Heap-buffer-overflow in SkPaint::getTextWidths
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6416523649089536

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xed6a06b0
Crash State:
  SkPaint::getTextWidths
  void blink::ShapeResult::ComputeGlyphPositions<true>
  blink::ShapeResult::InsertRun

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=579681:579682

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6416523649089536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Aug 2
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a5d5bb89a464f812803f6b5b6a2feb9f656f52eb (Optimize ShapeResult::ComputeGlyphBounds). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Aug 2
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 7
Issue 871071 has been merged into this issue.
Aug 7
M69 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
Aug 7
I'll look into this first thing tomorrow. In the future please don't assign bugs directly to individuals without first going through the triage process as that means they don't show up in any of our tracking tools and are not subject to our SLO.
Aug 8
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8094625da61dda77446482770c829b6e8eee875f

commit 8094625da61dda77446482770c829b6e8eee875f
Author: Emil A Eklund <eae@chromium.org>
Date: Wed Aug 08 01:25:26 2018

Revert "Optimize ShapeResult::ComputeGlyphBounds"

This reverts r579682 (commit a5d5bb89a464f812803f6b5b6a2feb9f656f52eb).

Reason for revert: Caused regression for RTL text.

Bug: 870178, 591099
Tbr: kojii@chromium.org
Change-Id: Ic8d79c86c59d649636d065a697b11d37f029efe7
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng
Reviewed-on: https://chromium-review.googlesource.com/1166298
Commit-Queue: Emil A Eklund <eae@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581427}

[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/shaping/shape_result.cc
[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/shaping/shape_result.h
[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/simple_font_data.cc
[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/simple_font_data.h
[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc
[modify] https://crrev.com/8094625da61dda77446482770c829b6e8eee875f/third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.h
Aug 8
ClusterFuzz has detected this issue as fixed in range 581425:581427.

Detailed report: https://clusterfuzz.com/testcase?key=6416523649089536

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0xed6a06b0
Crash State:
  SkPaint::getTextWidths
  void blink::ShapeResult::ComputeGlyphPositions<true>
  blink::ShapeResult::InsertRun

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=579681:579682
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=581425:581427

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6416523649089536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 8
ClusterFuzz testcase 6416523649089536 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 10
This bug requires manual review: Reverts referenced in bugdroid comments after merge request. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 10
+awhalley@ (Security TPM) for M69 merge review.
Aug 10
+inferno for comment 9, not sure if Predator is aware of component level triage processes. Looks like both regression and revert were just in 70, so no need for 69 merge.
Nov 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Aug 2
Labels: Test-Predator-Auto-Components