TestRunnerForSpecificView::CapturePixelsCallback() isn't guarding against large allocations
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5036885072936960
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-buffer-overflow WRITE 16
Crash Address: 0x000231023100
Crash State:
  ssse3::RGBA_to_BGRA
  SkConvertPixels
  SkPixmap::readPixels
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=508470:508529
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5036885072936960
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 16 2018
reed: Can you take a look and reassign if appropriate? Thanks.
Apr 23 2018
(security 👮 ping) reed@ -- can you please prioritize this high priority bug? Thanks.
Apr 30 2018
reed: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 14 2018
reed: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 14 2018
probably need the other Mike to look here
May 14 2018
I can reproduce this locally... with this command so I don't forget:
out/Default/Content\ Shell.app/Contents/MacOS/Content\ Shell --single-process --no-sandbox --run-layout-test ~/Downloads/clusterfuzz-testcase-minimized-5036885072936960.html
May 14 2018
I'm not really sure how to fix this, but it doesn't appear to be a problem with Skia. It also doesn't look like a bug in user-facing Chrome code, just in the test harness? TestRunnerForSpecificView::CapturePixelsCallback() is trying to read an image into a blink::WebArrayBuffer(), but as written we're passing blink::WebArrayBuffer::Create(size_t, 1) where both its arguments are actually unsigned. In this case, we call Create(0x100339900, 1), and it's truncated to Create(0x00339900, 1), the 3381504 byte region mentioned in the ASAN logs. It's tempting to try to allocate with something like Create(bufferRowBytes, height) instead, but it really looks like WebArrayBuffer and all its implementation details are fundamentally limited to unsigned, and can't go above 2^32-1.
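The narrowing described in the comment above, shown as an added example that is not code from this bug, from Chromium or from Skia. The function names (TruncateToUnsigned, BytesWrittenOutOfBounds, MulNoOverflow, CheckedImageBytes) are hypothetical stand-ins; the real blink::WebArrayBuffer::Create signature is not reproduced, only the effect of handing a 64-bit size_t byte count to a 32-bit unsigned parameter. The 0x100339900 value is the one quoted in the comment; the 65536 x 16385 image below is a constructed input chosen so that width * height * 4 just exceeds 2^32.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Added illustration of the bug pattern. Names are hypothetical, not Chromium APIs.

// The unguarded pattern: a byte count computed as size_t (width * height * 4 on a
// 64-bit build) is passed to a parameter declared 'unsigned'. The narrowing keeps
// only the low 32 bits, so a request above 4 GiB becomes a small allocation and the
// later pixel copy (SkPixmap::readPixels in the report) runs off the end of it.
unsigned TruncateToUnsigned(uint64_t byte_count) {
  // The original relied on the implicit size_t -> unsigned conversion at the call;
  // the explicit cast here has the same effect.
  return static_cast<unsigned>(byte_count);
}

// Bytes a full-size pixel copy would write past a buffer allocated with the
// truncated length: everything the narrowing dropped.
uint64_t BytesWrittenOutOfBounds(uint64_t requested) {
  return requested - TruncateToUnsigned(requested);
}

// Portable overflow-checked multiply on size_t. (Chromium has base::CheckedNumeric
// for this; it is deliberately not reproduced here.)
static bool MulNoOverflow(size_t a, size_t b, size_t* out) {
  if (a != 0 && b > std::numeric_limits<size_t>::max() / a) return false;
  *out = a * b;
  return true;
}

// Guarded version of the size computation: width * bytes_per_pixel * height with
// overflow checks, plus the check the callback lacked, that the total fits the
// callee's 'unsigned' parameter. Returns false instead of allocating too little;
// *out is only written on success.
bool CheckedImageBytes(size_t width, size_t height, size_t bytes_per_pixel,
                       unsigned* out) {
  size_t row_bytes = 0;
  size_t total = 0;
  if (!MulNoOverflow(width, bytes_per_pixel, &row_bytes)) return false;
  if (!MulNoOverflow(row_bytes, height, &total)) return false;
  if (total > std::numeric_limits<unsigned>::max()) return false;  // would truncate
  *out = static_cast<unsigned>(total);
  return true;
}

int main() {
  const uint64_t requested = 0x100339900ULL;  // value quoted in the bug comment
  std::printf("requested %llu bytes, allocated %u, copy overruns by %llu\n",
              (unsigned long long)requested, TruncateToUnsigned(requested),
              (unsigned long long)BytesWrittenOutOfBounds(requested));

  unsigned bytes = 0;
  // Constructed input: 65536 x 16385 RGBA is 4 GiB + 256 KiB, just past 2^32.
  if (!CheckedImageBytes(65536, 16385, 4, &bytes))
    std::printf("65536x16385x4 rejected: does not fit an unsigned length\n");
  if (CheckedImageBytes(1024, 768, 4, &bytes))
    std::printf("1024x768x4 accepted: %u bytes\n", bytes);
  return 0;
}
```

On a 32-bit build size_t is already 32 bits, so the final range check never fires and MulNoOverflow is what rejects the oversized image; on a 64-bit build both checks matter. Either way the caller gets a refusal rather than a short buffer.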
May 17 2018
ClusterFuzz testcase 5036885072936960 appears to be flaky, updating reproducibility label.
May 17 2018
ClusterFuzz testcase 5036885072936960 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Apr 16 2018
Labels: Test-Predator-Auto-Components