null pointer dereference in Sprite_D32_S32A_Xfer::blitRect
Reported by zhunkib...@gmail.com, Jan 29 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Steps to reproduce the problem:
1. Build the latest code of filter_fuzz_stub with the following gn flags:
is_debug = false
(ninja -C buildir skia:filter_fuzz_stub)
2. Run filter_fuzz_stub with attached file:
./filter_fuzz_stub poc
==20325==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000233f71d bp 0x60800000ada0 sp 0x7ffde0cddd60 T0)
#0 0x233f71c in Sprite_D32_S32A_Xfer::blitRect(int, int, int, int) ../../src/core/SkSpriteBlitter_ARGB32.cpp:77
#1 0xd53ac7 in blitrect ../../src/core/SkScan.cpp:25
#2 0xd53ac7 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) ../../src/core/SkScan.cpp:53
#3 0xd54de1 in SkScan::FillIRect(SkIRect const&, SkRasterClip const&, SkBlitter*) ../../src/core/SkScan.cpp:83
#4 0xab19f7 in SkDraw::drawSprite(SkBitmap const&, int, int, SkPaint const&) const ../../src/core/SkDraw.cpp:1325
#5 0x21d10c2 in SkBitmapDevice::drawSprite(SkBitmap const&, int, int, SkPaint const&) ../../src/core/SkBitmapDevice.cpp:353
#6 0x21d905f in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) ../../src/core/SkBitmapDevice.cpp:435
#7 0x9cb9e5 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) ../../src/core/SkCanvas.cpp:1314
#8 0x9cc631 in SkCanvas::internalRestore() ../../src/core/SkCanvas.cpp:1203
#9 0x9dcd0c in AutoDrawLooper::~AutoDrawLooper() ../../src/core/SkCanvas.cpp:495
#10 0x9dcd0c in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) ../../src/core/SkCanvas.cpp:2018
#11 0x9de430 in SkCanvas::drawRect(SkRect const&, SkPaint const&) ../../src/core/SkCanvas.cpp:1710
#12 0x10cb499 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const ../../src/effects/SkPaintImageFilter.cpp:66
#13 0xb2d79e in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const ../../src/core/SkImageFilter.cpp:213
#14 0x21d6896 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) ../../src/core/SkBitmapDevice.cpp:421
#15 0x9cb9e5 in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) ../../src/core/SkCanvas.cpp:1314
#16 0x9cc631 in SkCanvas::internalRestore() ../../src/core/SkCanvas.cpp:1203
#17 0x9cdf8b in AutoDrawLooper::~AutoDrawLooper() ../../src/core/SkCanvas.cpp:495
#18 0x9efcc3 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) ../../src/core/SkCanvas.cpp:2291
#19 0x9e7229 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) ../../src/core/SkCanvas.cpp:1831
#20 0x666afc in fuzz_filter_fuzz ../../fuzz/fuzz.cpp:550
#21 0x6691eb in fuzz_file ../../fuzz/fuzz.cpp:134
#22 0x5cd616 in main ../../fuzz/fuzz.cpp:76
#23 0x7f0a88abc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#24 0x5e9918 in _start (/home/b/skia/out/asan/fuzz+0x5e9918)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../src/core/SkSpriteBlitter_ARGB32.cpp:77 Sprite_D32_S32A_Xfer::blitRect(int, int, int, int)
==20325==ABORTING
What is the expected behavior?
What went wrong?
null pointer dereference
Did this work before? N/A
Chrome version: 65.0.3307.0 Channel: n/a
OS Version: 16.04
Flash Version:
Comment 1 by elawrence@chromium.org, Jan 29 2018
Correct, I think this results in a drawing error vs a security vulnerability. Adjusting flags.