This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

A few Skia rolls in the regression range, and one change (crrev.com/519831) that causes Chrome to use Skia differently.

I believe this first came in as  Issue 789812 , and the regressing CL was reverted. Now that it has relanded, the bug is back.

This seems to be a wholly different bug. I will reproduce it locally. 

The CL https://skia-review.googlesource.com/79401 fixed the original bug.

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/72b4e07e44353892b5972379d6e98c7334e8fe14

commit 72b4e07e44353892b5972379d6e98c7334e8fe14
Author: Herb Derby <herb@google.com>
Date: Tue Dec 12 22:03:39 2017

Handle small sigma in one direction

Because GPU/CPU must interoperate, the border calculation
code adds transparent black border pixels for sigmas
that produce a window of 1. This is a very rare case
and seems to only happen in fuzzers. In this case
cleare everything to black before bluring.

BUG= chromium:793285 

Change-Id: I2b56f9ad88304abaa2669c9c9ef69b5443ba4333
Reviewed-on: https://skia-review.googlesource.com/83562
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Herb Derby <herb@google.com>

[modify] https://crrev.com/72b4e07e44353892b5972379d6e98c7334e8fe14/src/core/SkBlurImageFilter.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/142124b87c6b43005c38d9789e2aa668825b4a9c

commit 142124b87c6b43005c38d9789e2aa668825b4a9c
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Wed Dec 13 00:56:47 2017

Roll src/third_party/skia/ aeff9eaa1..106e17aa3 (3 commits)

https://skia.googlesource.com/skia.git/+log/aeff9eaa1903..106e17aa38c9

$ git log aeff9eaa1..106e17aa3 --date=short --no-merges --format='%ad %ae %s'
2017-12-12 mtklein JUMPER_IS_AVX2 -> JUMPER_IS_HSW
2017-12-12 rmistry Store skiaserve binary in GS from Release Android compile bots
2017-12-11 herb Handle small sigma in one direction

Created with:
  roll-dep src/third_party/skia
BUG= 793285 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=liyuqian@chromium.org

Change-Id: I63b183b3cf074966faf9f803ef04b0465bb343af
Reviewed-on: https://chromium-review.googlesource.com/823249
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523633}
[modify] https://crrev.com/142124b87c6b43005c38d9789e2aa668825b4a9c/DEPS

ClusterFuzz has detected this issue as fixed in range 523623:523651.

Detailed report: https://clusterfuzz.com/testcase?key=5000116217053184

Fuzzer: attekett_surku_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=519805:519843
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=523623:523651

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5000116217053184

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5000116217053184 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 794523  has been merged into this issue.

+awhalley@ - Approving merge to M64. Branch:3282

The flag flip that triggered this bug was on Dec. 5th. This is not a problem in M64, only in M65. And it is already fixed in M65.

Thanks!

(found by internal fuzzers within window)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot