Automatically adding ccs based on suspected regression changelists:

Swap `ALLOC_MULT' arguments (#51833). by apodtele@gmail.com - https://chromium.googlesource.com/chromium/src/third_party/freetype2/+/f0898b9259d4b3b99a1e720924683730dd36d3db

[base] Don't zero out allocated memory twice (#51816). by wl@gnu.org - https://chromium.googlesource.com/chromium/src/third_party/freetype2/+/bd28952e23bcd268a623ea5202e1cde4a92defe4

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+awhalley@, could you ptal (FYI: we already cut M63 stable RC). Is this a real blocker?

Hmm, this seems skia related though I don't see anything skia related in the blamelist. The two suspected CLs are font related which are possibly relevant. 

hcm: could you help triage? Thanks!

We just saw this (and CF just closed it I see) in  issue 785803 .. it seems to be due to a recent change in Freetype and not something we can fix in Skia/Chrome.  AFAIK the right thing to do is have Werner on cc as we do here, mark external dependency (?)

trying to cc werner's other address.. perhaps security team can help with access to the CF report etc, I'm not a wizard of those things.

In the mean time, will paste more of the stack here:
	==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7fb2408a36a8 in round third_party/skia/src/jumper/SkJumper_vectors.h:440:41
#1 0x7fb2408a36a8 in store_a8_k third_party/skia/src/jumper/SkJumper_stages.cpp:880
#2 0x7fb2408a36a8 in sk_store_a8 third_party/skia/src/jumper/SkJumper_stages.cpp:877
#3 0x7fb240886e9f in sk_start_pipeline third_party/skia/src/jumper/SkJumper_stages.cpp:79:13
#4 0x7fb241156895 in operator() buildtools/third_party/libc++/trunk/include/functional:1916:12
#5 0x7fb241156895 in SkRasterPipelineBlitter::blitRect(int, int, int, int) third_party/skia/src/core/SkRasterPipelineBlitter.cpp:337
#6 0x7fb24077cf54 in blitrect third_party/skia/src/core/SkScan.cpp:25:14
#7 0x7fb24077cf54 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan.cpp:36
#8 0x7fb24077e86c in FillRect third_party/skia/src/core/SkScan.cpp:71:5
#9 0x7fb24077e86c in SkScan::FillRect(SkRect const&, SkRasterClip const&, SkBlitter*) third_party/skia/src/core/SkScan.cpp:113
#10 0x7fb240594fb5 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:814:21
#11 0x7fb24100ac0a in drawRect third_party/skia/src/core/SkDraw.h:42:15
#12 0x7fb24100ac0a in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195
#13 0x7fb24050a48f in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2029:27
#14 0x7fb2404fbef4 in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
#15 0x7fb24059a9b5 in SkDraw::drawBitmapAsMask(SkBitmap const&, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1206:15
#16 0x7fb24059c406 in SkDraw::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1284:14
#17 0x7fb24100b87d in SkBitmapDevice::drawBitmap(SkBitmap const&, float, float, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:229:18
#18 0x7fb240515dea in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2303:27
#19 0x7fb24050247a in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
#20 0x7fb24154e7d9 in SkScalerContext_FreeType_Base::generateGlyphImage(FT_FaceRec_*, SkGlyph const&, SkMatrix const&) third_party/skia/src/ports/SkFontHost_FreeType_common.cpp:597:20
#21 0x7fb241542da7 in SkScalerContext_FreeType::generateImage(SkGlyph const&) third_party/skia/src/ports/SkFontHost_FreeType.cpp:1228:5
#22 0x7fb240771845 in SkScalerContext::getImage(SkGlyph const&) third_party/skia/src/core/SkScalerContext.cpp:511:9
#23 0x7fb2405b87ee in SkGlyphCache::findImage(SkGlyph const&) third_party/skia/src/core/SkGlyphCache.cpp:189:33
#24 0x7fb2405aa192 in getImageData third_party/skia/src/core/SkDraw.cpp:1483:49
#25 0x7fb2405aa192 in DrawOneGlyph::operator()(SkGlyph const&, SkPoint, SkPoint) third_party/skia/src/core/SkDraw.cpp:1461
#26 0x7fb2405ab9c3 in SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, (SkPaint::Align)0, (SkAxisAlignment)2>::findAndPositionGlyph(char const**, SkPoint, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:374:17
#27 0x7fb2405a4d58 in void SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>(SkPaint::TextEncoding, char const*, unsigned long, SkPoint, SkMatrix const&, float const*, int, SkPaint::Align, SkGlyphCache*, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:564:26
#28 0x7fb2405a2dec in SkDraw::drawPosText(char const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&, SkSurfaceProps const*) const third_party/skia/src/core/SkDraw.cpp:1629:5
#29 0x7fb24100e3dd in SkBitmapDevice::drawPosText(void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:363:18
#30 0x7fb2405846e9 in SkBaseDevice::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&, SkDrawFilter*) third_party/skia/src/core/SkDevice.cpp:165:19
#31 0x7fb240521f0d in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2553:23
#32 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#33 0x7fb2415db5f3 in SkColorSpaceXformCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkColorSpaceXformCanvas.cpp:136:18
#34 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#35 0x7fb24240451b in RasterWithFlags cc/paint/paint_op_buffer.cc:1177:11

Uninitialized value was stored to memory at
#0 0x7fb241559c54 in (anonymous namespace)::copyFTBitmap(FT_Bitmap_ const&, SkMask&) third_party/skia/src/ports/SkFontHost_FreeType_common.cpp:233:28
#1 0x7fb24154d0b0 in SkScalerContext_FreeType_Base::generateGlyphImage(FT_FaceRec_*, SkGlyph const&, SkMatrix const&) third_party/skia/src/ports/SkFontHost_FreeType_common.cpp:554:13
#2 0x7fb241542da7 in SkScalerContext_FreeType::generateImage(SkGlyph const&) third_party/skia/src/ports/SkFontHost_FreeType.cpp:1228:5
#3 0x7fb240771845 in SkScalerContext::getImage(SkGlyph const&) third_party/skia/src/core/SkScalerContext.cpp:511:9
#4 0x7fb2405b87ee in SkGlyphCache::findImage(SkGlyph const&) third_party/skia/src/core/SkGlyphCache.cpp:189:33
#5 0x7fb2405aa192 in getImageData third_party/skia/src/core/SkDraw.cpp:1483:49
#6 0x7fb2405aa192 in DrawOneGlyph::operator()(SkGlyph const&, SkPoint, SkPoint) third_party/skia/src/core/SkDraw.cpp:1461
#7 0x7fb2405ab9c3 in SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, (SkPaint::Align)0, (SkAxisAlignment)2>::findAndPositionGlyph(char const**, SkPoint, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:374:17
#8 0x7fb2405a4d58 in void SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>(SkPaint::TextEncoding, char const*, unsigned long, SkPoint, SkMatrix const&, float const*, int, SkPaint::Align, SkGlyphCache*, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:564:26
#9 0x7fb2405a2dec in SkDraw::drawPosText(char const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&, SkSurfaceProps const*) const third_party/skia/src/core/SkDraw.cpp:1629:5
#10 0x7fb24100e3dd in SkBitmapDevice::drawPosText(void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:363:18
#11 0x7fb2405846e9 in SkBaseDevice::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&, SkDrawFilter*) third_party/skia/src/core/SkDevice.cpp:165:19
#12 0x7fb240521f0d in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2553:23
#13 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#14 0x7fb2415db5f3 in SkColorSpaceXformCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkColorSpaceXformCanvas.cpp:136:18
#15 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#16 0x7fb24240451b in RasterWithFlags cc/paint/paint_op_buffer.cc:1177:11

Uninitialized value was stored to memory at
#0 0x7fb23505e625 in FT_Bitmap_Embolden third_party/freetype/src/src/base/ftbitmap.c:376:20
#1 0x7fb2415425f4 in SkScalerContext_FreeType::generateImage(SkGlyph const&) third_party/skia/src/ports/SkFontHost_FreeType.cpp:1219:5
#2 0x7fb240771845 in SkScalerContext::getImage(SkGlyph const&) third_party/skia/src/core/SkScalerContext.cpp:511:9
#3 0x7fb2405b87ee in SkGlyphCache::findImage(SkGlyph const&) third_party/skia/src/core/SkGlyphCache.cpp:189:33
#4 0x7fb2405aa192 in getImageData third_party/skia/src/core/SkDraw.cpp:1483:49
#5 0x7fb2405aa192 in DrawOneGlyph::operator()(SkGlyph const&, SkPoint, SkPoint) third_party/skia/src/core/SkDraw.cpp:1461
#6 0x7fb2405ab9c3 in SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, (SkPaint::Align)0, (SkAxisAlignment)2>::findAndPositionGlyph(char const**, SkPoint, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:374:17
#7 0x7fb2405a4d58 in void SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>(SkPaint::TextEncoding, char const*, unsigned long, SkPoint, SkMatrix const&, float const*, int, SkPaint::Align, SkGlyphCache*, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:564:26
#8 0x7fb2405a2dec in SkDraw::drawPosText(char const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&, SkSurfaceProps const*) const third_party/skia/src/core/SkDraw.cpp:1629:5
#9 0x7fb24100e3dd in SkBitmapDevice::drawPosText(void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:363:18
#10 0x7fb2405846e9 in SkBaseDevice::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&, SkDrawFilter*) third_party/skia/src/core/SkDevice.cpp:165:19
#11 0x7fb240521f0d in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2553:23
#12 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#13 0x7fb2415db5f3 in SkColorSpaceXformCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkColorSpaceXformCanvas.cpp:136:18
#14 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#15 0x7fb24240451b in RasterWithFlags cc/paint/paint_op_buffer.cc:1177:11

OK, seeing the report finally.  However, I still can't access the reproducer testcase...  Is it a font?  This is what I need for testing.

lemzwerg@ - they appear to be HTML files. I've sent them over by email.

Thanks.  However, this doesn't help me at all.  Can someone please debug the issue, sending me the name of the used font (Kochi Mincho, I guess), the used glyph, and the used PPEM size so that I can test this with FreeType tools?

That is the font..trying to get you the rest of the info you need

Ben is out but getting him (and Mike who looked at the similar issue previously) on cc

Attaching an SKP for reed@ to look at.  Also, I believe this is the root CF stack dump (pointing at the location where the uninitialized value was allocated):

Uninitialized value was created by a heap allocation
#0 0x7fb234ea376d in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:879:3
#1 0x7fb2404a9ffc in sk_malloc_throw(unsigned long) skia/ext/SkMemory_new_handler.cpp:64:66
#2 0x7fb235059805 in ft_mem_qrealloc third_party/freetype/src/src/base/ftutil.c:146:15
#3 0x7fb23505d6e4 in ft_bitmap_assure_buffer third_party/freetype/src/src/base/ftbitmap.c:229:10
#4 0x7fb23505d6e4 in FT_Bitmap_Embolden third_party/freetype/src/src/base/ftbitmap.c:338
#5 0x7fb2415425f4 in SkScalerContext_FreeType::generateImage(SkGlyph const&) third_party/skia/src/ports/SkFontHost_FreeType.cpp:1219:5
#6 0x7fb240771845 in SkScalerContext::getImage(SkGlyph const&) third_party/skia/src/core/SkScalerContext.cpp:511:9
#7 0x7fb2405b87ee in SkGlyphCache::findImage(SkGlyph const&) third_party/skia/src/core/SkGlyphCache.cpp:189:33
#8 0x7fb2405aa192 in getImageData third_party/skia/src/core/SkDraw.cpp:1483:49
#9 0x7fb2405aa192 in DrawOneGlyph::operator()(SkGlyph const&, SkPoint, SkPoint) third_party/skia/src/core/SkDraw.cpp:1461
#10 0x7fb2405ab9c3 in SkFindAndPlaceGlyph::GlyphFindAndPlaceSubpixel<DrawOneGlyph&, (SkPaint::Align)0, (SkAxisAlignment)2>::findAndPositionGlyph(char const**, SkPoint, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:374:17
#11 0x7fb2405a4d58 in void SkFindAndPlaceGlyph::ProcessPosText<DrawOneGlyph&>(SkPaint::TextEncoding, char const*, unsigned long, SkPoint, SkMatrix const&, float const*, int, SkPaint::Align, SkGlyphCache*, DrawOneGlyph&) third_party/skia/src/core/SkFindAndPlaceGlyph.h:564:26
#12 0x7fb2405a2dec in SkDraw::drawPosText(char const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&, SkSurfaceProps const*) const third_party/skia/src/core/SkDraw.cpp:1629:5
#13 0x7fb24100e3dd in SkBitmapDevice::drawPosText(void const*, unsigned long, float const*, int, SkPoint const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:363:18
#14 0x7fb2405846e9 in SkBaseDevice::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&, SkDrawFilter*) third_party/skia/src/core/SkDevice.cpp:165:19
#15 0x7fb240521f0d in SkCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2553:23
#16 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#17 0x7fb2415db5f3 in SkColorSpaceXformCanvas::onDrawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkColorSpaceXformCanvas.cpp:136:18
#18 0x7fb2405257a6 in SkCanvas::drawTextBlob(SkTextBlob const*, float, float, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2610:11
#19 0x7fb24240451b in RasterWithFlags cc/paint/paint_op_buffer.cc:1177:11
#20 0x7fb24240451b in RasterWithFlags cc/paint/paint_op_buffer.cc:94
#21 0x7fb24240451b in operator() cc/paint/paint_op_buffer.cc:129
#22 0x7fb24240451b in cc::$_42::__invoke(cc::PaintOp const*, cc::PaintFlags const*, SkCanvas*, cc::PlaybackParams const&) cc/paint/paint_op_buffer.cc:129
#23 0x7fb2423fdef4 in RasterWithFlags cc/paint/paint_op_buffer.cc:1833:3
#24 0x7fb2423fdef4 in cc::PaintOpBuffer::Playback(SkCanvas*, cc::ImageProvider*, SkPicture::AbortCallback*, std::__1::vector<unsigned long, std::__1::allocator<unsigned long> > const*) const cc/paint/paint_op_buffer.cc:2174
#25 0x7fb2423fdafe in Raster cc/paint/paint_op_buffer.cc:1654:3
#26 0x7fb2423fdafe in cc::PaintOpBuffer::Playback(SkCanvas*, cc::ImageProvider*, SkPicture::AbortCallback*, std::__1::vector<unsigned long, std::__1::allocator<unsigned long> > const*) const cc/paint/paint_op_buffer.cc:2183

Deleted: layer_0.skp 590 bytes

layer_0.skp 590 bytes Download

Should be fixed now in git.

Thanks Werner!

@drott can you roll FT or cherry-pick http://git.savannah.nongnu.org/cgit/freetype/freetype2.git/commit/?id=e1090c608b72dcfc1899c33974acd056e120aa53 for this issue?

CL up in https://chromium-review.googlesource.com/c/chromium/src/+/817419

ClusterFuzz has detected this issue as fixed in range 523421:523429.

Detailed report: https://clusterfuzz.com/testcase?key=4993724299083776

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sk_store_a8
  sk_start_pipeline
  SkScan::FillIRect
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=503435:503455
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=523421:523429

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4993724299083776

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4993724299083776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Mike is this the same as:
https://bugs.chromium.org/p/chromium/issues/detail?id=794406

Or is this a different bug. It look like it was verified fixed by ClusterFuzz already.

 crbug.com/794523  may also be related.

This and 794406 are completely unrelated.  This was a bug in FreeType, fixed in Freetype.  794406 was a bug in one of our color filters.

I have not yet looked at 794523.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot