Thanks for the report!

Reed@, "git blame" lists you as the author of this code and robertphillips@ as the latest committer of the "growForVerb" code. I assume you are the right person to assign this to; if you are not can you suggest a new owner?

Also, the reporter mentioned this pattern may be present in other areas, can you put some effort in to ensure that it is not?

Thanks!

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/c3d8a48f1b27370049aa512019cd726c59354743

commit c3d8a48f1b27370049aa512019cd726c59354743
Author: Mike Reed <reed@google.com>
Date: Wed Sep 12 14:29:18 2018

allow path.add(path) safely

Bug:  882423 
Change-Id: Ied2ad2d5dfdf00af8f3ba722b522e9602fea5557
Reviewed-on: https://skia-review.googlesource.com/153260
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/c3d8a48f1b27370049aa512019cd726c59354743/tests/PathTest.cpp
[modify] https://crrev.com/c3d8a48f1b27370049aa512019cd726c59354743/src/core/SkPath.cpp

+metzman, looks like the path api isn't exercised as well by the fuzzers as we thought.

https://github.com/google/skia/blob/master/fuzz/FuzzCommon.cpp#L12

robertphillips@ said he'd possibly take a look at vamping it up.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f7888a12e1923fce6ffeb876018e141f9de89ce

commit 7f7888a12e1923fce6ffeb876018e141f9de89ce
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Wed Sep 12 17:19:01 2018

Roll src/third_party/skia b2acf0a93927..16322637c477 (4 commits)

https://skia.googlesource.com/skia.git/+log/b2acf0a93927..16322637c477


git log b2acf0a93927..16322637c477 --date=short --no-merges --format='%ad %ae %s'
2018-09-12 fmalita@chromium.org [sksg] Trim down sksg::Matrix size
2018-09-12 reed@google.com remove SK_SUPPORT_LEGACY_TYPEFACE_MAKEFROMSTREAM
2018-09-12 brianosman@google.com Remove raw-data version of createTextureProxy
2018-09-12 reed@google.com allow path.add(path) safely


Created with:
  gclient setdep -r src/third_party/skia@16322637c477

The AutoRoll server is located here: https://autoroll.skia.org/r/skia-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG= chromium:882423 
TBR=caryclark@chromium.org

Change-Id: I1541aa1f48d76c6ba1ac980f0c1dd37e413a28f2
Reviewed-on: https://chromium-review.googlesource.com/1221967
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#590737}
[modify] https://crrev.com/7f7888a12e1923fce6ffeb876018e141f9de89ce/DEPS

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/5e4e5451ff901ee8a148bd7cc1e6f1f8e29a519e

commit 5e4e5451ff901ee8a148bd7cc1e6f1f8e29a519e
Author: Robert Phillips <robertphillips@google.com>
Date: Wed Sep 12 17:25:25 2018

Expand SkPath fuzzer

Bug:  882423 
Change-Id: Ib1599c84798de74b9e7ecefffb47f22fd12f5a8f
Reviewed-on: https://skia-review.googlesource.com/153889
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/5e4e5451ff901ee8a148bd7cc1e6f1f8e29a519e/fuzz/FuzzCommon.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9b08f99ae803cc937a17a9e15dd08aaf85fe2f98

commit 9b08f99ae803cc937a17a9e15dd08aaf85fe2f98
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Wed Sep 12 20:22:33 2018

Roll src/third_party/skia 16322637c477..b8e125281d50 (6 commits)

https://skia.googlesource.com/skia.git/+log/16322637c477..b8e125281d50


git log 16322637c477..b8e125281d50 --date=short --no-merges --format='%ad %ae %s'
2018-09-12 caryclark@skia.org Revert "remove SK_SUPPORT_LEGACY_TYPEFACE_MAKEFROMSTREAM"
2018-09-12 jcgregorio@google.com Fix container builder command line.
2018-09-12 mtklein@google.com revise p3 GM
2018-09-12 brianosman@google.com Add F16 test-case to all_bitmap_configs
2018-09-12 robertphillips@google.com Expand SkPath fuzzer
2018-09-12 halcanary@google.com SkPDF: do all rasterScale calculations in one place.


Created with:
  gclient setdep -r src/third_party/skia@b8e125281d50

The AutoRoll server is located here: https://autoroll.skia.org/r/skia-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG= chromium:882423 
TBR=caryclark@chromium.org

Change-Id: I31ff5e314ae0e482f71f49c257c25adac68b6168
Reviewed-on: https://chromium-review.googlesource.com/1222209
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#590804}
[modify] https://crrev.com/9b08f99ae803cc937a17a9e15dd08aaf85fe2f98/DEPS

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/8051d38358293df1e5b8a1a513f8114147ec9fa3

commit 8051d38358293df1e5b8a1a513f8114147ec9fa3
Author: Robert Phillips <robertphillips@google.com>
Date: Thu Sep 13 13:10:33 2018

Fix SkPath::reverseAddPath and fuzzing of SkPath enums

Bug:  882423 
Change-Id: I2be2863574a5951b86e4d5e213094efee6081098
Reviewed-on: https://skia-review.googlesource.com/154300
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Greg Daniel <egdaniel@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/8051d38358293df1e5b8a1a513f8114147ec9fa3/fuzz/FuzzCommon.cpp
[modify] https://crrev.com/8051d38358293df1e5b8a1a513f8114147ec9fa3/src/core/SkPath.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e75f8f872e92b7b4615df2f0c47359e3e498175

commit 1e75f8f872e92b7b4615df2f0c47359e3e498175
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Sep 13 15:31:24 2018

Roll src/third_party/skia 637c06aec7b1..d2916264aae0 (4 commits)

https://skia.googlesource.com/skia.git/+log/637c06aec7b1..d2916264aae0


git log 637c06aec7b1..d2916264aae0 --date=short --no-merges --format='%ad %ae %s'
2018-09-13 stephana@google.com [infra] Add pubsub emulator to gcloud asset
2018-09-13 brianosman@google.com Defer mip-mapping until lazy proxy instantiation
2018-09-13 mtklein@google.com add a linear gradient to P3 gm
2018-09-13 robertphillips@google.com Fix SkPath::reverseAddPath and fuzzing of SkPath enums


Created with:
  gclient setdep -r src/third_party/skia@d2916264aae0

The AutoRoll server is located here: https://autoroll.skia.org/r/skia-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG= chromium:882423 
TBR=caryclark@chromium.org

Change-Id: Icc65a9c71f5c9970e104dad2d7e313a4fa2221b3
Reviewed-on: https://chromium-review.googlesource.com/1224591
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#591020}
[modify] https://crrev.com/1e75f8f872e92b7b4615df2f0c47359e3e498175/DEPS

reed: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I think we have addressed this and similar related issues.

reed@ - could you confirm that the vulnerable code is reachable from Chrome?  Cheers!

reed@ can confirm but I believe Chrome could have run afoul of this bug.

Well, NewTabButton::GetHitTestMask gets a path from NewTabButton::GetBorderPath (which can add conics to the returned path) and then calls addPath - adding the returned path to its mask path. AFAICT that mask path is always empty though. So, although Chrome comes close, I don't think it would actually trigger this bug.

Still, there is nothing preventing Chrome from using SkPath in a manner that would trigger this bug.

Someone more familiar with Chrome might be able to provide more insight.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Nice one hungtt28k55@! The VRP panel decided to award $1,000 for this bug. A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in Chrome release notes?

Thank all team! Please credit me as Tran Tien Hung (@hungtt28) of Viettel Cyber Security.

Thanks!

This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

(Already in 71)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot