
Issue 809200 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Out-of-memory in paint_op_buffer_fuzzer

Reported by ClusterFuzz (Project Member), Feb 5 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6438641510121472

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  paint_op_buffer_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=529162:529167

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6438641510121472

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Cc: brajkumar@chromium.org
Components: Internals
Labels: -Pri-1 -Type-Bug M-66 Test-Predator-Wrong Pri-2 Type-Bug-Regression
Owner: weili@chromium.org
Status: Assigned (was: Untriaged)
Predator could not provide any possible suspects.

From the below CL, observing some changes related to paint op buffer, hence suspecting the same:
https://chromium.googlesource.com/chromium/src/+log/3231a20b259dccb81598910a8bfa7b5dee787a9a..2eb1fe55d1eae8c706dd0611561e4f1ccea609fd?pretty=fuller&n=10000

Suspect CL: https://chromium.googlesource.com/chromium/src/+/2a9bfe4538e4b99f6adbf5b22ff65c15da6399ce

weili@ -- Could you please check whether this is caused by your change? If not, please help us in assigning it to the right owner.

Thanks!
Comment 2 by bugdroid1@chromium.org (Project Member), Mar 9 2018

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba

commit dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba
Author: Wei Li <weili@chromium.org>
Date: Fri Mar 09 00:27:51 2018

Harden size check during textblob deserialization

Check the text size read from a buffer should not exceed the size of
the input buffer. This is to avoid memory allocation errors such as
out of memory.

BUG= chromium:809200 

Change-Id: I47824f6e8122bd550ee97ac83e2251b7725865e7
Reviewed-on: https://skia-review.googlesource.com/113289
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Florin Malita <fmalita@chromium.org>

[modify] https://crrev.com/dc0b12ec7a2de9ae4836f90c66b4f8ff3558f0ba/src/core/SkTextBlob.cpp
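The fix described in the commit above bounds a size field read from untrusted input by the bytes the input buffer can still supply, before that size is used for an allocation. The following is an added example, not Skia's SkTextBlob code: it uses a constructed toy wire format (assumed for illustration, not Skia's real layout) to show the same check in a small C++ deserializer, plus a helper that builds the kind of corrupted input a fuzzer finds, where a tiny blob claims a text size of 0xFFFFFFFF.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed toy wire format, assumed for this example (not Skia's real layout):
//   uint32 glyphCount | uint32 textSize | glyphCount x uint16 glyph IDs | textSize bytes of text
// Integers are in host byte order (memcpy), which is also an assumption of this example.
struct TextRun {
    std::vector<uint16_t> glyphs;
    std::string text;
};

// Bounded cursor over an untrusted byte buffer: every read is checked against remaining().
class BufferReader {
public:
    BufferReader(const uint8_t* data, size_t size) : data_(data), size_(size) {}
    size_t remaining() const { return size_ - pos_; }
    bool readU32(uint32_t* out) { return readBytes(out, sizeof(uint32_t)); }
    bool readBytes(void* dst, size_t n) {
        if (n > remaining()) return false;  // never reads past the end of the input
        std::memcpy(dst, data_ + pos_, n);
        pos_ += n;
        return true;
    }
private:
    const uint8_t* data_;
    size_t size_;
    size_t pos_ = 0;
};

std::vector<uint8_t> serializeTextRun(const TextRun& run) {
    std::vector<uint8_t> out;
    auto putU32 = [&out](uint32_t v) {
        uint8_t b[4];
        std::memcpy(b, &v, 4);
        out.insert(out.end(), b, b + 4);
    };
    putU32(static_cast<uint32_t>(run.glyphs.size()));
    putU32(static_cast<uint32_t>(run.text.size()));
    for (uint16_t g : run.glyphs) {
        uint8_t b[2];
        std::memcpy(b, &g, 2);
        out.insert(out.end(), b, b + 2);
    }
    out.insert(out.end(), run.text.begin(), run.text.end());
    return out;
}

// Hardened deserializer: counts and sizes read from the buffer are bounded by the
// bytes the buffer can still supply *before* they are used to size an allocation.
bool deserializeTextRun(const uint8_t* data, size_t size, TextRun* out) {
    BufferReader reader(data, size);
    uint32_t glyphCount = 0, textSize = 0;
    if (!reader.readU32(&glyphCount) || !reader.readU32(&textSize)) return false;

    // Divide instead of multiply so the check itself cannot overflow.
    if (glyphCount > reader.remaining() / sizeof(uint16_t)) return false;
    size_t glyphBytes = static_cast<size_t>(glyphCount) * sizeof(uint16_t);
    // Without this line a tiny input claiming textSize = 0xFFFFFFFF makes
    // text.resize() request ~4 GB: the out-of-memory the fuzzer reported.
    if (textSize > reader.remaining() - glyphBytes) return false;

    out->glyphs.resize(glyphCount);
    if (glyphBytes && !reader.readBytes(out->glyphs.data(), glyphBytes)) return false;
    out->text.resize(textSize);
    if (textSize && !reader.readBytes(&out->text[0], textSize)) return false;
    return true;
}

// Builds the kind of input a fuzzer finds: a well-formed blob whose textSize field
// (bytes 4..7 in this toy format) is overwritten with an attacker-chosen value.
std::vector<uint8_t> corruptTextSize(std::vector<uint8_t> blob, uint32_t claimed) {
    std::memcpy(blob.data() + 4, &claimed, sizeof(claimed));
    return blob;
}

int main() {
    TextRun run;
    run.glyphs = {0x41, 0x42};
    run.text = "AB";
    std::vector<uint8_t> good = serializeTextRun(run);
    std::vector<uint8_t> bad = corruptTextSize(good, 0xFFFFFFFFu);
    TextRun parsed;
    std::printf("good: %s\n", deserializeTextRun(good.data(), good.size(), &parsed) ? "accepted" : "rejected");
    std::printf("bad:  %s\n", deserializeTextRun(bad.data(), bad.size(), &parsed) ? "accepted" : "rejected");
    return 0;
}
```

The check is deliberately placed between reading the size field and the `resize()` call: an allocation driven by an attacker-controlled 32-bit value has to be refused before it happens, since a sanitizer-instrumented fuzz target (and a renderer) will hit the memory limit long before `readBytes` would notice the buffer is short.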

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/32423c4c8bd5ae91c942a170abee4047b601b30b

commit 32423c4c8bd5ae91c942a170abee4047b601b30b
Author: skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri Mar 09 02:56:48 2018

Roll src/third_party/skia/ 4997e14c8..dc0b12ec7 (13 commits)

https://skia.googlesource.com/skia.git/+log/4997e14c80f1..dc0b12ec7a2d

$ git log 4997e14c8..dc0b12ec7 --date=short --no-merges --format='%ad %ae %s'
2018-03-08 weili Harden size check during textblob deserialization
2018-03-08 angle-skia-autoroll Roll skia/third_party/externals/angle2/ 5164b797c..80964f97e (6 commits)
2018-03-08 reed Change behavior of custom image serial/deserial
2018-03-08 egdaniel Add ability to uninstantiate lazy proxies after every flush.
2018-03-08 brianosman Fill in some missing virtuals from canvas subclasses
2018-03-08 robertphillips Split GrDDL- & GrDirect- Contexts into their own files
2018-03-08 reed tighten check when we might overflow legacy shader math
2018-03-08 liyuqian Use clippedIR instead of clipBounds to filter coverage deltas
2018-03-06 benjaminwagner Upgrade IntelIris540 Win10 GPU driver, take 2.
2018-03-05 pirama Re-enable PGO for Skia
2018-03-08 robertphillips Fix preAbandonContext bot
2018-03-08 csmartdalton Revert "ccpr: Draw curves in a single pass"
2018-03-08 csmartdalton Revert "ccpr: Simplify triangle corners"

Created with:
  roll-dep src/third_party/skia
BUG= 809200 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=fmalita@chromium.org

Change-Id: I9eaaf639d3a8850ef6dec1c62a067569b8b49f74
Reviewed-on: https://chromium-review.googlesource.com/956612
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#542007}
[modify] https://crrev.com/32423c4c8bd5ae91c942a170abee4047b601b30b/DEPS

Comment 4 by ClusterFuzz (Project Member), Mar 9 2018

ClusterFuzz has detected this issue as fixed in range 542006:542007.

Detailed report: https://clusterfuzz.com/testcase?key=6438641510121472

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  paint_op_buffer_fuzzer
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=529162:529167
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=542006:542007

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6438641510121472

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Mar 9 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6438641510121472 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
