzing=true

2. Run filter_fuzz_stub on the attached input (skia-use-after-free)

Note that this also crashes under MSAN which says the issue is use-of-uninitialized-value.
The crash can also be reproduced without any sanitizers by passing skia-use-after-free twice to filter_fuzz_stub (i.e. "filter_fuzz_stub skia-use-after-free skia-use-after-free"). It seems that this invalid write won't cause a crash when done once without any sanitizers. The crash without any sanitizers has this message: "../../third_party/tcmalloc/chromium/src/free_list.h:118] Memory corruption detected."

Below is the stack trace that ASAN outputs when filter_fuzz_stub is run on the attached input.

[1121/223657.905569:INFO:filter_fuzz_stub.cc(61)] Test case: skia-use-after-free
[1121/223657.905988:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
=================================================================
==166319==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000002028 at pc 0x00000075b782 bp 0x7ffdd1f8a730 sp 0x7ffdd1f8a728
WRITE of size 4 at 0x608000002028 thread T0
    #0 0x75b781 in fetch_add buildtools/third_party/libc++/trunk/include/atomic:1017:17
    #1 0x75b781 in SkRefCntBase::unref() const third_party/skia/include/core/SkRefCnt.h:84
    #2 0xdf2540 in SkPerlinNoiseShaderImpl::PaintingData::~PaintingData() third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:90:12
    #3 0xdef4ea in SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext::~PerlinNoiseShaderContext() third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:331:11
    #4 0xdf2603 in SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext* SkArenaAlloc::make<SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext, SkPerlinNoiseShaderImpl const&, SkShaderBase::ContextRec const&>(SkPerlinNoiseShaderImpl const&, SkShaderBase::ContextRec const&)::{lambda(char*)#1}::operator()(char*) const third_party/skia/src/core/SkArenaAlloc.h:96:34
    #5 0xaacf67 in SkArenaAlloc::RunDtorsOnBlock(char*) third_party/skia/src/core/SkArenaAlloc.cpp:88:21
    #6 0xaad227 in SkArenaAlloc::NextBlock(char*) third_party/skia/src/core/SkArenaAlloc.cpp:96:5
    #7 0xaacf67 in SkArenaAlloc::RunDtorsOnBlock(char*) third_party/skia/src/core/SkArenaAlloc.cpp:88:21
    #8 0xa68829 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:1038:1
    #9 0xa69185 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1130:11
    #10 0xa2bac7 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const third_party/skia/src/core/SkDraw.h:56:15
    #11 0xa6712a in draw_rect_as_path(SkDraw const&, SkRect const&, SkPaint const&, SkMatrix const*) third_party/skia/src/core/SkDraw.cpp:732:10
    #12 0xa6690e in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:759:9
    #13 0xa2b527 in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195:18
    #14 0xa1b6d5 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2029:27
    #15 0xa15dba in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #16 0xde0385 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #17 0xab6e94 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #18 0xa2d80e in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #19 0xa10115 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #20 0xa0c050 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #21 0xa1184c in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #22 0xa1f12e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #23 0xa189a8 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #24 0x75c40f in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #25 0x75afcd in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
    #26 0x75aac6 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
    #27 0x7fa3e8cdaf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

0x608000002028 is located 8 bytes inside of 88-byte region [0x608000002020,0x608000002078)
freed by thread T0 here:
    #0 0x758682 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0xdf2540 in SkPerlinNoiseShaderImpl::PaintingData::~PaintingData() third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:90:12
    #2 0xdef4ea in SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext::~PerlinNoiseShaderContext() third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:331:11
    #3 0xa96def in Sk3DShader::Sk3DShaderContext::~Sk3DShaderContext() third_party/skia/src/core/SkBlitter.cpp:720:32
    #4 0xa96d53 in Sk3DShader::Sk3DShaderContext* SkArenaAlloc::make<Sk3DShader::Sk3DShaderContext, Sk3DShader const&, SkShaderBase::ContextRec const&, SkShaderBase::Context*&>(Sk3DShader const&, SkShaderBase::ContextRec const&, SkShaderBase::Context*&)::{lambda(char*)#1}::operator()(char*) const third_party/skia/src/core/SkArenaAlloc.h:96:34
    #5 0xaacf67 in SkArenaAlloc::RunDtorsOnBlock(char*) third_party/skia/src/core/SkArenaAlloc.cpp:88:21
    #6 0xa68829 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:1038:1
    #7 0xa69185 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1130:11
    #8 0xa2bac7 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const third_party/skia/src/core/SkDraw.h:56:15
    #9 0xa6712a in draw_rect_as_path(SkDraw const&, SkRect const&, SkPaint const&, SkMatrix const*) third_party/skia/src/core/SkDraw.cpp:732:10
    #10 0xa6690e in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:759:9
    #11 0xa2b527 in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195:18
    #12 0xa1b6d5 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2029:27
    #13 0xa15dba in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #14 0xde0385 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #15 0xab6e94 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #16 0xa2d80e in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #17 0xa10115 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #18 0xa0c050 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #19 0xa1184c in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #20 0xa1f12e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #21 0xa189a8 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #22 0x75c40f in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #23 0x75afcd in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
    #24 0x75aac6 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
    #25 0x7fa3e8cdaf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x757aa2 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0xac2667 in SkMallocPixelRef::MakeDirect(SkImageInfo const&, void*, unsigned long) third_party/skia/src/core/SkMallocPixelRef.cpp:34:30
    #2 0x9f5313 in SkBitmap::setPixels(void*) third_party/skia/src/core/SkBitmap.cpp:223:23
    #3 0xdea212 in SkPerlinNoiseShaderImpl::PaintingData::PaintingData(SkISize const&, float, float, float, SkMatrix const&) third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:135:29
    #4 0xde9b83 in SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext::PerlinNoiseShaderContext(SkPerlinNoiseShaderImpl const&, SkShaderBase::ContextRec const&) third_party/skia/src/shaders/SkPerlinNoiseShader.cpp:653:7
    #5 0xde9a38 in SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext* SkArenaAlloc::make<SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext, SkPerlinNoiseShaderImpl const&, SkShaderBase::ContextRec const&>(SkPerlinNoiseShaderImpl const&, SkShaderBase::ContextRec const&) third_party/skia/src/core/SkArenaAlloc.h:103:30
    #6 0xa966f6 in Sk3DShader::onMakeContext(SkShaderBase::ContextRec const&, SkArenaAlloc*) const third_party/skia/src/core/SkBlitter.cpp:696:43
    #7 0xc8a3d5 in SkShaderBase::onAppendStages(SkShaderBase::StageRec const&) const third_party/skia/src/shaders/SkShader.cpp:226:34
    #8 0xb85510 in SkCreateRasterPipelineBlitter(SkPixmap const&, SkPaint const&, SkMatrix const&, SkArenaAlloc*) third_party/skia/src/core/SkRasterPipelineBlitter.cpp:118:17
    #9 0xa927d8 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) third_party/skia/src/core/SkBlitter.cpp:1001:24
    #10 0xa68c0d in SkAutoBlitterChoose::choose(SkPixmap const&, SkMatrix const&, SkPaint const&, bool) third_party/skia/src/core/SkAutoBlitterChoose.h:34:20
    #11 0xa68687 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const third_party/skia/src/core/SkDraw.cpp:983:24
    #12 0xa69185 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1130:11
    #13 0xa2bac7 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const third_party/skia/src/core/SkDraw.h:56:15
    #14 0xa6712a in draw_rect_as_path(SkDraw const&, SkRect const&, SkPaint const&, SkMatrix const*) third_party/skia/src/core/SkDraw.cpp:732:10
    #15 0xa6690e in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:759:9
    #16 0xa2b527 in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195:18
    #17 0xa1b6d5 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2029:27
    #18 0xa15dba in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #19 0xde0385 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #20 0xab6e94 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #21 0xa2d80e in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #22 0xa10115 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #23 0xa0c050 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #24 0xa1184c in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #25 0xa1f12e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #26 0xa189a8 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #27 0x75c40f in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #28 0x75afcd in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
    #29 0x75aac6 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10

SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/atomic:1017:17 in fetch_add
==166319==ABORTING
Attachment: skia-use-after-free (216 bytes)

Comment 1 by ClusterFuzz, Nov 22 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4895202446934016.
Labels: M-63 Security_Severity-High Needs-Feedback Pri-1
Owner: ethannicholas@chromium.org
Status: Assigned (was: Unconfirmed)
metzman@, could you update the platform information and whether it impacts HEAD or any specific channel?

ethannicholas@, could you help triage this issue, since you are the expert in third_party/skia/src/shaders/* ?

Thanks!

Comment 3 by ClusterFuzz, Nov 22 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4683587260776448.
It impacts HEAD on Linux. I believe the job type on ClusterFuzz was incorrect (the stacktrace looks like it is from chrome, not filter_fuzz_stub), so I ran another analysis with the correct one.
You can reproduce it with filter_fuzz_stub from here: https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-release-518704.zip?generation=1511380006187831&alt=media

I'll also note that filter_fuzz_stub didn't read the testcase when I passed it in as ../skia-use-after-free and I needed to move it to the same directory and pass it in as skia-use-after-free (I think it won't read files from the parent directory or something).


Comment 5 by mea...@chromium.org, Nov 22 2017

Labels: Security_Impact-Head


@meacer and @jialiul, sorry I misunderstood @jialiul's request: I don't know if it impacts other channels, I only know that it impacts HEAD.
Labels: OS-Linux

Comment 9 by mea...@chromium.org, Nov 22 2017

Labels: -Security_Impact-Head
metzman@: Thanks! In that case I'm dropping the label.

ethannicholas@: Could you please help assign a Security-Impact label as well?

Comment 10 by ClusterFuzz, Nov 23 2017

Labels: Security_Impact-Stable
Detailed report: https://clusterfuzz.com/testcase?key=4683587260776448

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x60e000003a48
Crash State:
  SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext::~PerlinNoiseShaderContext
  SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext* SkArenaAlloc::make<SkPerlinNo
  SkArenaAlloc::NextBlock
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=476154:476189

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4683587260776448

See https://github.com/google/clusterfuzz-tools for more information.

Comment 11 by hcm@chromium.org, Nov 28 2017

Cc: ethannicholas@chromium.org
Owner: hcm@chromium.org
Changing ownership to hopefully see the CF report; I thought we fixed this requirement some time ago??

Comment 12 by hcm@chromium.org, Nov 28 2017

Cc: hcm@chromium.org
Owner: fmalita@chromium.org
Not likely a regression; a new fuzzer that has found a latent issue.

To Florin for a look at where we might be able to avoid...
Status: Started (was: Assigned)
Cc: herb@chromium.org

Comment 15 by bugdroid1@chromium.org, Nov 29 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/1ba5bfe59056f7d8c040628508a20ee95cc6b76a

commit 1ba5bfe59056f7d8c040628508a20ee95cc6b76a
Author: Florin Malita <fmalita@chromium.org>
Date: Wed Nov 29 02:33:28 2017

Avoid double-destruction of Sk3DShaderContext-wrapped objects

Sk3DShaderContext creates its nested shader context on a SkArenaAlloc,
which handles destruction when going out of scope.

Hence, the explicit context dtor call in ~Sk3DShaderContext() is
incorrect (likely left over from before SkArenaAlloc).

BUG= chromium:787712 

Change-Id: I176222e449151dcce532a839ef9587d06f61d297
Reviewed-on: https://skia-review.googlesource.com/77203
Commit-Queue: Herb Derby <herb@google.com>
Reviewed-by: Herb Derby <herb@google.com>

[modify] https://crrev.com/1ba5bfe59056f7d8c040628508a20ee95cc6b76a/src/core/SkBlitter.cpp
[modify] https://crrev.com/1ba5bfe59056f7d8c040628508a20ee95cc6b76a/tests/BlurTest.cpp
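To make the double destruction in that commit message concrete, the following is an added C++ model, not Skia's code: Arena, RefTracker, NoiseContext and WrapperContext are simplified stand-ins for SkArenaAlloc, the ref-counted pixel data, PerlinNoiseShaderContext and Sk3DShaderContext. With the pre-fix explicit dtor call the nested context is destroyed by the wrapper and then again by the arena, so its data is unreferenced one time too many; the fixed wrapper leaves destruction to the arena alone.

```cpp
// Added model (not Skia code) of the double destruction fixed in commit 1ba5bfe5.
#include <cassert>
#include <cstddef>
#include <functional>
#include <new>
#include <utility>
#include <vector>

// Ref-counted stand-in for PaintingData's pixel data. Real code deletes the
// object at zero refs, so a further unref() writes to freed memory (the 4-byte
// WRITE in the ASan report); here nothing is freed and the minimum is recorded.
struct RefTracker {
    int refs = 0, lowest = 0;
    void ref()   { ++refs; }
    void unref() { --refs; if (refs < lowest) lowest = refs; }
};

// Simplified SkArenaAlloc: placement-new into a buffer and record a type-erased
// destructor per object (cf. the {lambda(char*)#1} frames in the trace), run in
// reverse creation order when the arena goes out of scope.
class Arena {
public:
    template <typename T, typename... Args>
    T* make(Args&&... args) {
        fUsed = (fUsed + alignof(T) - 1) / alignof(T) * alignof(T);
        assert(fUsed + sizeof(T) <= sizeof(fBuf));
        T* obj = new (fBuf + fUsed) T(std::forward<Args>(args)...);
        fUsed += sizeof(T);
        fDtors.push_back([obj] { obj->~T(); });  // the arena owns destruction
        return obj;
    }
    ~Arena() { for (auto it = fDtors.rbegin(); it != fDtors.rend(); ++it) (*it)(); }
private:
    alignas(std::max_align_t) char fBuf[256];
    std::size_t fUsed = 0;
    std::vector<std::function<void()>> fDtors;
};

// Stand-in for PerlinNoiseShaderContext: destroying it releases the pixel data,
// as ~PaintingData() does at SkPerlinNoiseShader.cpp:90 in the report.
struct NoiseContext {
    explicit NoiseContext(RefTracker* data) : fData(data) { fData->ref(); }
    ~NoiseContext() { fData->unref(); }
    RefTracker* fData;
};

// Stand-in for Sk3DShaderContext. The nested context lives on the same arena,
// which already destroys it; kExplicitDtorCall reproduces the pre-fix leftover
// that destroyed it a second time.
template <bool kExplicitDtorCall>
struct WrapperContext {
    explicit WrapperContext(NoiseContext* inner) : fInner(inner) {}
    ~WrapperContext() { if (kExplicitDtorCall) fInner->~NoiseContext(); }  // the bug
    NoiseContext* fInner;
};

// Build both contexts on one arena (nested first, as onMakeContext does), let the
// arena go out of scope, and return the lowest ref count the pixel data reached.
template <bool kExplicitDtorCall>
int lowestRefsAfterDraw() {
    RefTracker data;
    {
        Arena arena;
        NoiseContext* inner = arena.make<NoiseContext>(&data);
        arena.make<WrapperContext<kExplicitDtorCall>>(inner);
    }  // ~Arena: wrapper dtor runs first, then the arena's own dtor for inner
    return data.lowest;
}

int buggyLowestRefs() { return lowestRefsAfterDraw<true>(); }   // -1: unref on released data
int fixedLowestRefs() { return lowestRefsAfterDraw<false>(); }  //  0: released exactly once
```

In the real code the second unref lands on memory already returned to the allocator, which is exactly the heap-use-after-free WRITE that ASan reports in this issue; the tracker here only records the ref count going negative so the model runs safely.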

Status: Fixed (was: Started)

Comment 17 by bugdroid1@chromium.org, Nov 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/652ef9b0f31cb371842413fb670398a8c01c53cd

commit 652ef9b0f31cb371842413fb670398a8c01c53cd
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Nov 29 06:17:01 2017

Roll src/third_party/skia/ 7b8e30a19..1ba5bfe59 (1 commit)

https://skia.googlesource.com/skia.git/+log/7b8e30a19692..1ba5bfe59056

$ git log 7b8e30a19..1ba5bfe59 --date=short --no-merges --format='%ad %ae %s'
2017-11-28 fmalita Avoid double-destruction of Sk3DShaderContext-wrapped objects

Created with:
  roll-dep src/third_party/skia
BUG= 787712 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=allanmac@chromium.org

Change-Id: If7cd94744124d052c2a6a09ba7ca2f1d4dbbdede
Reviewed-on: https://chromium-review.googlesource.com/795217
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520030}
[modify] https://crrev.com/652ef9b0f31cb371842413fb670398a8c01c53cd/DEPS


Comment 18 by ClusterFuzz, Nov 29 2017

ClusterFuzz has detected this issue as fixed in range 520028:520030.

Detailed report: https://clusterfuzz.com/testcase?key=4683587260776448

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x60e000003a48
Crash State:
  SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext::~PerlinNoiseShaderContext
  SkPerlinNoiseShaderImpl::PerlinNoiseShaderContext* SkArenaAlloc::make<SkPerlinNo
  SkArenaAlloc::NextBlock
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=476154:476189
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=520028:520030

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4683587260776448

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 19 by ClusterFuzz, Nov 29 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4683587260776448 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 20 by sheriffbot@chromium.org, Nov 29 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-63 M-64

Comment 22 by sheriffbot@chromium.org, Dec 15 2017

Labels: Merge-Request-64

Comment 23 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Review-64
The fix should be in M64 already, nothing to merge.
Cc: kjlubick@chromium.org kjlubick@google.com
Labels: Release-0-M64
Cc: pelizzi@google.com

Comment 28 by sheriffbot@chromium.org, Mar 7 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 29 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65
