New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 867352 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 867314
Owner:
Last visit > 30 days ago
Closed: Jul 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in SkOpSpanBase::chased

Project Member Reported by ClusterFuzz, Jul 25

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4561419270619136

Fuzzer: libFuzzer_skia_pathop_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x00003f8088ab
Crash State:
  SkOpSpanBase::chased
  SkOpAngle::lastMarked
  SkOpSegment::findNextOp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=577632:577682

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561419270619136

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jul 25

Components: Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jul 25

Cc: carycl...@skia.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

handle failing pathop tests by caryclark@skia.org - https://skia.googlesource.com/skia/+/2587f41f2667b2add97f75583b71ebb74bc48af1

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Please assign to caryclark@google.com. As caryclark@skia.org, I cannot download the testcase or modify who this bug other than add this comment.
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 25

Labels: M-69 Target-69
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 25

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 25

Labels: Pri-1
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 26

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: OS-Android OS-Chrome OS-Linux OS-Windows
Owner: caryclark@google.com
Status: Assigned (was: Untriaged)
I haven't been able to reproduce. Does this repro on Linux or only on Mac?
I suspect this was fixed by https://skia-review.googlesource.com/143112.
Please let me know if this is still a regression.
Mergedinto: 867314
Status: Duplicate (was: Assigned)
Project Member

Comment 12 by ClusterFuzz, Jul 27

ClusterFuzz has detected this issue as fixed in range 578328:578339.

Detailed report: https://clusterfuzz.com/testcase?key=4561419270619136

Fuzzer: libFuzzer_skia_pathop_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x00003f8088ab
Crash State:
  SkOpSpanBase::chased
  SkOpAngle::lastMarked
  SkOpSegment::findNextOp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=577632:577682
Fixed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=578328:578339

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561419270619136

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by sheriffbot@chromium.org, Nov 3

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment