Null-dereference READ in sk_sp<SkTextBlob>::get |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6018924067160064 Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000008 Crash State: sk_sp<SkTextBlob>::get () paint_op_buffer_eq_fuzzer.cc Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=523883:523911 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6018924067160064 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Dec 14 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7273cfe05dcb33f6abb7626457b5b6d36cbea31c (oop: Use TransferCache for PaintTypeface serialization and transport.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Dec 14 2017
,
Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/af62bb3aab9dd4292ae34750b4e6ca60dd0f032f commit af62bb3aab9dd4292ae34750b4e6ca60dd0f032f Author: Vladimir Levin <vmpstr@chromium.org> Date: Thu Dec 14 19:58:40 2017 oop: Fix nullptr dereference in a fuzz test case. This patch does two things: - Binds the test context to the thread, avoiding a dcheck - Ensures to mark the reader as invalid if we couldn't read textblob data R=ericrk@chromium.org Bug: 794921 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel Change-Id: I1cdf8a0c5571587b0d3a66f1a25d99ed5e3daed9 Reviewed-on: https://chromium-review.googlesource.com/827506 Reviewed-by: Eric Karl <ericrk@chromium.org> Commit-Queue: vmpstr <vmpstr@chromium.org> Cr-Commit-Position: refs/heads/master@{#524152} [modify] https://crrev.com/af62bb3aab9dd4292ae34750b4e6ca60dd0f032f/cc/paint/paint_op_buffer_fuzzer.cc [modify] https://crrev.com/af62bb3aab9dd4292ae34750b4e6ca60dd0f032f/cc/paint/paint_op_reader.cc
,
Dec 14 2017
,
Dec 15 2017
ClusterFuzz has detected this issue as fixed in range 524141:524160. Detailed report: https://clusterfuzz.com/testcase?key=6018924067160064 Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000008 Crash State: sk_sp<SkTextBlob>::get () paint_op_buffer_eq_fuzzer.cc Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=523883:523911 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=524141:524160 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6018924067160064 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 15 2017
ClusterFuzz testcase 6018924067160064 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ClusterFuzz
, Dec 14 2017Labels: Test-Predator-Auto-Components