NULL deref (read) in SkPicturePlayback
Issue description
My skia_image_filter_proto_fuzzer (I've called it filter_proto_fuzzer before) found this.
REPRODUCTION CASE
1. Build filter_fuzz_stub with these arguments:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
pdf_enable_xfa = true
proprietary_codecs = true
use_goma = true
is_debug = false
is_asan = true
optimize_for_fuzzing = true
2. Run it on the attached input (ffs-picture-playback)
filter_fuzz_stub will also crash on the attached input if built with no sanitizers at all.
Here is the stacktrace I get from running an ASAN build of filter_fuzz_stub on the input:
$ ./out/skia/filter_fuzz_stub ffs-picture-playback
[1208/095536.167358:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-picture-playback
AddressSanitizer:DEADLYSIGNAL
=================================================================
==94355==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000adf2f4 bp 0x7ffcf7f64d70 sp 0x7ffcf7f64c80 T0)
==94355==The signal is caused by a READ memory access.
==94355==Hint: address points to the zero page.
#0 0xadf2f3 in size third_party/skia/include/core/SkData.h:27:34
#1 0xadf2f3 in SkPicturePlayback::draw(SkCanvas*, SkPicture::AbortCallback*, SkReadBuffer*) third_party/skia/src/core/SkPicturePlayback.cpp:93
#2 0xac4c9b in Forwardport third_party/skia/src/core/SkPicture.cpp:129:14
#3 0xac4c9b in SkPicture::MakeFromBuffer(SkReadBuffer&) third_party/skia/src/core/SkPicture.cpp:192
#4 0xde514a in SkPictureImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPictureImageFilter.cpp:63:23
#5 0xb08424 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:446:15
#6 0x9fcaa1 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:145:40
#7 0x9fcd69 in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
#8 0x5d73c0 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
#9 0x5d73c0 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#10 0x5d73c0 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
#11 0x7f246c631f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/include/core/SkData.h:27:34 in size
==94355==ABORTING
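As an added triage example (not part of this report and not ClusterFuzz's own code), the following Python helper derives the crash type, crash address and three-frame crash state that ClusterFuzz attaches to this kind of report from the ASAN output above. The report excerpt is constructed from the trace here; the zero-page threshold and the rule that collapses consecutive frames sharing one pc (inlined callees such as frame #0 `size` inside frame #1 `SkPicturePlayback::draw`) are assumptions that merely reproduce this report's summary, not ClusterFuzz's actual heuristics.

```python
import re
# Constructed excerpt of the ASAN report above (hint line and frames #5 onward omitted).
ASAN_REPORT = """\
==94355==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000adf2f4 bp 0x7ffcf7f64d70 sp 0x7ffcf7f64c80 T0)
==94355==The signal is caused by a READ memory access.
    #0 0xadf2f3 in size third_party/skia/include/core/SkData.h:27:34
    #1 0xadf2f3 in SkPicturePlayback::draw(SkCanvas*, SkPicture::AbortCallback*, SkReadBuffer*) third_party/skia/src/core/SkPicturePlayback.cpp:93
    #2 0xac4c9b in Forwardport third_party/skia/src/core/SkPicture.cpp:129:14
    #3 0xac4c9b in SkPicture::MakeFromBuffer(SkReadBuffer&) third_party/skia/src/core/SkPicture.cpp:192
    #4 0xde514a in SkPictureImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPictureImageFilter.cpp:63:23
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(\S+)")
SEGV_RE = re.compile(r"SEGV on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
ZERO_PAGE_LIMIT = 0x1000  # assumption: faults below the first page are classed as NULL derefs

def parse_frames(report):
    """Return [(frame_no, pc, function)] for each '#N 0x... in func file:line' line."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:  # drop the parameter list: 'SkPicture::MakeFromBuffer(SkReadBuffer&)' -> bare name
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3).split("(")[0]))
    return frames

def crash_state(frames, depth=3):
    """Top `depth` functions after collapsing runs of frames that share one pc (assumed to be
    inlined callee chains, e.g. #0 'size' inside #1 'SkPicturePlayback::draw')."""
    state, i = [], 0
    while i < len(frames) and len(state) < depth:
        j = i
        while j + 1 < len(frames) and frames[j + 1][1] == frames[i][1]:
            j += 1  # skip inlined callees; keep the outermost function of the run
        state.append(frames[j][2])
        i = j + 1
    return state

def summarize(report):
    segv = SEGV_RE.search(report)
    if segv is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(segv.group(1), 16)
    access = ACCESS_RE.search(report)
    kind = "Null-dereference" if addr < ZERO_PAGE_LIMIT else "Unknown-crash"
    return {
        "crash_type": f"{kind} {access.group(1) if access else 'UNKNOWN'}",
        "crash_address": f"0x{addr:012x}",
        "crash_state": crash_state(parse_frames(report)),
    }
```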
Dec 9 2017
Detailed report: https://clusterfuzz.com/testcase?key=5820331758714880
Job Type: linux_asan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  SkPicturePlayback::draw
  SkPicture::MakeFromBuffer
  SkPictureImageFilter::CreateProc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5820331758714880
See https://github.com/google/clusterfuzz-tools for more information.
Jan 4 2018
ClusterFuzz has detected this issue as fixed in range 526815:526830.
Detailed report: https://clusterfuzz.com/testcase?key=5820331758714880
Job Type: linux_asan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  SkPicturePlayback::draw
  SkPicture::MakeFromBuffer
  SkPictureImageFilter::CreateProc
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=526815:526830
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5820331758714880
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 4 2018
ClusterFuzz testcase 5820331758714880 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 22 2018
Comment 1 by ClusterFuzz, Dec 8 2017