New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 861504 link

Starred by 1 user
Status: WontFix
Owner:
bsalomon@chromium.org
Last visit > 30 days ago
Closed: Jul 14
Cc:
attek...@gmail.com
dsinclair@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Stack-buffer-overflow in gpu::gles2::GLES2Implementation::GetIntegerv

Project Member Reported by ClusterFuzz, Jul 7 
Detailed report: https://clusterfuzz.com/testcase?key=5120025921585152

Fuzzer: attekett_surku_fuzzer
Job Type: windows_asan_chrome_with_gpu
Platform Id: windows

Crash Type: Stack-buffer-overflow WRITE 12
Crash Address: 0x004a5a5fd114
Crash State:
  gpu::gles2::GLES2Implementation::GetIntegerv
  GrGLFunction<void
  GrGLCaps::initConfigTable
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5120025921585152

Issue manually filed by: aarya

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Project Member

Comment 1 by ClusterFuzz, Jul 7

Components: Internals>GPU>Internals Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 7

Labels: Pri-1

Comment 3 by kenrb@chromium.org, Jul 7

Owner: bsalomon@chromium.org
Status: Assigned (was: Untriaged)
bsalomon@: Can you PTAL? This is a flaky crash but the report looks concerning, and is going through some code that you added earlier this year to GrGlCaps.cpp.

Comment 4 by kenrb@chromium.org, Jul 7

Labels: M-68
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 8

Labels: Security_Impact-Beta
Project Member

Comment 6 by ClusterFuzz, Jul 14

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5120025921585152 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 15

Labels: -reward-topanel reward-ineligible

Comment 8 by bsalomon@chromium.org, Jul 16 

FWIW I tried to repro this using the listed gn args and opening the linked html and didn't get a repro. My best guess is something upstack caused this and was changed such that it no longer repros.
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 21

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment