
Issue 812519 link


Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security




Negative-size-param in SkPixmap::erase

Reported by ClusterFuzz (Project Member), Feb 15 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5975351608737792

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  SkPixmap::erase
  SkBitmap::erase
  SkBitmap::eraseColor
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=534129:534174

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5975351608737792

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Feb 15 2018

Components: Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Feb 15 2018

Cc: sergeyu@chromium.org robertph...@google.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

[Fuchsia] Copy fonts from the host for layout tests by sergeyu@chromium.org - https://chromium.googlesource.com/chromium/src/+/def62d54c45d5598eea3b4808f8cce07f308e1cd

Disable texture strip atlasing for DDL by robertphillips@google.com - https://skia.googlesource.com/skia/+/7a9263906c677c0fa5636521e3cc58ba60837720

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Comment 3 by sheriffbot@chromium.org (Project Member), Feb 15 2018

Labels: M-66

Comment 4 by hcm@chromium.org, Feb 15 2018

Cc: herb@chromium.org
Comment 5 by sheriffbot@chromium.org (Project Member), Feb 15 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Feb 15 2018

Labels: Pri-1

Comment 7 by herb@chromium.org, Feb 15 2018

Cc: herb@google.com

Comment 8 by herb@chromium.org, Feb 15 2018

Cc: robertphillips@chromium.org

Comment 9 by herb@chromium.org, Feb 15 2018

Cc: kjlubick@chromium.org
Owner: robertphillips@chromium.org
robertphillips: would you mind taking a quick look to see if this was caused by your CL in #2? Thanks.

Labels: Test-Predator-Wrong-CLs
It is not. I have added the Test-Predator-Wrong-CLs label. It is, however, in herb@'s domain and he is looking into it.
Comment 12 by sheriffbot@chromium.org (Project Member), Feb 16 2018

Status: Assigned (was: Untriaged)
Comment 13 by bugdroid1@chromium.org (Project Member), Feb 26 2018

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/78663f9dad1235e47c2fa9cfd1a9dd979d373871

commit 78663f9dad1235e47c2fa9cfd1a9dd979d373871
Author: Herb Derby <herb@google.com>
Date: Mon Feb 26 17:53:48 2018

Fix overflow in number of bytes to erase.

The width and the height were multiplied as int * int.
Now it is int64_t * int64_t.

BUG= chromium:812519 

Change-Id: If60bbdd8ee92748559b2e4f3ab57e4463a8006e8
Reviewed-on: https://skia-review.googlesource.com/109781
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Herb Derby <herb@google.com>

[modify] https://crrev.com/78663f9dad1235e47c2fa9cfd1a9dd979d373871/src/core/SkPixmap.cpp

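The overflow that the fix in Comment 13 describes, as an added example that is neither Skia's code nor the commit's diff: a simplified model of computing the erase byte count as int * int (the pre-fix shape) next to int64_t * int64_t (the post-fix shape), a check that mirrors what ASan's "negative-size-param" report tests on a memset size argument, and a checked variant that refuses out-of-range counts. The function names, the 16384 x 32768 dimensions and the 4-bytes-per-pixel figure are constructed for illustration and are not taken from the reproducer.

```cpp
// Added example (not Skia's code): models the int * int overflow behind this
// bug and the int64_t * int64_t fix. Names and dimensions are constructed.
#include <cstddef>
#include <cstdint>
#include <climits>
#include <cstdio>

// Pre-fix shape: width * height * bytesPerPixel evaluated in int.
// Signed overflow is undefined behaviour in C++, so the wrap is modelled
// deterministically in uint32_t and converted back to int (two's-complement
// wrap on every mainstream compiler, guaranteed by the standard since C++20).
static int bytesToEraseInt(int width, int height, int bytesPerPixel) {
    uint32_t product = static_cast<uint32_t>(width) *
                       static_cast<uint32_t>(height) *
                       static_cast<uint32_t>(bytesPerPixel);
    return static_cast<int>(product);
}

// Post-fix shape: widen each operand to int64_t before multiplying, so a
// 2^31-byte surface no longer wraps to a negative count.
static int64_t bytesToEraseInt64(int width, int height, int bytesPerPixel) {
    return static_cast<int64_t>(width) *
           static_cast<int64_t>(height) *
           static_cast<int64_t>(bytesPerPixel);
}

// What ASan's "negative-size-param" check effectively tests on a memset/memcpy
// size argument: the size, read as a signed pointer-width integer, is negative.
static bool wouldTripNegativeSizeParam(size_t n) {
    return static_cast<ptrdiff_t>(n) < 0;
}

// Hardened variant: reject negative dimensions and counts that do not fit in
// size_t (the latter only reachable on 32-bit targets); the byte count is
// written through the out-parameter only on success.
static bool checkedBytesToErase(int width, int height, int bytesPerPixel, size_t* out) {
    if (width < 0 || height < 0 || bytesPerPixel <= 0 || out == nullptr) {
        return false;
    }
    int64_t n = bytesToEraseInt64(width, height, bytesPerPixel);
    if (static_cast<uint64_t>(n) > static_cast<uint64_t>(SIZE_MAX)) {
        return false;
    }
    *out = static_cast<size_t>(n);
    return true;
}

int main() {
    // Constructed input: a 16384 x 32768 surface at 4 bytes per pixel is
    // exactly 2^31 bytes, one more than a signed 32-bit int can hold.
    const int w = 16384, h = 32768, bpp = 4;

    int wrapped = bytesToEraseInt(w, h, bpp);                // INT_MIN
    size_t asPassedToMemset = static_cast<size_t>(wrapped);  // sign-extended
    std::printf("int*int:  %d -> memset size %zu, negative-size-param=%d\n",
                wrapped, asPassedToMemset,
                static_cast<int>(wouldTripNegativeSizeParam(asPassedToMemset)));

    std::printf("int64:    %lld bytes\n",
                static_cast<long long>(bytesToEraseInt64(w, h, bpp)));

    size_t n = 0;
    bool ok = checkedBytesToErase(w, h, bpp, &n);
    std::printf("checked:  ok=%d n=%zu\n", static_cast<int>(ok), n);
    return 0;
}
```

Nothing here calls memset, so the program runs cleanly even under ASan; handing `asPassedToMemset` to a real `memset` in an ASan build is what produces the "Negative-size-param" report in the crash state above, because the interceptor rejects a size whose sign bit is set before touching memory. The model fixes the wrap in unsigned arithmetic on purpose: with genuine int * int the overflow is undefined behaviour, and an optimizing compiler is free to do something other than wrap, which is one more reason the fix widens the operands rather than testing the product after the fact.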
Comment 14 by bugdroid1@chromium.org (Project Member), Feb 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/14e6f2c9505e44b178460d38ce0a365734fb4432

commit 14e6f2c9505e44b178460d38ce0a365734fb4432
Author: skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Tue Feb 27 00:22:44 2018

Roll src/third_party/skia/ 84d823a5e..9d57afd93 (14 commits)

https://skia.googlesource.com/skia.git/+log/84d823a5e2a0..9d57afd93e70

$ git log 84d823a5e..9d57afd93 --date=short --no-merges --format='%ad %ae %s'
2018-02-26 robertphillips Clean up GrDrawOpAtlas
2018-02-26 benjaminwagner Omit test causing Chromecast to OOM.
2018-02-26 jvanverth Add some additional checks for shadow generation
2018-02-26 rmistry Skip failing pageset from key_mobile_sites_smooth
2018-02-26 mtklein align f16 buffers in SkRasterPipeline_tail test
2018-02-26 egdaniel Revert "Revert "Fixes to alignment issues with regards to mapped vulkan memory.""
2018-02-26 angle-skia-autoroll Roll skia/third_party/externals/angle2/ 3582c0e2c..b52fac03f (4 commits)
2018-02-26 reed use SkIRect makeOffset to avoid overflows
2018-02-26 mtklein fix mask address calculation
2018-02-26 skcms-skia-autoroll Roll skia/third_party/externals/skcms/ 0d1aefed6..e496333d5 (3 commits)
2018-02-23 herb Fix overflow in number of bytes to erase.
2018-02-26 borenet Fix builder_name_schema for Upload tasks
2018-02-26 olegmax Fix assert format string in GrContext_colorTypeSupportedAsImage test.
2018-02-26 robertphillips Revert "Revert "Separate creation time & flush time behavior in GrDrawOpAtlas (take 2)""

Created with:
  roll-dep src/third_party/skia
BUG= 812519 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
TBR=benjaminwagner@chromium.org

Change-Id: I351edccce76f73dd33b0e5364f0f33129e8e620f
Reviewed-on: https://chromium-review.googlesource.com/938283
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#539339}
[modify] https://crrev.com/14e6f2c9505e44b178460d38ce0a365734fb4432/DEPS

Comment 15 by ClusterFuzz (Project Member), Feb 27 2018

ClusterFuzz has detected this issue as fixed in range 539328:539361.

Detailed report: https://clusterfuzz.com/testcase?key=5975351608737792

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  SkPixmap::erase
  SkBitmap::erase
  SkBitmap::eraseColor
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=534129:534174
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=539328:539361

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5975351608737792

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 16 by ClusterFuzz (Project Member), Feb 27 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5975351608737792 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 17 by sheriffbot@chromium.org (Project Member), Feb 27 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 18 by bugdroid1@chromium.org (Project Member), Mar 16 2018

Labels: merge-merged-m65
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/8a3e0b31927ae78bc3e9c342b1290a6a64233674

commit 8a3e0b31927ae78bc3e9c342b1290a6a64233674
Author: Herb Derby <herb@google.com>
Date: Fri Mar 16 14:14:40 2018

Fix overflow in number of bytes to erase.

The width and the height were multiplied as int * int.
Now it is int64_t * int64_t.

BUG= chromium:812519 

Change-Id: If60bbdd8ee92748559b2e4f3ab57e4463a8006e8
Reviewed-on: https://skia-review.googlesource.com/109781
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Herb Derby <herb@google.com>
(cherry picked from commit 78663f9dad1235e47c2fa9cfd1a9dd979d373871)
Reviewed-on: https://skia-review.googlesource.com/113780
Reviewed-by: Hal Canary <halcanary@google.com>

[modify] https://crrev.com/8a3e0b31927ae78bc3e9c342b1290a6a64233674/src/core/SkPixmap.cpp

Comment 19 by sheriffbot@chromium.org (Project Member), Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Stable
Comment 21 by sheriffbot@chromium.org (Project Member), Jun 5 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
