Issue metadata
Heap-buffer-overflow in transform_scanline_bgrA
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5050293671428096
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x000426914970
Crash State:
  transform_scanline_bgrA
  SkWebpEncoder::Encode
  blink::CanvasAsyncBlobCreator::EncodeImage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=521688:521717
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5050293671428096
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
May 19 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/6e0ab6ae54cc837abd96024dae5595a8d299e7b8 (Refactor CanvasAsyncBlobCreator to use StaticBitmapImage). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
May 20 2018
May 20 2018
May 22 2018
This is not locally reproducible. I tried to reproduce using both the cluster fuzz build and a local build on Mac 10.13. We had a similar issue recently which was also not reproducible ( crbug.com/808875 ). Adding scroggo@ to take a look.
May 22 2018
I initiated a Redo task on ClusterFuzz to try to minimize the test case one more time and also run the test case again to see if the test is flaky on the fuzzer.
May 22 2018
May 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0

commit 1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Thu May 24 20:11:32 2018

Fixing heap buffer overflow in CanvasAsyncBlobCreator

When the size of the to-be-encoded image is larger than the maximum size supported by the encoder, we need to crop the image beforehand. Otherwise, we might end up in a heap buffer overflow.

Bug: 844872
Change-Id: Ibea765a8b094a845a2a47f8d3e539fc53176ffb1
Reviewed-on: https://chromium-review.googlesource.com/1070326
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561597}

[add] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/WebKit/LayoutTests/fast/canvas/canvas-toBlob-oversized.html
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/WebKit/LayoutTests/virtual/threaded/fast/idleToBlob/OffscreenCanvas-convertToBlob-failures.html
[add] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/WebKit/LayoutTests/virtual/threaded/fast/idleToBlob/OffscreenCanvas-convertToBlob-oversized.html
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/blink/renderer/core/html/canvas/canvas_async_blob_creator.cc
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/blink/renderer/core/html/canvas/canvas_async_blob_creator.h
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/blink/renderer/core/html/canvas/canvas_async_blob_creator_test.cc
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/blink/renderer/platform/image-encoders/image_encoder.cc
[modify] https://crrev.com/1591ea17958c3eefbbd34c6ff3e9c6cfb0b901a0/third_party/blink/renderer/platform/image-encoders/image_encoder.h
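Added example, not Chromium's or Skia's code: the commit message above describes the defensive pattern (crop the image to the encoder's supported size before encoding, so the encoder's buffers match the data it is fed) but the report gives no code, so this is a self-contained C++ sketch of that pattern with a bounds-checked stand-in for the scanline transform. The limit `kMaxEncoderDimension`, the `Image` and `CropRect` types, the toy `Encode` and every function name are constructed for this example; the real limit and the real transform live in the encoder library.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical encoder limit, chosen small so the example stays readable.
// The real limit belongs to the encoder library and is not taken from the bug report.
constexpr int kMaxEncoderDimension = 16;

// Minimal BGRA image: one uint32_t per pixel, row-major, width * height entries.
struct Image {
  int width = 0;
  int height = 0;
  std::vector<uint32_t> pixels;
};

struct CropRect {
  int width;
  int height;
};

// Largest top-left rectangle of a width x height image that the encoder accepts.
CropRect CropToEncoderLimits(int width, int height) {
  return {std::min(width, kMaxEncoderDimension),
          std::min(height, kMaxEncoderDimension)};
}

// Copy the top-left `rect` of `src` into a fresh image, so the encoder only ever
// sees dimensions within its limits and sizes its buffers for exactly that data.
Image CropImage(const Image& src, CropRect rect) {
  Image out;
  out.width = rect.width;
  out.height = rect.height;
  out.pixels.resize(static_cast<size_t>(rect.width) * rect.height);
  for (int y = 0; y < rect.height; ++y) {
    const uint32_t* src_row = &src.pixels[static_cast<size_t>(y) * src.width];
    std::copy(src_row, src_row + rect.width,
              out.pixels.begin() + static_cast<size_t>(y) * rect.width);
  }
  return out;
}

// Stand-in for a scanline transform: BGRA in, packed RGB (3 bytes per pixel) out.
// The explicit size check is the guard a raw pointer-based transform cannot give you.
bool TransformScanlineBgrA(const uint32_t* src, int width, std::vector<uint8_t>& dst) {
  if (width < 0 || dst.size() < static_cast<size_t>(width) * 3) return false;
  for (int x = 0; x < width; ++x) {
    uint32_t bgra = src[x];
    dst[x * 3 + 0] = static_cast<uint8_t>((bgra >> 16) & 0xff);  // R
    dst[x * 3 + 1] = static_cast<uint8_t>((bgra >> 8) & 0xff);   // G
    dst[x * 3 + 2] = static_cast<uint8_t>(bgra & 0xff);          // B
  }
  return true;
}

// Toy encoder: refuses dimensions beyond its limit instead of silently clamping,
// then transforms each row through a scanline buffer sized from the image it was given.
bool Encode(const Image& img, std::vector<uint8_t>& out) {
  if (img.width <= 0 || img.height <= 0 || img.width > kMaxEncoderDimension ||
      img.height > kMaxEncoderDimension)
    return false;
  if (img.pixels.size() < static_cast<size_t>(img.width) * img.height) return false;
  std::vector<uint8_t> scanline(static_cast<size_t>(img.width) * 3);
  out.clear();
  for (int y = 0; y < img.height; ++y) {
    const uint32_t* row = &img.pixels[static_cast<size_t>(y) * img.width];
    if (!TransformScanlineBgrA(row, img.width, scanline)) return false;
    out.insert(out.end(), scanline.begin(), scanline.end());
  }
  return true;
}

// Entry point in the spirit of the fix: crop to the encoder's limits before encoding.
bool EncodeWithCrop(const Image& img, std::vector<uint8_t>& out) {
  CropRect rect = CropToEncoderLimits(img.width, img.height);
  if (rect.width == img.width && rect.height == img.height) return Encode(img, out);
  return Encode(CropImage(img, rect), out);
}

// Constructed test image: each pixel's R byte holds its x and G byte its y coordinate.
Image MakeTestImage(int width, int height) {
  Image img;
  img.width = width;
  img.height = height;
  img.pixels.resize(static_cast<size_t>(width) * height);
  for (int y = 0; y < height; ++y)
    for (int x = 0; x < width; ++x)
      img.pixels[static_cast<size_t>(y) * width + x] =
          0xff000000u | (static_cast<uint32_t>(x) << 16) | (static_cast<uint32_t>(y) << 8);
  return img;
}

int main() {
  Image big = MakeTestImage(40, 20);  // wider than the encoder accepts
  std::vector<uint8_t> out;
  bool direct = Encode(big, out);
  bool cropped = EncodeWithCrop(big, out);
  std::printf("direct encode accepted: %d\n", direct);
  std::printf("encode after crop accepted: %d, bytes: %zu\n", cropped, out.size());
  return 0;
}
```

The point of the split is that the dimension check lives at the boundary where the caller hands data to the encoder, and the encoder itself sizes its scanline buffer from the image it actually receives; an oversized source never reaches the transform, and the transform refuses a destination that is too small rather than writing past it.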
May 25 2018
ClusterFuzz has detected this issue as fixed in range 561580:561613.
Detailed report: https://clusterfuzz.com/testcase?key=5050293671428096
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x000426914970
Crash State:
  transform_scanline_bgrA
  SkWebpEncoder::Encode
  blink::CanvasAsyncBlobCreator::EncodeImage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=521688:521717
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=561580:561613
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5050293671428096
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 25 2018
ClusterFuzz testcase 5050293671428096 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 25 2018
May 29 2018
Jun 8 2018
Jun 8 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 8 2018
Approved. branch:3440
Jun 12 2018
This is already merged in 3440. The commit position for this change is refs/heads/master@{#561597}, while the commit position for branch 3440 is refs/heads/master@{561733}.
Jun 12 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 18 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 18 2018
Please merge your change to the M68 branch 3440 ASAP so we can pick it up for this week's Beta release. The merge has to happen by 1:00 PM PT tomorrow, Tuesday (06/19), at the latest, so we can pick it up for Wednesday's Beta release.
Jun 19 2018
As per #16, this was committed before 3440 was branched. Removing the merge tags.
Aug 31
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, May 19 2018. Labels: Test-Predator-Auto-Components