Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/81b08fd531af5e9ab4ca317067cceaeb4a0ddd29 (Draw high bit depth images on wide gamut canvas without color precision loss).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is not release blocking. The patch is still in Canary.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The source of the problem is that we are loading a 16 bit png to a SVG. Decoder expects the buffer to reserve 8 bytes per pixel, but ImageFrame::AllocatePixelData reserves only four bytes. Somehow we end up with two different SkColorTypes in the ImageInfo that used to allocate the buffer and the SkImageInfo that is passed to the decoder. I guess somewhere we miss to carry over the correct color type. Investigating.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/65bc0fea4fd1b57c8262a60fe46aa38a7f463a5d

commit 65bc0fea4fd1b57c8262a60fe46aa38a7f463a5d
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Tue Oct 16 14:28:45 2018

Respect color type when copying pixels from scaled decoded image

TBR=fserb@chromium.org

Bug:  894673 
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I81df01f11d97763281b0282288ba3c068071eff6
Reviewed-on: https://chromium-review.googlesource.com/c/1281240
Reviewed-by: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599972}
[modify] https://crrev.com/65bc0fea4fd1b57c8262a60fe46aa38a7f463a5d/third_party/blink/renderer/platform/graphics/image_decoder_wrapper.cc

This is now passing the test locally. Waiting for the fuzzer to confirm.

ClusterFuzz has detected this issue as fixed in range 599970:599972.

Detailed report: https://clusterfuzz.com/testcase?key=4647715886333952

Fuzzer: noel-image-surku
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x62d00006c400
Crash State:
  blink::ImageDecoderWrapper::Decode
  blink::ImageFrameGenerator::DecodeAndScale
  blink::DecodingImageGenerator::GetPixels
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=598053:598056
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=599970:599972

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4647715886333952

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4647715886333952 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+awhalley@ (Security TPM) for M71 merge review.

@govind - good for 71

Approving merge to M71 branch 3578 based on comment #17. Please merge ASAP. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ce1f45159deeccf414e863086b1d1a51c55c1a87

commit ce1f45159deeccf414e863086b1d1a51c55c1a87
Author: Reza.Zakerinasab <zakerinasab@chromium.org>
Date: Thu Nov 08 21:15:05 2018

Respect color type when copying pixels from scaled decoded image

TBR=fserb@chromium.org

Bug:  894673 
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I81df01f11d97763281b0282288ba3c068071eff6
Reviewed-on: https://chromium-review.googlesource.com/c/1281240
Reviewed-by: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599972}(cherry picked from commit 65bc0fea4fd1b57c8262a60fe46aa38a7f463a5d)
Reviewed-on: https://chromium-review.googlesource.com/c/1327427
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#588}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}
[modify] https://crrev.com/ce1f45159deeccf414e863086b1d1a51c55c1a87/third_party/blink/renderer/platform/graphics/image_decoder_wrapper.cc

The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/ce1f45159deeccf414e863086b1d1a51c55c1a87

Commit: ce1f45159deeccf414e863086b1d1a51c55c1a87
Author: zakerinasab@chromium.org
Commiter: fserb@chromium.org
Date: 2018-11-08 21:15:05 +0000 UTC

Respect color type when copying pixels from scaled decoded image

TBR=fserb@chromium.org

Bug:  894673 
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I81df01f11d97763281b0282288ba3c068071eff6
Reviewed-on: https://chromium-review.googlesource.com/c/1281240
Reviewed-by: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Commit-Queue: Mohammad Reza Zakerinasab <zakerinasab@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#599972}(cherry picked from commit 65bc0fea4fd1b57c8262a60fe46aa38a7f463a5d)
Reviewed-on: https://chromium-review.googlesource.com/c/1327427
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/branch-heads/3578@{#588}
Cr-Branched-From: 4226ddf99103e493d7afb23a4c7902ee496108b6-refs/heads/master@{#599034}

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot