OOB in _sk_lerp_u8_sse2
Reported by
m.cooo...@gmail.com,
Jan 9 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
1. download https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-release-527924.zip?generation=1515484072672730&alt=media
2. run ./filter_fuzz_stub poc

What is the expected behavior?

What went wrong?
The input data check is not strict enough

Did this work before? N/A

Chrome version: latest build of filter_fuzz_stub
Channel: n/a
OS Version: 16.04
Flash Version:

ASAN

yangkang@360:~/data/tmp/asan-linux-release-527924$ ./filter_fuzz_stub ./poc
[0109/160217.395103:INFO:filter_fuzz_stub.cc(61)] Test case: ./poc
[0109/160217.396481:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25825==ERROR: AddressSanitizer: SEGV on unknown address 0x62908001c780 (pc 0x000000d4432c bp 0x7fff5c28ce90 sp 0x7fff5c28ce48 T0)
==25825==The signal is caused by a READ memory access.
    #0 0xd4432b in _sk_lerp_u8_sse2 (/mnt/data/tmp/asan-linux-release-527924/filter_fuzz_stub+0xd4432b)
    #1 0xb7397a in operator() buildtools/third_party/libc++/trunk/include/functional:1916:12
    #2 0xb7397a in SkRasterPipelineBlitter::blitMask(SkMask const&, SkIRect const&) third_party/skia/src/core/SkRasterPipelineBlitter.cpp:482
    #3 0xa4d754 in SkBlitter::blitMaskRegion(SkMask const&, SkRegion const&) third_party/skia/src/core/SkBlitter.cpp:323:15
    #4 0xa24f1e in SkDraw::drawDevMask(SkMask const&, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:865:14
    #5 0xa266f2 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const third_party/skia/src/core/SkDraw.cpp:1119:19
    #6 0xa2490e in drawPath third_party/skia/src/core/SkDraw.h:56:15
    #7 0xa2490e in draw_rect_as_path(SkDraw const&, SkRect const&, SkPaint const&, SkMatrix const*) third_party/skia/src/core/SkDraw.cpp:733
    #8 0xa23785 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:760:9
    #9 0x9d361c in drawRect third_party/skia/src/core/SkDraw.h:42:15
    #10 0x9d361c in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195
    #11 0x9ba219 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2029:27
    #12 0x9b056f in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #13 0xe3d489 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #14 0xa78ec9 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #15 0x9d6c5b in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #16 0x9a72aa in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #17 0x9a235f in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #18 0x9c1f44 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:495:22
    #19 0x9c1f44 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308
    #20 0x9b4def in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #21 0x62e3bc in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #22 0x62e3bc in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #23 0x62e3bc in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #24 0x7fd191be382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/mnt/data/tmp/asan-linux-release-527924/filter_fuzz_stub+0xd4432b) in _sk_lerp_u8_sse2
==25825==ABORTING

Debug

Breakpoint 2, SkPixmap::reset (this=0xffff9c60, info=..., addr=0x81f0010, rowBytes=0xffffff00) at ../../src/third_party/skia/src/core/SkPixmap.cpp:34
34          SkASSERT(info.validRowBytes(rowBytes));
$15 = (const SkImageInfo &) @0xffff9b10: {fColorSpace = {fPtr = 0x0}, fWidth = 0xffffff00, fHeight = 0xffffff00, fColorType = kAlpha_8_SkColorType, fAlphaType = kPremul_SkAlphaType}

Breakpoint 2, operator() (this=0xffff9ab8) at ../../src/third_party/skia/src/core/SkPixmap.cpp:34
34          SkASSERT(info.validRowBytes(rowBytes));
[0109/151025.169124:INFO:SkPixmap.cpp(34)] ../../src/third_party/skia/src/core/SkPixmap.cpp:34: fatal error: "assert(info.validRowBytes(rowBytes))"
gdb$ next

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0xFFFF9400  EBX: 0x00000000  ECX: 0xFFFF8740  EDX: 0xF7395144  o d I t s Z a P c
  ESI: 0x881F7F90  EDI: 0x00000000  EBP: 0xFFFF8608  ESP: 0xFFFF85F0  EIP: 0xF739515F
  CS: 0023  DS: 002B  ES: 002B  FS: 0000  GS: 0063  SS: 002B
--------------------------------------------------------------------------[code]
=> 0xf739515f <_sk_lerp_u8_sse2+41>:    movd   xmm4,DWORD PTR [esi+edi*1]
   0xf7395164 <_sk_lerp_u8_sse2+46>:    punpcklbw xmm4,xmm0
   0xf7395168 <_sk_lerp_u8_sse2+50>:    punpcklwd xmm4,xmm0
   0xf739516c <_sk_lerp_u8_sse2+54>:    pand   xmm4,XMMWORD PTR [edx+0xd5fc]
   0xf7395174 <_sk_lerp_u8_sse2+62>:    cvtdq2ps xmm4,xmm4
   0xf7395177 <_sk_lerp_u8_sse2+65>:    mulps  xmm4,XMMWORD PTR [edx+0xd73c]
   0xf739517e <_sk_lerp_u8_sse2+72>:    movaps xmm5,XMMWORD PTR [ecx+0x10]
   0xf7395182 <_sk_lerp_u8_sse2+76>:    movaps xmm6,XMMWORD PTR [ecx+0x20]
--------------------------------------------------------------------------------
0xf739515f in _sk_lerp_u8_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
82          bool isValid() const { return fConfig != kUnknown_GrPixelConfig; }
gdb$ bt
#0  0xf739515f in _sk_lerp_u8_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#1  0xf7397b49 in _sk_load_bgra_dst_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#2  0xf739484f in _sk_premul_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#3  0xf73946b3 in _sk_clamp_1_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#4  0xf7399191 in _sk_matrix_4x5_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#5  0xf73948cd in _sk_unpremul_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#6  0xf7394f09 in _sk_scale_1_float_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#7  0xf739a166 in _sk_callback_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#8  0xf73927a0 in _sk_seed_shader_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#9  0xf73926ee in _sk_start_pipeline_sse2 () at ../../src/third_party/skia/include/gpu/GrBackendSurface.h:82
#10 0xf7336f9c in operator() (this=0xffff92a4, x=0x0, y=0x0, w=0x9, h=0x18) at ../../src/third_party/skia/src/jumper/SkJumper.cpp:497
#11 0xf7336ed9 in (anonymous namespace)::(anonymous namespace)::__invoke<(lambda at ../../src/third_party/skia/src/jumper/SkJumper.cpp:496:12) &, unsigned int, unsigned int, unsigned int, unsigned int> (__f=..., __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcf0d>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcf0d>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcf0d>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcf0d>) at ../../src/buildtools/third_party/libc++/trunk/include/type_traits:4323
#12 (anonymous namespace)::(anonymous namespace)::__invoke_void_return_wrapper<void>::__call<(lambda at ../../src/third_party/skia/src/jumper/SkJumper.cpp:496:12) &, unsigned int, unsigned int, unsigned int, unsigned int>(class {...} &, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce29>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce36>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce43>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>) (__args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>, __args=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xce50>) at ../../src/buildtools/third_party/libc++/trunk/include/__functional_base:349
#13 0xf7336c33 in (anonymous namespace)::(anonymous namespace)::(anonymous namespace)::__func<(lambda at ../../src/third_party/skia/src/jumper/SkJumper.cpp:496:12), std::__1::allocator<(lambda at ../../src/third_party/skia/src/jumper/SkJumper.cpp:496:12)>, void (unsigned int, unsigned int, unsigned int, unsigned int)>::operator()(<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc19>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc26>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc33>, <unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc40>) (this=0xffff92a0, __arg=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc40>, __arg=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc40>, __arg=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc40>, __arg=<unknown type in /mnt/data/repo/chromium/out/debug_x86/./libskia.so, CU 0x0, DIE 0xcc40>) at ../../src/buildtools/third_party/libc++/trunk/include/functional:1562
#14 0xf7168c0a in (anonymous namespace)::(anonymous namespace)::function<void (unsigned int, unsigned int, unsigned int, unsigned int)>::operator()(unsigned int, unsigned int, unsigned int, unsigned int) const (this=0xffff92a0, __arg=0x18, __arg=0x18, __arg=0x18, __arg=0x18) at ../../src/buildtools/third_party/libc++/trunk/include/functional:1916
#15 0xf7166db3 in SkRasterPipelineBlitter::blitMask (this=0xffff9208, mask=..., clip=...) at ../../src/third_party/skia/src/core/SkRasterPipelineBlitter.cpp:482
#16 0xf6f75932 in SkBlitter::blitMaskRegion (this=0xffff9208, mask=..., clip=...) at ../../src/third_party/skia/src/core/SkBlitter.cpp:323
#17 0xf7011065 in SkDraw::drawDevMask (this=0xffff9fc8, srcM=..., paint=...) at ../../src/third_party/skia/src/core/SkDraw.cpp:865
#18 0xf701247f in SkDraw::drawPath (this=0xffff9fc8, origSrcPath=..., origPaint=..., prePathMatrix=0x50ff8001, pathIsMutable=0x1, drawCoverage=0x0, customBlitter=0x0) at ../../src/third_party/skia/src/core/SkDraw.cpp:1119
#19 0xf6f605a3 in SkDraw::drawPath (this=0xffff9fc8, path=..., paint=..., prePathMatrix=0x0, pathIsMutable=0x1) at ../../src/third_party/skia/src/core/SkDraw.h:56
#20 0xf7010c37 in draw_rect_as_path (orig=..., prePaintRect=..., paint=..., matrix=0x819d03c) at ../../src/third_party/skia/src/core/SkDraw.cpp:733
#21 0xf70102dc in SkDraw::drawRect (this=0xffffafd8, prePaintRect=..., paint=..., paintMatrix=0x0, postPaintRect=0x0) at ../../src/third_party/skia/src/core/SkDraw.cpp:760
#22 0xf6f604ec in SkDraw::drawRect (this=0xffffafd8, rect=..., paint=...) at ../../src/third_party/skia/src/core/SkDraw.h:42
#23 0xf6f5ca44 in SkBitmapDevice::drawRect (this=0x819d010, r=..., paint=...) at ../../src/third_party/skia/src/core/SkBitmapDevice.cpp:195
#24 0xf6fa3135 in SkCanvas::onDrawRect (this=0x81c8410, r=..., paint=...) at ../../src/third_party/skia/src/core/SkCanvas.cpp:2029
#25 0xf6f9f946 in SkCanvas::drawRect (this=0x81c8410, r=..., paint=...) at ../../src/third_party/skia/src/core/SkCanvas.cpp:1710
#26 0xf74045a3 in SkPaintImageFilter::onFilterImage (this=0x81eaf10, source=0x81ebe80, ctx=..., offset=0xffffb870) at ../../src/third_party/skia/src/effects/SkPaintImageFilter.cpp:66
#27 0xf70657ca in SkImageFilter::filterImage (this=0x81eaf10, src=0x81ebe80, context=..., offset=0xffffb870) at ../../src/third_party/skia/src/core/SkImageFilter.cpp:213
#28 0xf6f5dd97 in SkBitmapDevice::drawSpecial (this=0x819e690, src=0x81ebe80, x=0x0, y=0x0, origPaint=..., clipImage=0x0, clipMatrix=...) at ../../src/third_party/skia/src/core/SkBitmapDevice.cpp:421
#29 0xf6f9bf17 in SkCanvas::internalDrawDevice (this=0xffffc3b8, srcDev=0x819eb10, x=0x0, y=0x0, paint=0x81bdd30, clipImage=0x0, clipMatrix=...) at ../../src/third_party/skia/src/core/SkCanvas.cpp:1313
#30 0xf6f99084 in SkCanvas::internalRestore (this=0xffffc3b8) at ../../src/third_party/skia/src/core/SkCanvas.cpp:1201
#31 0xf6facf1b in AutoDrawLooper::~AutoDrawLooper (this=0xffffbd08) at ../../src/third_party/skia/src/core/SkCanvas.cpp:495
#32 0xf6fa542d in SkCanvas::onDrawBitmap (this=0xffffc3b8, bitmap=..., x=0, y=0, paint=0xffffc0f0) at ../../src/third_party/skia/src/core/SkCanvas.cpp:2308
#33 0xf6fa1337 in SkCanvas::drawBitmap (this=0xffffc3b8, bitmap=..., dx=0, dy=0, paint=0xffffc0f0) at ../../src/third_party/skia/src/core/SkCanvas.cpp:1831
#34 0x0804e2ae in (anonymous namespace)::RunTestCase (ipc_filter_message=..., bitmap=..., canvas=0xffffc3b8) at ../../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48
#35 0x0804d948 in (anonymous namespace)::ReadAndRunTestCase (filename=0xffffd745 "./id:000325,sig:06,src:006706,op:ext_AO,pos:368", bitmap=..., canvas=0xffffc3b8) at ../../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#36 0x0804d690 in main (argc=0x2, argv=0xffffd5e4) at ../../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:91
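The debug session above shows SkPixmap::reset receiving an SkImageInfo with fWidth = fHeight = 0xffffff00 and rowBytes = 0xffffff00: the debug-only SkASSERT on validRowBytes fires, while the release build continues into the raster pipeline and reads out of bounds in _sk_lerp_u8_sse2. The following is an added example, not Skia's code, of the kind of geometry check a deserializer should apply before such a description reaches the pipeline; the ImageInfo/ColorType names and the bytes-per-pixel table are assumptions made for illustration.

```cpp
// Added example, not Skia's code: a defensive validator for the pixmap
// geometry (width, height, color type, rowBytes) that the report above
// shows reaching SkPixmap::reset. Names and layout are assumptions.
#include <cstddef>
#include <cstdint>
#include <limits>

enum class ColorType { kUnknown, kAlpha_8, kRGB_565, kRGBA_8888 };

struct ImageInfo {
    int32_t   width;
    int32_t   height;
    ColorType colorType;
};

// Bytes per pixel for the color types modelled here (0 = unknown/invalid).
static size_t bytesPerPixel(ColorType ct) {
    switch (ct) {
        case ColorType::kAlpha_8:   return 1;
        case ColorType::kRGB_565:   return 2;
        case ColorType::kRGBA_8888: return 4;
        default:                    return 0;
    }
}

// True only if a row-by-row pipeline over this description stays inside
// [base, base + height*rowBytes). Rejects negative dimensions (0xffffff00
// read as int32 is -256), a rowBytes too short for one row of pixels, and
// any intermediate product that would overflow size_t.
bool pixmapGeometryIsValid(const ImageInfo& info, size_t rowBytes) {
    if (info.width < 0 || info.height < 0) return false;
    const size_t bpp = bytesPerPixel(info.colorType);
    if (bpp == 0) return false;
    const size_t w = static_cast<size_t>(info.width);
    if (w > std::numeric_limits<size_t>::max() / bpp) return false;  // w*bpp overflows
    if (rowBytes < w * bpp) return false;                             // row too short
    const size_t h = static_cast<size_t>(info.height);
    if (rowBytes != 0 && h > std::numeric_limits<size_t>::max() / rowBytes) return false;
    return true;
}

// Bytes a pipeline may touch for a valid description, 0 if it is rejected.
size_t requiredBytes(const ImageInfo& info, size_t rowBytes) {
    if (!pixmapGeometryIsValid(info, rowBytes)) return 0;
    return static_cast<size_t>(info.height) * rowBytes;
}
```

With the values from the gdb output (width, height and rowBytes all 0xffffff00, kAlpha_8) the check rejects the description before any pixel memory is addressed.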
Jan 18 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5297734180667392.
Jan 20 2018
CF can't repro this. Keeping this as a security bug since I'm not confident in filter_fuzz_stub's ability to repro.
Jan 22 2018
Yeah, it's fixed in asan-linux-release-530818.
Jan 22 2018
Jan 26 2018
Let's not look this gift horse in the mouth? Plenty of other fuzz bugs to investigate...
Feb 8 2018
Feb 12 2018
May 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jan 9 2018
Components: Internals>Skia
Owner: hcm@chromium.org
Status: Assigned (was: Unconfirmed)