
Issue 803363 link


Issue metadata

Status: Duplicate
Merged: issue 786133
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




SEGV on unknown address 0x000000000000

Reported by zhunkib...@gmail.com, Jan 18 2018

Issue description

UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0

Steps to reproduce the problem:
1. Build the latest code of filter_fuzz_stub with the following gn flags:
is_debug = false
is_asan=true
(ninja -C buildir skia:filter_fuzz_stub)
2. Run filter_fuzz_stub with attached file:
./filter_fuzz_stub  poc.fil
[0118/164402.217371:INFO:filter_fuzz_stub.cc(61)] Test case: /home/b/flat/poc.fil
[0118/164402.217798:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21023==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000cf4fc8 bp 0x7ffd8efb35f0 sp 0x7ffd8efb3540 T0)
==21023==The signal is caused by a READ memory access.
==21023==Hint: address points to the zero page.
    #0 0xcf4fc7  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xcf4fc7)
    #1 0xcf5873  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xcf5873)
    #2 0xa30b0e  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xa30b0e)
    #3 0x91d337  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x91d337)
    #4 0x914d59  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x914d59)
    #5 0xd135c1  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xd135c1)
    #6 0x9c1357  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x9c1357)
    #7 0x93610a  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x93610a)
    #8 0x90ccbd  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x90ccbd)
    #9 0x908800  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x908800)
    #10 0x92420b  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x92420b)
    #11 0x918e53  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x918e53)
    #12 0x6221ff  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0x6221ff)
    #13 0x7f13dc4c182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xcf4fc7) 
==21023==ABORTING

What is the expected behavior?

What went wrong?
SEGV on unknown address 0x000000000000

Did this work before? N/A 

Chrome version: 65.0.3307.0  Channel: n/a
OS Version: 16.04
Flash Version:
Attachment: poc.fil (356 bytes)
Components: Internals>Skia
This looks like a duplicate of issue 786133.

I got the following symbolized stack trace using this poc:

[0118/093023.299184:INFO:filter_fuzz_stub.cc(61)] Test case: poc.fil
[0118/093023.300072:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9198==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000df3897 bp 0x7ffdea8c2310 sp 0x7ffdea8c22a0 T0)
==9198==The signal is caused by a READ memory access.
==9198==Hint: address points to the zero page.
    #0 0xdf3896 in xferColor(unsigned int, unsigned int, SkBlendMode) third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37
    #1 0xdf3373 in SkLayerDrawLooper::LayerDrawLooperContext::ApplyInfo(SkPaint*, SkPaint const&, SkLayerDrawLooper::LayerInfo const&) third_party/skia/src/effects/SkLayerDrawLooper.cpp:76:19
    #2 0xdf3ae0 in SkLayerDrawLooper::LayerDrawLooperContext::next(SkCanvas*, SkPaint*) third_party/skia/src/effects/SkLayerDrawLooper.cpp:152:5
    #3 0xb51698 in SkDrawLooper::canComputeFastBounds(SkPaint const&) const third_party/skia/src/core/SkDrawLooper.cpp:22:22
    #4 0xa44b91 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2010:15
    #5 0xa3f49e in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
    #6 0xe08259 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #7 0xae30a6 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:212:40
    #8 0xa56bac in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:424:33
    #9 0xa3985f in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
    #10 0xa35890 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
    #11 0xa3afac in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
    #12 0xa4891e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
    #13 0xa4210b in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
    #14 0x77831c in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #15 0x776ead in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
    #16 0x776966 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
    #17 0x7f87422f72b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37 in xferColor(unsigned int, unsigned int, SkBlendMode)
==9198==ABORTING
Mergedinto: 786133
Status: Duplicate (was: Unconfirmed)
Cc: kjlubick@chromium.org kjlubick@google.com
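A triage helper for reports like the two above, added here as an example; it is not Chromium's, Skia's or the reporter's code. It parses the ASAN header (error kind, faulting address, READ/WRITE, the zero-page hint) and the stack frames of both the unsymbolized trace from the description and the symbolized one from the comment, then classifies the crash the way a sheriff would: a READ of address 0 is a null-pointer dereference, a crash rather than a memory-corruption primitive, which is consistent with the Pri-2 rating. The two report strings are abridged copies of the traces on this page, and the regexes assume the ASAN output format those traces show.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: abridged copy of the unsymbolized report in the description above.
RAW_REPORT = """\
==21023==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000cf4fc8 bp 0x7ffd8efb35f0 sp 0x7ffd8efb3540 T0)
==21023==The signal is caused by a READ memory access.
==21023==Hint: address points to the zero page.
    #0 0xcf4fc7  (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xcf4fc7)
SUMMARY: AddressSanitizer: SEGV (/home/b/chromium/src/out/asan/filter_fuzz_stub+0xcf4fc7)
"""

# Constructed input: abridged copy of the symbolized report from the triage comment above.
SYMBOLIZED_REPORT = """\
==9198==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000df3897 bp 0x7ffdea8c2310 sp 0x7ffdea8c22a0 T0)
==9198==The signal is caused by a READ memory access.
==9198==Hint: address points to the zero page.
    #0 0xdf3896 in xferColor(unsigned int, unsigned int, SkBlendMode) third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37
    #1 0xdf3373 in SkLayerDrawLooper::LayerDrawLooperContext::ApplyInfo(SkPaint*, SkPaint const&, SkLayerDrawLooper::LayerInfo const&) third_party/skia/src/effects/SkLayerDrawLooper.cpp:76:19
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37 in xferColor(unsigned int, unsigned int, SkBlendMode)
"""

# "==<pid>==ERROR: AddressSanitizer: <kind>[ on [unknown ]address 0x...]"
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
# "#<n> 0x<pc> in <function> <file:line:col>"  or, unsymbolized,  "#<n> 0x<pc> (<module>+0x<off>)"
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+(?P<rest>.*\S)")


@dataclass
class Frame:
    index: int
    pc: str
    function: Optional[str]  # None when the frame was not symbolized
    location: str            # file:line:col, or "(module+offset)" when unsymbolized


@dataclass
class Report:
    pid: int
    kind: str
    address: Optional[int]
    access: Optional[str]
    zero_page: bool
    frames: List[Frame]

    @property
    def classification(self) -> str:
        if self.kind != "SEGV":
            return "memory-corruption-candidate"  # heap-buffer-overflow, use-after-free, ...
        if self.zero_page or (self.address is not None and self.address < 0x1000):
            # A fault in the zero page is a null (or null-plus-small-offset) dereference:
            # a crash, not a corruption primitive, hence the lower priority.
            return "null-deref-%s" % (self.access or "unknown").lower()
        return "segv-wild-address"  # arbitrary bad pointer: needs a closer look


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    idx, pc, rest = int(m.group("idx")), m.group("pc"), m.group("rest")
    if rest.startswith("in "):
        # The location is the last token; the signature before it may contain spaces.
        function, _, location = rest[3:].rpartition(" ")
        return Frame(idx, pc, function, location)
    return Frame(idx, pc, None, rest)


def parse_report(text: str) -> Report:
    pid = kind = address = access = None
    zero_page = False
    frames: List[Frame] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        a = ACCESS_RE.search(line)
        if h:
            pid, kind = int(h.group("pid")), h.group("kind")
            address = int(h.group("addr"), 16) if h.group("addr") else None
        elif a:
            access = a.group("access")
        elif "address points to the zero page" in line:
            zero_page = True
        else:
            frame = parse_frame(line)
            if frame:
                frames.append(frame)
    if pid is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return Report(pid, kind, address, access, zero_page, frames)


def summarize(text: str) -> str:
    """One-line triage summary, usable as a bug title or a dedup key."""
    r = parse_report(text)
    if not r.frames:
        where = "no frames"
    elif r.frames[0].function is not None:
        top = r.frames[0]
        where = "%s at %s" % (top.function.split("(")[0] or top.function, top.location)
    else:
        where = "unsymbolized frame %s" % r.frames[0].location
    return "%s [%s] in %s" % (r.kind, r.classification, where)
```

Calling summarize() on the reporter's trace yields an "unsymbolized frame" summary, which is the cue to rerun the stub with ASAN_SYMBOLIZER_PATH pointing at llvm-symbolizer (or to pass the log through compiler-rt's asan_symbolize.py) before filing; on the symbolized trace it yields the function and file:line that a dedup search against issue 786133 would key on.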

Comment 4 by sheriffbot@chromium.org, Apr 27 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
