Null-dereference READ in SkImageFilter::filterBounds |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5340219644837888 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: SkImageFilter::filterBounds cc::MapRectInternal cc::FilterOperations::MapRect Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518507:518540 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5340219644837888 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Dec 11 2017
Using the provided regression range assigning to the possible suspect as per the change made for the file, “filter_operations.cc” Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/7865b5be0f6472b14ed7a30bc7e41896a8ec9e6e @khushalsagar -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thanks!
,
Dec 21 2017
Its this case in SkTileImageFilter (https://cs.chromium.org/chromium/src/third_party/skia/src/effects/SkTileImageFilter.cpp?sq=package:chromium&l=27). Looks like skia has checks in each of its factory methods which can return a null filter but cc still creates a PaintFilter with it. Clusterfuzz will keep finding cases like this. I think we'll have to switch PaintFilters to provide factory methods as well, which fail if the internal skia filter can't be created.
,
Jan 19 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Jan 19 2018
This needs to be fixed in cc/paint.
,
Jan 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f8a9b60fb47c743d4f3e39a1135e29d3199d13bd commit f8a9b60fb47c743d4f3e39a1135e29d3199d13bd Author: Khushal <khushalsagar@chromium.org> Date: Sat Jan 20 03:51:12 2018 cc/paint: Handle invalid PaintFilters. If the inputs to a PaintFilter invalid, we can fail to create the corresponding skia filter. Null check before de-referencing it. R=enne@chromium.org Bug: 793410 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel Change-Id: I17c29abce676a4eb871b068d393faa0b09e762f3 Reviewed-on: https://chromium-review.googlesource.com/877385 Reviewed-by: enne <enne@chromium.org> Commit-Queue: Khushal <khushalsagar@chromium.org> Cr-Commit-Position: refs/heads/master@{#530746} [modify] https://crrev.com/f8a9b60fb47c743d4f3e39a1135e29d3199d13bd/cc/paint/paint_filter.h
,
Jan 20 2018
ClusterFuzz has detected this issue as fixed in range 530745:530746. Detailed report: https://clusterfuzz.com/testcase?key=5340219644837888 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: SkImageFilter::filterBounds cc::MapRectInternal cc::FilterOperations::MapRect Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518507:518540 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=530745:530746 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5340219644837888 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 20 2018
ClusterFuzz testcase 5340219644837888 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, Dec 8 2017