
Issue 789896


Issue metadata

Status: Verified
Closed: Dec 2017
OS: Linux
Pri: 1
Type: Bug


Out-of-memory in paint_op_buffer_eq_fuzzer

Reported by ClusterFuzz, Nov 30 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5101397384364032

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  paint_op_buffer_eq_fuzzer
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=520300:520355

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101397384364032

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Components: Infra>Git
Labels: M-64 Test-Predator-Wrong
Owner: enne@chromium.org
Status: Assigned (was: Untriaged)
As per the Issue 756727 owner, assigning this issue to @enne.
@enne -- Could you please look into this issue, and kindly reassign it if it has nothing to do with your changes.
Thanks.

Comment 2 by enne@chromium.org, Dec 1 2017

Cc: bsalomon@chromium.org vmp...@chromium.org
Components: -Infra>Git Internals>Skia
Labels: -M-64
This looks like SkTextBlobBuilder::allocInternal is allocating some arbitrary amount of data (glyphCount is very large).  This code could be patched to not allocate any more than the read buffer could possibly hold, but this also could be a WontFix.
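The failure mode described in the comment above (a deserializer sizing an allocation from a count read out of the fuzzer's input before checking whether the remaining buffer could possibly hold that many elements) and the suggested fix direction, shown side by side as an added example. This is not Skia code and not part of this issue: the toy run format, the names `ReadBuffer`, `parseRunUnsafe`, `parseRunSafe`, `countFitsRemaining`, `reservationForCount`, and the sample byte arrays are all constructed for illustration, and the decoding assumes a little-endian host.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed toy wire format (not Skia's SkTextBlob encoding): one run is a
// little-endian uint32 glyph count followed by `count` uint16 glyph ids.
struct Run {
    std::vector<uint16_t> glyphs;
};

// Minimal bounds-checked cursor over an untrusted byte buffer.
class ReadBuffer {
public:
    ReadBuffer(const uint8_t* data, size_t len) : data_(data), len_(len) {}
    size_t remaining() const { return len_ - pos_; }
    bool readU32(uint32_t* out) {
        if (remaining() < sizeof(*out)) return false;
        std::memcpy(out, data_ + pos_, sizeof(*out));
        pos_ += sizeof(*out);
        return true;
    }
    bool readBytes(void* dst, size_t n) {
        if (remaining() < n) return false;
        std::memcpy(dst, data_ + pos_, n);
        pos_ += n;
        return true;
    }
private:
    const uint8_t* data_;
    size_t len_;
    size_t pos_ = 0;
};

// Bytes the unsafe path reserves for a given count (64-bit so it cannot wrap).
uint64_t reservationForCount(uint32_t count) {
    return uint64_t(count) * sizeof(uint16_t);
}

// The check the fix needs: a count is plausible only if `remaining` bytes can
// hold that many glyph ids.  Dividing, rather than multiplying count by the
// element size, avoids integer overflow on a 32-bit size_t.
bool countFitsRemaining(uint32_t count, size_t remaining) {
    return count <= remaining / sizeof(uint16_t);
}

// Unsafe pattern: allocate from the untrusted count before checking the buffer.
// A fuzzer-chosen count near 2^32 reserves about 8 GB and trips the ASan
// 2048 MB limit even though the read that follows would fail anyway.
bool parseRunUnsafe(const uint8_t* data, size_t len, Run* out) {
    ReadBuffer buf(data, len);
    uint32_t count = 0;
    if (!buf.readU32(&count)) return false;
    out->glyphs.resize(count);  // sized by attacker-controlled count
    if (!buf.readBytes(out->glyphs.data(), out->glyphs.size() * sizeof(uint16_t))) {
        out->glyphs.clear();
        return false;
    }
    return true;
}

// Hardened: reject any count the remaining bytes could not possibly hold
// before a single byte is allocated.
bool parseRunSafe(const uint8_t* data, size_t len, Run* out) {
    ReadBuffer buf(data, len);
    uint32_t count = 0;
    if (!buf.readU32(&count)) return false;
    if (!countFitsRemaining(count, buf.remaining())) return false;
    out->glyphs.resize(count);
    if (!buf.readBytes(out->glyphs.data(), out->glyphs.size() * sizeof(uint16_t))) {
        out->glyphs.clear();
        return false;
    }
    return true;
}

// Constructed inputs: a well-formed run of three glyphs, and a hostile header
// claiming 0xFFFFFFFF glyphs with only four payload bytes behind it.
const uint8_t kGoodRun[] = {3, 0, 0, 0, 0x41, 0x00, 0x42, 0x00, 0x43, 0x00};
const uint8_t kHostileRun[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x41, 0x00, 0x42, 0x00};

int main() {
    Run good;
    bool okGood = parseRunSafe(kGoodRun, sizeof(kGoodRun), &good);
    std::printf("good run: %s, %zu glyphs\n", okGood ? "ok" : "rejected", good.glyphs.size());
    Run bad;
    bool okBad = parseRunSafe(kHostileRun, sizeof(kHostileRun), &bad);
    std::printf("hostile run: %s (unsafe path would have reserved %llu bytes)\n",
                okBad ? "accepted" : "rejected",
                (unsigned long long)reservationForCount(0xFFFFFFFFu));
    return 0;
}
```

The hostile input is only ever fed to the hardened parser in the example; feeding it to `parseRunUnsafe` reproduces the class of failure in this report (a multi-gigabyte `resize` driven by the header) rather than a memory-safety bug, which is why the only observable is the sanitizer's allocation limit.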
Cc: reed@chromium.org

Comment 4 by reed@google.com, Dec 1 2017

Owner: fmalita@chromium.org

Comment 5 by ClusterFuzz, Dec 2 2017

ClusterFuzz has detected this issue as fixed in range 520961:520991.

Detailed report: https://clusterfuzz.com/testcase?key=5101397384364032

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  paint_op_buffer_eq_fuzzer
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=520300:520355
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=520961:520991

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101397384364032

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz, Dec 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5101397384364032 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
