NULL Deref in Sprite_D32_S32A_Xfer::blitRect in filter_fuzz_stub
Issue description
This was found by AFL and MSAN using a corpus built by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).
REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_msan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true
2. Run it on the attached testcase (ffs-blitRect):
$ ./out/skmsan/filter_fuzz_stub ffs-blitRect
[0109/100522.517356:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-blitRect
[0109/100522.573591:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
MemorySanitizer:DEADLYSIGNAL
==70625==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000130870e bp 0x7fff2726e3e0 sp 0x7fff2726e330 T70625)
==70625==The signal is caused by a READ memory access.
==70625==Hint: address points to the zero page.
#0 0x130870d in Sprite_D32_S32A_Xfer::blitRect(int, int, int, int) third_party/skia/src/core/SkSpriteBlitter_ARGB32.cpp
#1 0xbf73f4 in blitrect third_party/skia/src/core/SkScan.cpp:25:14
#2 0xbf73f4 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan.cpp:36
#3 0xa4f344 in SkDraw::drawSprite(SkBitmap const&, int, int, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1326:13
#4 0x114d14f in SkBitmapDevice::drawSprite(SkBitmap const&, int, int, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:353:18
#5 0x11502e5 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:435:19
#6 0x9a0960 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
#7 0x999178 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
#8 0x9bc059 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:495:22
#9 0x9bc059 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2025
#10 0x9adad1 in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
#11 0x1425c64 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
#12 0xa720ca in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
#13 0x114f067 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
#14 0x9a0960 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
#15 0x999178 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
#16 0x9c81ed in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:495:22
#17 0x9c81ed in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308
#18 0x9b40fa in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
#19 0x49600e in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
#20 0x49600e in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
#21 0x49600e in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
#22 0x7f41ca991f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#23 0x4243c9 in _start (/usr/local/google/home/metzman/chromium1/src/out/skmsan/filter_fuzz_stub+0x4243c9)
MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: SEGV third_party/skia/src/core/SkSpriteBlitter_ARGB32.cpp in Sprite_D32_S32A_Xfer::blitRect(int, int, int, int)
==70625==ABORTING
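The sanitizer output above is what ClusterFuzz reduces to the Crash Type, Crash Address and three-frame Crash State fields in its comment below. The following Python triage script is an added example, not ClusterFuzz's or Skia's code: it parses the MSAN report from this reproduction (copied inline, trimmed to the lines it uses) and derives those fields. Two rules are this example's own simplifications rather than ClusterFuzz's exact logic: sanitizer-runtime and libc frames are dropped, and inlined callees, which the symbolizer prints as extra frames sharing the pc of the real call site (frames #1 and #2 above), are collapsed to one frame per pc. A second, constructed AddressSanitizer report with hypothetical target::* function names shows the same parser on a heap overflow whose top frame is an interceptor.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# MSAN output copied from the reproduction above, trimmed to the lines used here.
SAMPLE_REPORT = """\
==70625==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000130870e bp 0x7fff2726e3e0 sp 0x7fff2726e330 T70625)
==70625==The signal is caused by a READ memory access.
==70625==Hint: address points to the zero page.
#0 0x130870d in Sprite_D32_S32A_Xfer::blitRect(int, int, int, int) third_party/skia/src/core/SkSpriteBlitter_ARGB32.cpp
#1 0xbf73f4 in blitrect third_party/skia/src/core/SkScan.cpp:25:14
#2 0xbf73f4 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan.cpp:36
#3 0xa4f344 in SkDraw::drawSprite(SkBitmap const&, int, int, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1326:13
"""

# Constructed ASan report (not from this bug; target::* names are hypothetical).
# Its top frame is a sanitizer interceptor and must not enter the crash state.
CONSTRUCTED_ASAN = """\
==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4a1b2c bp 0x7ffd sp 0x7ffc
READ of size 4 at 0x602000000014 thread T0
    #0 0x4a1b2b in __interceptor_memcpy sanitizer_common_interceptors.inc:790
    #1 0x4b0000 in target::parse_header(unsigned char const*, unsigned long) parse.cpp:42:5
    #2 0x4c0000 in target::parse(unsigned char const*, unsigned long) parse.cpp:80:9
    #3 0x4d0000 in main fuzz.cpp:10:3

allocated by thread T0 here:
    #0 0x4a0000 in operator new(unsigned long) asan_new_delete.cc:92
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: (?P<tool>\w+Sanitizer): (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#\d+ (?P<pc>0x[0-9a-fA-F]+) in (?P<func>.+?)(?: \S+)?$")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
# Sanitizer-runtime and libc frames that do not belong to the target (example's own list).
IGNORE_FUNC_RE = re.compile(r"^(__asan_|__msan_|__ubsan_|__sanitizer|__interceptor_|__libc_start_main$|_start$)")

@dataclass
class CrashReport:
    tool: str = ""
    kind: str = ""                 # SEGV, heap-buffer-overflow, ...
    address: Optional[int] = None
    access: Optional[str] = None   # READ or WRITE
    zero_page: bool = False
    frames: List[Tuple[int, str]] = field(default_factory=list)  # (pc, function)

def strip_args(func: str) -> str:
    # "SkDraw::drawSprite(SkBitmap const&, int) const" -> "SkDraw::drawSprite"
    return func.split("(", 1)[0].strip()

def parse_report(text: str) -> CrashReport:
    rep = CrashReport()
    for line in text.splitlines():
        if not line.strip():
            if rep.frames:     # the first blank line ends the crashing stack
                break
            continue
        m = ERROR_RE.match(line)
        if m and not rep.kind:
            rep.tool, rep.kind, rep.address = m.group("tool"), m.group("kind"), int(m.group("addr"), 16)
        elif rep.access is None and ("memory access" in line or " of size " in line):
            a = ACCESS_RE.search(line)
            rep.access = a.group(1) if a else None
        elif "address points to the zero page" in line:
            rep.zero_page = True
        elif (f := FRAME_RE.match(line)):
            rep.frames.append((int(f.group("pc"), 16), strip_args(f.group("func"))))
    return rep

def crash_type(rep: CrashReport) -> str:
    access = rep.access or ""
    if rep.kind == "SEGV":
        # A bare SEGV is only a NULL dereference when the faulting address lies in
        # the first page, which is what the sanitizer's zero-page hint records.
        null = rep.zero_page or (rep.address is not None and rep.address < 0x1000)
        return f"{'Null-dereference' if null else 'UNKNOWN'} {access}".strip()
    return f"{rep.kind.capitalize()} {access}".strip()

def crash_state(rep: CrashReport, depth: int = 3) -> str:
    # Inlined callees share the pc of the real call site; keeping only the
    # outermost frame per pc makes the state stable across builds that inline
    # differently (example's own rule, not ClusterFuzz's exact one).
    collapsed: List[Tuple[int, str]] = []
    for pc, func in rep.frames:
        if IGNORE_FUNC_RE.match(func):
            continue
        if collapsed and collapsed[-1][0] == pc:
            collapsed[-1] = (pc, func)    # outer frame of an inlined pair wins
        else:
            collapsed.append((pc, func))
    return " ".join(func for _, func in collapsed[:depth])

def triage(text: str) -> Dict[str, Optional[str]]:
    rep = parse_report(text)
    addr = None if rep.address is None else f"0x{rep.address:012x}"
    return {"sanitizer": rep.tool, "crash_type": crash_type(rep),
            "crash_address": addr, "crash_state": crash_state(rep)}
```

Running `triage(SAMPLE_REPORT)` yields the same Null-dereference READ at 0x000000000000 with state Sprite_D32_S32A_Xfer::blitRect / SkScan::FillIRect / SkDraw::drawSprite that ClusterFuzz reported for this testcase; the per-pc collapse is what drops the inlined `blitrect` helper from the state. The zero-page check is the part worth keeping in any local triage: MSAN labels this crash only as SEGV, and without the hint a fault at a low address is indistinguishable from a wild read.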
Comment 1 by ClusterFuzz, Jan 9 2018

Detailed report: https://clusterfuzz.com/testcase?key=4606081539244032
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  Sprite_D32_S32A_Xfer::blitRect
  SkScan::FillIRect
  SkDraw::drawSprite
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522280:522310
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4606081539244032
See https://github.com/google/clusterfuzz-tools for more information.
Comment 2 by ClusterFuzz, Jan 20 2018

ClusterFuzz has detected this issue as fixed in range 530569:530573.
Detailed report: https://clusterfuzz.com/testcase?key=4606081539244032
Job Type: linux_msan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  Sprite_D32_S32A_Xfer::blitRect
  SkScan::FillIRect
  SkDraw::drawSprite
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522280:522310
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=530569:530573
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4606081539244032
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by ClusterFuzz, Jan 20 2018

ClusterFuzz testcase 4606081539244032 is verified as fixed, so closing issue as verified.
If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 22 2018