New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 800450 link

Starred by 1 user
Status: Fixed
Owner:
ericrk@chromium.org
Closed: Jan 2018
Cc:
brajkumar@chromium.org
enne@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Null-dereference READ in SkCanvas::getTotalMatrix

Project Member Reported by ClusterFuzz, Jan 9 2018 
Detailed report: https://clusterfuzz.com/testcase?key=4874052736122880

Fuzzer: afl_paint_op_buffer_eq_fuzzer
Job Type: afl_chrome_asan
Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  SkCanvas::getTotalMatrix
  cc::DrawImageOp::Serialize
  cc::PaintOp::Serialize
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4874052736122880

Issue manually filed by: metzman

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 1 by brajkumar@chromium.org, Jan 10 2018

Cc: brajkumar@chromium.org
Components: Blink>Canvas
Labels: Test-Predator-Wrong
Owner: enne@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file, "paint_op_buffer.cc" and observed there was some changes for the below file.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/5b040f683487f9eb386d8b5a8b71ee4ad1266c5e%5E%21/cc/paint/paint_op_buffer.cc

enne@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

Comment 2 by junov@chromium.org, Jan 10 2018

Components: -Blink>Canvas Blink>Paint

Comment 3 by enne@chromium.org, Jan 10 2018

Cc: enne@chromium.org
Labels: -Pri-1 Pri-2
Owner: ericrk@chromium.org
https://chromium-review.googlesource.com/c/chromium/src/+/860871 fixes the canvas null issue, but the image op itself serializes with a null image.  Maybe we need to have a fake image provider?

Comment 4 by schenney@chromium.org, Jan 10 2018

Components: -Blink>Paint Internals>Compositing
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 11 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8738071e484555f67be9c1ea8b04d399e62a4999

commit 8738071e484555f67be9c1ea8b04d399e62a4999
Author: Adrienne Walker <enne@chromium.org>
Date: Thu Jan 11 19:15:13 2018

cc: PaintOp serialization requires a canvas

Fix paint_op_buffer_eq_fuzzer to have this canvas and clarify this
requirement in comments.

Bug:  800450 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Change-Id: Id93bd4b548bb8b50c0b3cd4cd214bbb79aeef264
Reviewed-on: https://chromium-review.googlesource.com/860871
Reviewed-by: Eric Karl <ericrk@chromium.org>
Commit-Queue: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528702}
[modify] https://crrev.com/8738071e484555f67be9c1ea8b04d399e62a4999/cc/paint/paint_op_buffer.cc
[modify] https://crrev.com/8738071e484555f67be9c1ea8b04d399e62a4999/cc/paint/paint_op_buffer.h
[modify] https://crrev.com/8738071e484555f67be9c1ea8b04d399e62a4999/cc/paint/paint_op_buffer_eq_fuzzer.cc

Comment 6 by ericrk@chromium.org, Jan 12 2018

Status: Fixed (was: Assigned)

Sign in to add a comment