Crash in sw::Renderer::executeTask
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6583038226726912
Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x619000056350
Crash State:
  sw::Renderer::executeTask
  sw::Thread::Thread
  sw::Renderer::initializeThreads
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=539130:539131
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6583038226726912

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Mar 18 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 18 2018
capn, another one for you to take a look at if you don't mind!
Mar 21 2018
We should be validating the index buffer data, so seeing this ASAN crash is not a good sign. I don't see any potential suspects in the revision range though.
Apr 2 2018
Just a heads up, M66 Stable cut is on April 12th, 10 days away. This issue is marked as RB-Stable for 66. Please make sure to address this issue prior to stable cut. Thanks!
Apr 3 2018
Bisecting indicates https://swiftshader-review.googlesource.com/16548 as the culprit. Alexis, could you have a look?
Apr 4 2018
sugoi: Uh oh! This issue still open and hasn't been updated in the last 17 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 6 2018
The following revision refers to this bug:
https://swiftshader.googlesource.com/SwiftShader.git/+/1119ce641315de5b76b71df390444f5810319d19

commit 1119ce641315de5b76b71df390444f5810319d19
Author: Alexis Hetu <sugoi@google.com>
Date: Fri Apr 06 00:44:44 2018

Fixed buffer offset when primitive restart is enabled

The data pointer 'buffer->data()' was being used without the offset applied, which means we were using the wrong part of the index buffer when primitive restart is enabled. 'indices' should already contain the properly offset buffer pointer, so using it directly should work.

Bug chromium:823096
Change-Id: If70634f63d40d8efde9b1336370c1a63b1faa19f
Reviewed-on: https://swiftshader-review.googlesource.com/18268
Reviewed-by: Nicolas Capens <nicolascapens@google.com>
Tested-by: Alexis Hétu <sugoi@google.com>

[modify] https://crrev.com/1119ce641315de5b76b71df390444f5810319d19/src/OpenGL/libGLESv2/IndexDataManager.cpp
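The two points raised in this thread, that the index pointer must carry the buffer offset and that index data should be validated before use, as an added illustration that is not SwiftShader's code. IndexRange, countRestartSegments and the sample buffer are hypothetical and constructed here; the sample bytes assume a little-endian host.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical view of a GL_UNSIGNED_SHORT index buffer (not SwiftShader's types):
// the whole buffer, the byte offset of the index data inside it, and the number
// of indices the draw call asks for.
struct IndexRange {
    const uint8_t *data;  // whole buffer, what the commit message calls buffer->data()
    size_t size;          // buffer size in bytes
    size_t offset;        // byte offset of the first index
    size_t count;         // number of 16-bit indices to read
};

static const uint16_t kRestartIndex16 = 0xFFFF;  // primitive-restart value for 16-bit indices

// Counts the primitive segments delimited by the restart index.
// Returns -1 if the range would read outside the buffer or an index exceeds
// maxVertex. The index pointer is derived from 'offset' once, up front, and every
// later read goes through it, which is the pattern the fix above restored.
int countRestartSegments(const IndexRange &r, uint16_t maxVertex) {
    if (r.data == nullptr || r.offset > r.size ||
        r.count > (r.size - r.offset) / sizeof(uint16_t)) {
        return -1;  // range is not fully inside the buffer
    }
    const uint8_t *indices = r.data + r.offset;  // the correctly offset pointer
    int segments = 0;
    bool open = false;
    for (size_t i = 0; i < r.count; ++i) {
        uint16_t index;
        std::memcpy(&index, indices + i * sizeof(uint16_t), sizeof(index));  // alignment-safe read
        if (index == kRestartIndex16) { open = false; continue; }
        if (index > maxVertex) return -1;  // index data validation
        if (!open) { open = true; ++segments; }
    }
    return segments;
}

// Constructed sample: 4 bytes of unrelated data, then indices 0 1 2 RESTART 3 4 5.
static const uint8_t kSampleBuffer[] = {
    0xAB, 0xAB, 0xAB, 0xAB,
    0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0xFF, 0xFF,
    0x03, 0x00, 0x04, 0x00, 0x05, 0x00,
};

// Index data starts 4 bytes into the buffer; 7 indices follow.
IndexRange sampleRange() {
    IndexRange r = {kSampleBuffer, sizeof(kSampleBuffer), 4, 7};
    return r;
}
```

With the offset applied the sample yields two segments; with offset dropped (the pattern the fix removed) the first "index" read is 0xABAB, which the validation rejects instead of passing on to the renderer.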
Apr 6 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f72d2fbf3925fd13cb67ca453f06eb165081bc85

commit f72d2fbf3925fd13cb67ca453f06eb165081bc85
Author: Alexis Hetu <sugoi@google.com>
Date: Fri Apr 06 13:40:09 2018

Roll SwiftShader f8cdc74..1119ce6

https://swiftshader.googlesource.com/SwiftShader.git/+log/f8cdc74..1119ce6

BUG= chromium:823096
TBR=kbr@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_chromium_cfi_rel_ng;luci.chromium.try:android_optional_gpu_tests_rel
Change-Id: I7606c5a8f2ade19639098c752e7f35e6b7f68330
Reviewed-on: https://chromium-review.googlesource.com/999128
Commit-Queue: Alexis Hétu <sugoi@chromium.org>
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548764}

[modify] https://crrev.com/f72d2fbf3925fd13cb67ca453f06eb165081bc85/DEPS
Apr 6 2018
This should probably be merged to M66, but let's wait for a Canary build to run WebGL conformance tests.
Apr 7 2018
ClusterFuzz has detected this issue as fixed in range 548759:548764.

Detailed report: https://clusterfuzz.com/testcase?key=6583038226726912
Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x619000056350
Crash State:
  sw::Renderer::executeTask
  sw::Thread::Thread
  sw::Renderer::initializeThreads
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=539130:539131
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=548759:548764
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6583038226726912

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 7 2018
ClusterFuzz testcase 6583038226726912 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 9 2018
No apparent issues in Canary. WebGL 1.0.4 conformance the same.
Apr 9 2018
This bug requires manual review: We are only 7 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 10 2018
Approving merge to M66. Branch:3359
Apr 10 2018
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/0a0bbed01d834dbe6fcb56423df2360043368ea4

commit 0a0bbed01d834dbe6fcb56423df2360043368ea4
Author: Nicolas Capens <capn@google.com>
Date: Tue Apr 10 20:45:07 2018
Jul 13
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot