Heap-buffer-overflow in blink::PNGImageDecoder::RowAvailable |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5047240499134464
Fuzzer: libFuzzer_blink_png_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6080000084f5
Crash State:
  blink::PNGImageDecoder::RowAvailable
  cr_png_push_process_row
  cr_png_process_IDAT_data
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=456783:456847
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5047240499134464

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Feb 16 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7d2b8c45afc9c0230410011293cc2e1dbb8943a7 (Add support for Animated PNG). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 20 2018
Uploaded a CL at https://chromium-review.googlesource.com/c/chromium/src/+/927462 The problem is that we assumed the IHDR came immediately after the signature, which is not necessarily the case. So we don't use the properly adjusted IHDR for the frame.
Feb 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c44b213c387dffb50a742ce538b71fa5012a36a0

commit c44b213c387dffb50a742ce538b71fa5012a36a0
Author: Leon Scroggins III <scroggo@google.com>
Date: Thu Feb 22 21:11:09 2018

Track the location of IHDR in PNG

Bug: 813142

The IHDR chunk may not come immediately after the signature, as the old code assumed it did. Keep track of the location of IHDR, and when we repurpose the IHDR for a frame that does not fill the entire image size, edit the IHDR (rather than the analogous bytes at the beginning). In addition, update the parsing code to account for an offset.

Add tests for both the offset case and a chunk that precedes IHDR.

Change-Id: Ib24cd60ee4167b7233fbe7432730637d84fa3338
Reviewed-on: https://chromium-review.googlesource.com/927462
Commit-Queue: Leon Scroggins <scroggo@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538565}

[modify] https://crrev.com/c44b213c387dffb50a742ce538b71fa5012a36a0/third_party/WebKit/Source/platform/image-decoders/ImageDecoder.cpp
[modify] https://crrev.com/c44b213c387dffb50a742ce538b71fa5012a36a0/third_party/WebKit/Source/platform/image-decoders/png/PNGImageDecoderTest.cpp
[modify] https://crrev.com/c44b213c387dffb50a742ce538b71fa5012a36a0/third_party/WebKit/Source/platform/image-decoders/png/PNGImageReader.cpp
[modify] https://crrev.com/c44b213c387dffb50a742ce538b71fa5012a36a0/third_party/WebKit/Source/platform/image-decoders/png/PNGImageReader.h

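To make the fix described in the commit message concrete, here is a small PNG chunk walker, added as an example and not code from Chromium, Blink or the CL above. It constructs two sample files (one with IHDR directly after the signature, one with a tEXt chunk in front of IHDR), locates IHDR by walking chunks rather than assuming it sits at offset 8, and rewrites the located IHDR's dimensions with a recomputed CRC, which is the same idea as editing the real IHDR instead of "the analogous bytes at the beginning". The function names (make_chunk, iter_chunks, find_ihdr, assumed_first_chunk_type, rewrite_ihdr_dimensions) and the sample bytes are assumptions of this example, not anything from the Blink decoder.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(chunk_type, data):
    """Assemble one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def iter_chunks(buf):
    """Yield (offset, chunk_type, data) for every chunk after the signature.

    Bounds and CRC are checked so a malformed file is rejected rather than misread."""
    if not buf.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, chunk_type = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length
        if end > len(buf):
            raise ValueError("truncated chunk %r at offset %d" % (chunk_type, pos))
        data = buf[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", buf[pos + 8 + length:end])
        if zlib.crc32(chunk_type + data) & 0xFFFFFFFF != stored_crc:
            raise ValueError("CRC mismatch in chunk %r at offset %d" % (chunk_type, pos))
        yield pos, chunk_type, data
        pos = end


def find_ihdr(buf):
    """Locate IHDR by walking chunks. Returns (offset, width, height)."""
    for offset, chunk_type, data in iter_chunks(buf):
        if chunk_type == b"IHDR":
            if len(data) != 13:
                raise ValueError("IHDR must be 13 bytes, got %d" % len(data))
            width, height = struct.unpack(">II", data[:8])
            return offset, width, height
    raise ValueError("no IHDR chunk")


def assumed_first_chunk_type(buf):
    """The old assumption: the chunk at offset 8 is IHDR. Returns that chunk's real type."""
    return buf[12:16]


def rewrite_ihdr_dimensions(buf, width, height):
    """Return a copy of buf whose located IHDR carries new width/height with a fresh CRC.

    The edit lands on the real IHDR, wherever it is, not on the bytes at offset 8."""
    offset, _, _ = find_ihdr(buf)
    data = bytearray(buf[offset + 8:offset + 8 + 13])
    data[0:8] = struct.pack(">II", width, height)
    # A full IHDR chunk is 4 (length) + 4 (type) + 13 (data) + 4 (CRC) = 25 bytes.
    return buf[:offset] + make_chunk(b"IHDR", bytes(data)) + buf[offset + 25:]


# Constructed sample files (not real test cases): a 4x2 RGBA header with no pixel data.
IHDR_DATA = struct.pack(">IIBBBBB", 4, 2, 8, 6, 0, 0, 0)
PNG_IHDR_FIRST = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_DATA) + make_chunk(b"IEND", b"")
# Same header, but a 15-byte tEXt chunk (27 bytes with framing) sits before IHDR,
# so IHDR starts at offset 8 + 27 = 35.
PNG_CHUNK_BEFORE_IHDR = (PNG_SIGNATURE
                         + make_chunk(b"tEXt", b"Comment\x00made up")
                         + make_chunk(b"IHDR", IHDR_DATA)
                         + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, png in (("IHDR first", PNG_IHDR_FIRST),
                      ("chunk before IHDR", PNG_CHUNK_BEFORE_IHDR)):
        offset, w, h = find_ihdr(png)
        print("%s: IHDR at offset %d (%dx%d); chunk at offset 8 is %r"
              % (name, offset, w, h, assumed_first_chunk_type(png)))
    patched = rewrite_ihdr_dimensions(PNG_CHUNK_BEFORE_IHDR, 2, 1)
    print("after rewrite:", find_ihdr(patched))
```

On the second sample, assumed_first_chunk_type returns b"tEXt": a decoder that treats offset 8 as IHDR would read the text chunk's bytes as image dimensions, which is exactly the kind of mismatch between the header it patches and the header libpng actually parses that the CL removes by tracking the IHDR offset.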
Feb 23 2018
ClusterFuzz has detected this issue as fixed in range 538543:538565.

Detailed report: https://clusterfuzz.com/testcase?key=5047240499134464
Fuzzer: libFuzzer_blink_png_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6080000084f5
Crash State:
  blink::PNGImageDecoder::RowAvailable
  cr_png_push_process_row
  cr_png_process_IDAT_data
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=456783:456847
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=538543:538565
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5047240499134464

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 23 2018
ClusterFuzz testcase 5047240499134464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ClusterFuzz, Feb 16 2018. Labels: Test-Predator-Auto-Components