Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on suspected regression changelists:

use 64bit math to compute is a rect is empty by reed@google.com - https://skia.googlesource.com/skia/+/a766ca9af12e1175cfb01f4b516802da9197ba78

restore intersect methods to use old-style empty-checks on their inputs by reed@google.com - https://skia.googlesource.com/skia/+/d284949b595e2d7c6c6901c5b49e822a02a4d79f

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Inside ReadAlphaThresholdPaintFilter...

  for (size_t i = 0; i < region_size; ++i) {
    SkIRect rect;
    ReadSimple(&rect);
    region.op(rect, SkRegion::kUnion_Op);
  }

If the call to ReadSimple(&rect) fails (i.e. runs out of input), can rect be uninitialized? If so, that could cause this failure.

BTW -- SkRegion has a fuzzed method to flatten/unflatten itself, which may be simpler/more efficient than this loop. See writeToMemory/readFromMemory.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b96fe2c785614148dc61cebe1a9f2df23d456a6f

commit b96fe2c785614148dc61cebe1a9f2df23d456a6f
Author: Vladimir Levin <vmpstr@chromium.org>
Date: Wed Jan 17 20:43:47 2018

oop: Serialize SkRegion using its write/read memory functions.

This patch serializes SkRegion using writeToMemory and readFromMemory
that are provided by SkRegion.

R=enne@chromium.org, reed@chromium.org

Bug:  801789 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
Change-Id: I3c9231e972d7f3934dba41c6f8eeb52a24bd5fe6
Reviewed-on: https://chromium-review.googlesource.com/871039
Reviewed-by: enne <enne@chromium.org>
Commit-Queue: vmpstr <vmpstr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529877}
[modify] https://crrev.com/b96fe2c785614148dc61cebe1a9f2df23d456a6f/cc/paint/paint_op_reader.cc
[modify] https://crrev.com/b96fe2c785614148dc61cebe1a9f2df23d456a6f/cc/paint/paint_op_reader.h
[modify] https://crrev.com/b96fe2c785614148dc61cebe1a9f2df23d456a6f/cc/paint/paint_op_writer.cc
[modify] https://crrev.com/b96fe2c785614148dc61cebe1a9f2df23d456a6f/cc/paint/paint_op_writer.h

ClusterFuzz has detected this issue as fixed in range 529850:529892.

Detailed report: https://clusterfuzz.com/testcase?key=5145940506968064

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  SkIRect::isEmpty
  SkRegion::setRect
  SkRegion::op
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=528689:528701
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=529850:529892

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5145940506968064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5145940506968064 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot