
Issue 844457


Issue metadata

Status: Verified
Owner:
Closed: May 19
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug-Security




Security: Chrome/Skia: Heap overflow in SkScan::FillPath due to precision error.

Project Member Reported by ifratric@google.com, May 18

Issue description

***Please note: This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.***

With any fix, please give credit for identifying the vulnerability to Ivan Fratric of Google Project Zero.


There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in Chrome by rendering a specially crafted SVG image. A Chrome test sample is attached. It crashes Chrome 66.0.3359.181 on my Linux workstation after a couple of refreshes. The corresponding ClusterFuzz testcase is
https://clusterfuzz.com/v2/testcase-detail/6449017148669952


Details:

When Skia fills a path with antialiasing turned off, SkScan::FillPath gets called
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609

SkScan::FillPath first checks that the path fits in the current drawing area (Clip). This happens in
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645

If the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorithm is going to end up drawing outside of the current drawing area, which results in a heap overflow.

In this case, the precision error happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430
when calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.

The (too small) value of fCDx then gets added to the X coordinate here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471

it then gets propagated here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492

and here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116

where fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative. When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267
then the resulting value gets rounded
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249
and becomes -1, which leads to an out-of-bounds write.

Example Skia program that demonstrates the issue:
Note: it should be built with ASan enabled.
=================================================

#include "SkCanvas.h"
#include "SkPath.h"
#include "SkBitmap.h"
#include "SkGradientShader.h"

int main (int argc, char * const argv[]) {

  int width = 100;
  int height = 100;

  // Raster target: a 100x100 N32 bitmap, so the clip is [0,100) x [0,100).
  SkBitmap bitmap;
  bitmap.allocN32Pixels(width, height);
  SkCanvas bitmapcanvas(bitmap);
  SkCanvas *canvas = &bitmapcanvas;

  SkPaint p;

  // Antialiasing off routes the fill through SkScan::FillPath.
  p.setAntiAlias(false);

  p.setStyle(SkPaint::kFill_Style);

  // A shader paint makes SkARGB32_Shader_Blitter::blitH write each span into
  // a heap-allocated buffer, which is where ASan reports the overflow below.
  SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};
  SkPoint points[2] = {
     SkPoint::Make(0.0f, 0.0f),
     SkPoint::Make(256.0f, 256.0f)
  };
  p.setShader(SkGradientShader::MakeLinear(
             points, colors, nullptr, 2,
             SkShader::kClamp_TileMode, 0, nullptr));

  // Path with a cubic whose control points sit just left of x = 0 and above
  // y = 0, inside the conservative clip check but close enough that the
  // fixed-point error pushes the walked X to -1. Note that -31/64 is integer
  // division (0) while -31/64.0 is -0.484375; the values are left exactly as
  // in the repro.
  SkPath path;
  path.moveTo(-30/64.0, -31/64.0);
  path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);
  path.lineTo(100,100);
  path.lineTo(100,-31/64.0);

  canvas->drawPath(path, p);

  return 0; 
}

=================================================

Running this results in the following UBSan error:
../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1
SUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in 

If the program is compiled without undefined-behavior checks, then running it generates the following ASan report

=================================================================
==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8
WRITE of size 4 at 0x6140000021d0 thread T0
    #0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18
    #1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45
    #2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13
    #3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209
    #4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181
    #5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25
    #6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30
    #7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9
    #8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9
    #9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9
    #10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9
    #11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
    #12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
    #13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
    #14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
    #15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
    #16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
    #17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)

0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)
allocated by thread T0 here:
    #0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)
    #1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13
    #2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12
    #3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336
    #4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30
    #5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34
    #6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20
    #7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34
    #8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
    #9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
    #10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
    #11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
    #12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
    #13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
    #14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)
Shadow bytes around the buggy address:
  0x0c287fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8430: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c287fff8440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18863==ABORTING


 
Attachment: test_chrome.html (619 bytes)
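The report above traces the overflow to fixed-point arithmetic: a coefficient that comes out slightly too small after a right shift, an X coordinate that lands at exactly -0.5, and a rounding step that turns it into -1 once a negative step is added. The C++ below is an added example written for this page, not code from the report or from Skia. It models that arithmetic with a 16.16 type and assumed helper names (Fixed, scaleByShift, scaleByDivide, roundToInt, walkEdge, unclippedOutOfBoundsRows, clipSpan, clipped) and ends with the kind of blit-time span clamp that would turn such a value into a dropped or shortened span rather than an out-of-bounds write. The edge values it walks are constructed to match the numbers in the report, not taken from the attached testcase.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// 16.16 fixed point with the same layout as Skia's SkFixed (an assumption of
// this example; the type and helper names below are not Skia's).
typedef int32_t Fixed;
static const int   kFixedShift = 16;
static const Fixed kFixedHalf  = 1 << 15;   // 0.5; -kFixedHalf is the -2**15 from the report

// SkCubicEdge scales its coefficients with right shifts. On a negative value an
// arithmetic shift rounds towards -infinity, so the result can be one LSB
// smaller than a truncating division of the same value: this is the direction
// of error the report describes for fCDx.
Fixed scaleByShift(Fixed v, int shift)  { return v >> shift; }        // floor
Fixed scaleByDivide(Fixed v, int shift) { return v / (1 << shift); }  // toward zero

// Round to the nearest pixel the way a fixed-point rasterizer does: add one
// half, keep the integer part. Exactly -0.5 still rounds to 0; anything below
// it rounds to -1.
int roundToInt(Fixed x) { return (x + kFixedHalf) >> kFixedShift; }

// Walk `rows` scanlines of one edge that starts at fX and steps by fDX per row,
// returning the rounded left X of each row (what an edge walker hands the blitter).
std::vector<int> walkEdge(Fixed fX, Fixed fDX, int rows) {
    std::vector<int> xs;
    for (int i = 0; i < rows; ++i) {
        xs.push_back(roundToInt(fX));
        fX += fDX;
    }
    return xs;
}

// Rows whose left X would land outside [0, clipWidth) if the blitter trusted
// the walker without a check of its own: each one is a write past the row buffer.
int unclippedOutOfBoundsRows(Fixed fX, Fixed fDX, int rows, int clipWidth) {
    int bad = 0;
    for (int x : walkEdge(fX, fDX, rows)) {
        if (x < 0 || x >= clipWidth) ++bad;
    }
    return bad;
}

struct Span { int x; int width; };

// Blit-time guard modelled on the clip assertion quoted later in this thread
// (fClipRect.contains(...)): clamp the span to [clipLeft, clipRight) and report
// whether anything remains. With this in the write path, a bad X from upstream
// arithmetic degrades to a dropped or shortened span instead of a heap overflow.
bool clipSpan(Span* s, int clipLeft, int clipRight) {
    int left  = s->x > clipLeft ? s->x : clipLeft;
    int end   = s->x + s->width;
    int right = end < clipRight ? end : clipRight;
    if (left >= right) { s->width = 0; return false; }
    s->x = left;
    s->width = right - left;
    return true;
}

// Convenience wrapper returning the clamped span (width 0 when nothing is drawn).
Span clipped(int x, int width, int clipLeft, int clipRight) {
    Span s = { x, width };
    clipSpan(&s, clipLeft, clipRight);
    return s;
}

int main() {
    printf("-3 >> 1 = %d, -3 / 2 = %d\n", scaleByShift(-3, 1), scaleByDivide(-3, 1));
    printf("round(-0.5) = %d, round(-0.5 - 1 LSB) = %d\n",
           roundToInt(-kFixedHalf), roundToInt(-kFixedHalf - 1));
    // Constructed edge: X starts at exactly -0.5 and steps by a negative LSB, as in the report.
    for (int x : walkEdge(-kFixedHalf, -1, 3)) printf("row x = %d\n", x);
    printf("rows out of bounds if unchecked: %d\n",
           unclippedOutOfBoundsRows(-kFixedHalf, -1, 3, 100));
    Span s = clipped(-1, 5, 0, 100);
    printf("span starting at -1, width 5, clipped to [0,100): x=%d width=%d\n", s.x, s.width);
    return 0;
}
```

Build with any C++11 compiler (for example `g++ -std=c++11`); no Skia checkout is needed. The fix that landed for this bug (the commit further down the thread) adjusted the conservative bounds value in SkScan_Path.cpp rather than adding a per-span clamp; the clamp here is the defense-in-depth layer the quoted SkBlitter assertion checks for in debug builds.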
Project Member

Comment 1 by ClusterFuzz, May 18

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://clusterfuzz.com/testcase?key=6449017148669952

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x619000040080
Crash State:
  avx::memset32
  SkLinearGradient::LinearGradient4fContext::shadeSpan
  SkARGB32_Shader_Blitter::blitH
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6449017148669952

See https://github.com/google/clusterfuzz-tools for more information.
Cc: kjlubick@chromium.org
Labels: Pri-1
Owner: reed@chromium.org
Status: Assigned (was: Unconfirmed)
This is coming from Project Zero (so bound by disclosure deadline)
Cc: reed@google.com
Components: Internals>Skia
Owner: reed@google.com
Labels: Security_Severity-High Security_Impact-Stable OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
I can verify this reproduces at ToT.  If one applies the attached diff and runs

out/ASAN_ONLY/fuzz -t api -n RasterN32Canvas

the heap buffer overflow shows its head.

I'm going to look into why our own canvas fuzzer did not discover this test case (or a similar one) before the project zero team did.
Attachment: repro-patch (1.3 KB)
Project Member

Comment 7 by bugdroid1@chromium.org, May 18

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/861b52ea98d703786ce485389db07e58759c1792

commit 861b52ea98d703786ce485389db07e58759c1792
Author: Mike Reed <reed@google.com>
Date: Fri May 18 20:14:54 2018

tweak conservative bounds value to save aberrant cubic

Bug:  844457 
Change-Id: Ia3c7c0592df59022cf04f6747b1fe30975431ea4
Reviewed-on: https://skia-review.googlesource.com/129200
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Mike Reed <reed@google.com>

[modify] https://crrev.com/861b52ea98d703786ce485389db07e58759c1792/src/core/SkScan_Path.cpp
[modify] https://crrev.com/861b52ea98d703786ce485389db07e58759c1792/tests/ClipCubicTest.cpp

fuzzer.skia.org had been warning us about the root problem because of this assert [1], but it took an artful security expert to be able to exploit this to go out of bounds.

Compare the difference between [2] (the unit test added that triggers the assert) and the repro case presented.  They both trigger the assert, but [2] doesn't cause ASAN to complain.  The given repro case was able to take that broken case further (thanks for the excellent write-up Ivan!)

The attached case can be used to trigger that assert (at least before https://skia-review.googlesource.com/c/skia/+/129200 lands)

out/Debug/fuzz -b ~/Downloads/api-RasterN32Canvas-a10c20b1d9e68bb0febdbd90fc3f5d7cdbd4e2b7
Fuzzing RasterN32Canvas...
../../src/core/SkBlitter.cpp:1181: fatal error: "assert(fClipRect.contains(SkIRect::MakeXYWH(x, y, width, 1)))"
Aborted

What AI do we have to prevent this sort of thing from happening again?
  
1. I'm going to look to see if our fuzzer could have found this given infinite time.  If so, we'll add the test case to our seed_corpus.
2. reed@ mentioned that division by 64.0 was key to the overflow happening.  Maybe we can add some of those special divisions to the fuzzer dictionary to make it more likely to use those exact values.
3. I filed https://bugs.chromium.org/p/skia/issues/detail?id=7978 so we can distinguish the signal from the noise as far as our asserts go.


[1] https://github.com/google/skia/blob/861b52ea98d703786ce485389db07e58759c1792/src/core/SkBlitter.cpp?utf8=%E2%9C%93#L1181

[2] https://skia-review.googlesource.com/c/skia/+/129200/1/tests/ClipCubicTest.cpp#216
Attachment: api-RasterN32Canvas-a10c20b1d9e68bb0febdbd90fc3f5d7cdbd4e2b7 (308 bytes)
Cc: hcm@google.com
Labels: Merge-Request-67 Merge-Request-66 Build-Official-Scripts
I confirmed the test case reproduces on chrome/m66 and chrome/m67 branches of Skia, so we'll want to backport it there.
Project Member

Comment 10 by sheriffbot@chromium.org, May 18

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: We are only 10 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M67 merge review (Note: CL listed at #7 landed in trunk 55 mins back, not in canary yet.)
Project Member

Comment 12 by ClusterFuzz, May 18

Detailed report: https://clusterfuzz.com/testcase?key=6449017148669952

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x619000040080
Crash State:
  avx::memset32
  SkLinearGradient::LinearGradient4fContext::shadeSpan
  SkARGB32_Shader_Blitter::blitH
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6449017148669952

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 13 by bugdroid1@chromium.org, May 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b332617ddd273f27682d3d75442a12fb6f02ab1e

commit b332617ddd273f27682d3d75442a12fb6f02ab1e
Author: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Sat May 19 00:43:04 2018

Roll src/third_party/skia/ ee84fe1e6..ba5b5f517 (3 commits)

https://skia.googlesource.com/skia.git/+log/ee84fe1e6484..ba5b5f517168

$ git log ee84fe1e6..ba5b5f517 --date=short --no-merges --format='%ad %ae %s'
2018-05-18 reed harden line2d effect
2018-05-18 herb Add rules for cmake 3.11 to not error
2018-05-18 reed tweak conservative bounds value to save aberrant cubic

Created with:
  roll-dep src/third_party/skia
BUG= chromium:844457 


The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
TBR=herb@chromium.org

Change-Id: I1cf1c8862775f8a3e3b0fdbc8ef840a2f4d703d9
Reviewed-on: https://chromium-review.googlesource.com/1066783
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#560122}
[modify] https://crrev.com/b332617ddd273f27682d3d75442a12fb6f02ab1e/DEPS

Project Member

Comment 14 by ClusterFuzz, May 19

ClusterFuzz has detected this issue as fixed in range 560121:560122.

Detailed report: https://clusterfuzz.com/testcase?key=6449017148669952

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x619000040080
Crash State:
  avx::memset32
  SkLinearGradient::LinearGradient4fContext::shadeSpan
  SkARGB32_Shader_Blitter::blitH
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=560121:560122

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6449017148669952

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 15 by ClusterFuzz, May 19

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6449017148669952 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 16 by sheriffbot@chromium.org, May 19

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
govind@ - good for 67
Labels: -Merge-Review-67 Merge-Approved-67
Approving merge to M67 branch 3396 based on comment #17. Please merge ASAP so we can pick it up for this week's last M67 beta release on Wednesday. Thank you.
Project Member

Comment 19 by bugdroid1@chromium.org, May 21

Labels: merge-merged-m67
The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/78b60f4ff13b83da98ae2bca85aaef0a98b61098

commit 78b60f4ff13b83da98ae2bca85aaef0a98b61098
Author: Mike Reed <reed@google.com>
Date: Mon May 21 18:20:19 2018

tweak conservative bounds value to save aberrant cubic

Bug:  844457 
Change-Id: Ia3c7c0592df59022cf04f6747b1fe30975431ea4
Reviewed-on: https://skia-review.googlesource.com/129200
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Mike Reed <reed@google.com>
(cherry picked from commit 861b52ea98d703786ce485389db07e58759c1792)
Reviewed-on: https://skia-review.googlesource.com/129381
Reviewed-by: Heather Miller <hcm@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>

[modify] https://crrev.com/78b60f4ff13b83da98ae2bca85aaef0a98b61098/src/core/SkScan_Path.cpp
[modify] https://crrev.com/78b60f4ff13b83da98ae2bca85aaef0a98b61098/tests/ClipCubicTest.cpp

Labels: -Merge-Request-66 Merge-Rejected-66
Rejecting merge for M66, since M67 is only a week away. 
Labels: -Merge-Approved-67
Action Item 1 from #8 has been done in https://skia-review.googlesource.com/c/skia/+/129502 

The appropriate test case has been added to the appropriate corpora.

Hopefully we are equipped to find this sort of bug in the future.  We will evaluate the other 2 action items to see if we can guide the fuzzer to that result faster.
Labels: Release-0-M67
Labels: CVE-2018-6126 CVE_description-missing
Project Member

Comment 25 by sheriffbot@chromium.org, Aug 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
