
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2011
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Restricted
  • Only users with EditIssue permission may comment.




OOB read in SVG at WebCore::parseArcFlag

Reported by aohe...@gmail.com, Oct 19 2011

Issue description

VULNERABILITY DETAILS
Asan reports an OOB heap read when the attached SVG file is loaded. The error comes when reading data past the end of a string while parsing a path. I don't have asan builds for stable and beta (yet) so not sure if this affects them. No obvious security impact, but this might also affect beta/stable and the controllable string and possibly somewhat controllable data after it leave some room to play, so filing as a potential security bug.

VERSION
Chrome Version: 16.0.911.0 (Developer Build 105764)
Operating System: Linux (Debian 6.0.3, x86_64)

REPRODUCTION CASE
 $ chrome oobr.svg

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
Program received signal SIGILL, Illegal instruction.
0x00007ffff40faef2 in WebCore::parseArcFlag (ptr=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
161         const UChar flagChar = *ptr++;
(gdb) list
156
157     // only used to parse largeArcFlag and sweepFlag which must be a "0" or "1"
158     // and might not have any whitespace/comma after it
159     bool parseArcFlag(const UChar*& ptr, const UChar* end, bool& flag)
160     {
161         const UChar flagChar = *ptr++;
162         if (flagChar == '0')
163             flag = false;
164         else if (flagChar == '1')
165             flag = true;
(gdb) bt 5
#0  0x00007ffff40faef2 in WebCore::parseArcFlag (ptr=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
#1  0x00007ffff411ae9a in WebCore::SVGPathStringSource::parseArcToSegment (
    this=DWARF-2 expression error: DW_OP_reg operations must be used either alone or in conjuction with DW_OP_piece or DW_OP_bit_piece.
) at third_party/WebKit/Source/WebCore/svg/SVGPathStringSource.cpp:231
#2  0x00007ffff428ced5 in WebCore::SVGPathParser::parseArcToSegment (
    this=<optimized out>)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:246
#3  0x00007ffff428ecf9 in WebCore::SVGPathParser::parsePathDataFromSource (
    this=<optimized out>, pathParsingMode=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:359
#4  0x00007ffff411011a in WebCore::SVGPathParserFactory::buildSVGPathByteStreamFromString (this=<optimized out>, d=<optimized out>, result=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParserFactory.cpp:238
(More stack frames follow...)


==25351== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f6a8a2a2bea at pc 0x7f6a9ec98ef2 bp 0x7fff91a620b0 sp 0x7fff91a61f98
[...]
READ of size 2 at 0x7f6a8a2a2bea thread T0
0x7f6a8a2a2bea is located 0 bytes to the right of 106-byte region [0x7f6a8a2a2b80,0x7f6a8a2a2bea)
 
Attachment: oobr.svg (98 bytes)
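As an added illustration (not code from this report or from the WebKit patch it links to): the crashing line `const UChar flagChar = *ptr++;` reads a UTF-16 code unit with no check that `ptr < end`, which is why ASan reports a 2-byte read exactly 0 bytes past the 106-byte string. The bounds check below is the kind of guard that stops the read at `end`; the `parseArcFlags` driver, `skipOptionalSpacesOrDelimiter` helper and `ArcFlags` struct are mine, written to exercise the fragment on constructed input.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

typedef uint16_t UChar;   // WebKit's UTF-16 code unit type

// Hardened arc-flag parser. The `ptr >= end` test is the bounds check that the
// crashing line `const UChar flagChar = *ptr++;` lacks, so the code unit at
// `end` is never read. Returns false on an exhausted buffer or a non-0/1 char.
bool parseArcFlagChecked(const UChar*& ptr, const UChar* end, bool& flag)
{
    if (ptr >= end)
        return false;
    const UChar flagChar = *ptr++;
    if (flagChar == '0')
        flag = false;
    else if (flagChar == '1')
        flag = true;
    else
        return false;
    return true;
}

// Skip the optional whitespace/comma that may separate path tokens (my helper).
static void skipOptionalSpacesOrDelimiter(const UChar*& ptr, const UChar* end)
{
    while (ptr < end && (*ptr == ' ' || *ptr == '\t' || *ptr == '\n'
                         || *ptr == '\r' || *ptr == ','))
        ++ptr;
}

// ok: both flags parsed in bounds; consumed: UTF-16 code units consumed.
struct ArcFlags { bool ok, largeArc, sweep; std::size_t consumed; };
// Parse the largeArcFlag and sweepFlag of an arc segment from an ASCII
// fragment such as "1 0" or "0,1" (constructed input, widened to UTF-16).
ArcFlags parseArcFlags(const std::string& ascii)
{
    std::vector<UChar> buf(ascii.begin(), ascii.end());
    const UChar* ptr = buf.data();
    const UChar* const end = ptr + buf.size();
    ArcFlags r = { false, false, false, 0 };
    if (parseArcFlagChecked(ptr, end, r.largeArc)) {
        skipOptionalSpacesOrDelimiter(ptr, end);
        r.ok = parseArcFlagChecked(ptr, end, r.sweep);
    }
    r.consumed = static_cast<std::size_t>(ptr - buf.data());
    return r;
}
```

With the input "1" (a string that ends right after the first flag) the checked version reports failure instead of reading the unit at `end`, which is the access ASan flagged.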

Comment 1 by kcc@chromium.org, Oct 19 2011

Cc: infe...@chromium.org
Labels: -Area-Undefined Area-WebKit Stability-AddressSanitizer
Status: Available
Working as a symbolizer :) 


==24763== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f9a3894b5ea at pc 0x7f9a8b199dab bp 0x7f9a641dedc0 sp 0x7f9a641dedb8
READ of size 2 at 0x7f9a3894b5ea thread T16
    #0 0x7f9a8b199dab in WebCore::parseArcFlag third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
    #1 0x7f9a8b1b73d2 in WebCore::SVGPathStringSource::parseArcToSegment third_party/WebKit/Source/WebCore/svg/SVGPathStringSource.cpp:231
    #2 0x7f9a8b30cd18 in WebCore::SVGPathParser::parseArcToSegment third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:246
    #3 0x7f9a8b30e8a7 in WebCore::SVGPathParser::parsePathDataFromSource third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:359
    #4 0x7f9a8b1ad4fd in WebCore::SVGPathParserFactory::buildSVGPathByteStreamFromString third_party/WebKit/Source/WebCore/svg/SVGPathParserFactory.cpp:238
    #5 0x7f9a8b1a1a44 in WebCore::SVGPathElement::parseMappedAttribute third_party/WebKit/Source/WebCore/svg/SVGPathElement.cpp:227
    #6 0x7f9a8c7f346f in WebCore::StyledElement::attributeChanged third_party/WebKit/Source/WebCore/dom/StyledElement.cpp:189
    #7 0x7f9a8b0906e7 in WebCore::Node::getFlag const third_party/WebKit/Source/WebCore/dom/Node.h:654
    #8 0x7f9a8956d2b4 in WTF::RefPtr<WebCore::Attribute>::operator-> const third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:66
    #9 0x7f9a89537745 in WebCore::Element::setAttribute third_party/WebKit/Source/WebCore/dom/Element.cpp:702
    #10 0x7f9a89549a77 in WebCore::Element::setAttributeNS third_party/WebKit/Source/WebCore/dom/Element.cpp:1526
    #11 0x7f9a8a2a5f79 in handleElementAttributes third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:728
    #12 0x7f9a88d978c8 in xmlParseStartTag2 third_party/libxml/src/parser.c:9126
    #13 0x7f9a88da08a3 in xmlParseTryOrFinish third_party/libxml/src/parser.c:10847
    #14 0x7f9a88d9de70 in xmlParseChunk third_party/libxml/src/parser.c:11625
    #15 0x7f9a8a2a3963 in WebCore::XMLDocumentParser::doWrite third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:653
    #16 0x7f9a8a29d6a5 in WTF::RefPtr<WTF::StringImpl>::~RefPtr third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #17 0x7f9a8c7d784b in WTF::Deque<WebCore::SegmentedSubstring, 0ul>::~Deque third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #18 0x7f9a8a01df1d in WebCore::DocumentLoader::commitData third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:317
    #19 0x7f9a8914d816 in WebKit::FrameLoaderClientImpl::committedLoad third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1112
    #20 0x7f9a8a01db4b in WebCore::DocumentLoader::commitLoad third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:303
    #21 0x7f9a8a0b29d4 in WebCore::ResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:291
    #22 0x7f9a8a090d5a in WebCore::MainResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:467
    #23 0x7f9a8a0b42a7 in WebCore::InspectorInstrumentation::hasFrontends third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:198
    #24 0x7f9a88ff8202 in ResourceDispatcher::OnReceivedData content/common/resource_dispatcher.cc:377
    #25 0x7f9a88ff7a26 in bool ResourceMsg_DataReceived::Dispatch<ResourceDispatcher, ResourceDispatcher, int, base::FileDescriptor, int, int> ./content/common/resource_messages.h:137

0x7f9a3894b5ea is located 0 bytes to the right of 106-byte region [0x7f9a3894b580,0x7f9a3894b5ea)
allocated by thread T16 here:
    #0 0x7f9a8cc8ba7f in malloc _asan_rtl_
    #1 0x7f9a891cb68b in WTF::fastMalloc third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:264
    #2 0x7f9a891e4b5f in WTF::StringImpl::createUninitialized third_party/WebKit/Source/JavaScriptCore/wtf/text/StringImpl.cpp:89
    #3 0x7f9a891e0710 in WTF::HashAndUTF8CharactersTranslator::translate third_party/WebKit/Source/JavaScriptCore/wtf/text/AtomicString.cpp:202
    #4 0x7f9a891e01d5 in stringTable third_party/WebKit/Source/JavaScriptCore/wtf/HashSet.h:189
    #5 0x7f9a8a2a59d2 in WTF::AtomicString::fromUTF8 third_party/WebKit/Source/JavaScriptCore/wtf/text/AtomicString.h:176
    #6 0x7f9a88d978c8 in xmlParseStartTag2 third_party/libxml/src/parser.c:9126
    #7 0x7f9a88da08a3 in xmlParseTryOrFinish third_party/libxml/src/parser.c:10847
    #8 0x7f9a88d9de70 in xmlParseChunk third_party/libxml/src/parser.c:11625
    #9 0x7f9a8a2a3963 in WebCore::XMLDocumentParser::doWrite third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:653
    #10 0x7f9a8a29d6a5 in WTF::RefPtr<WTF::StringImpl>::~RefPtr third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #11 0x7f9a8c7d784b in WTF::Deque<WebCore::SegmentedSubstring, 0ul>::~Deque third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #12 0x7f9a8a01df1d in WebCore::DocumentLoader::commitData third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:317
    #13 0x7f9a8914d816 in WebKit::FrameLoaderClientImpl::committedLoad third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1112
    #14 0x7f9a8a01db4b in WebCore::DocumentLoader::commitLoad third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:303
    #15 0x7f9a8a0b29d4 in WebCore::ResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:291



Comment 2 by tsepez@chromium.org, Oct 19 2011

Labels: Mstone-16 SecSeverity-Medium
Cc: -infe...@chromium.org
Labels: -Pri-0 Pri-1 OS-All

Comment 4 by laforge@google.com, Oct 24 2011

Labels: -Mstone-16 MovedFrom-16 Mstone-17

Comment 5 by jsc...@chromium.org, Oct 24 2011

Labels: -SecSeverity-Medium SecSeverity-Low
Owner: jsc...@chromium.org
Status: Started
Filed upstream: https://bugs.webkit.org/show_bug.cgi?id=70763

It's a trivial fix and I have a patch up for review. I'm bumping severity down to low because it's a one-character OOB read from which you can recover at most one bit of state (and I'm not certain that state is actually recoverable).

Comment 6 by jsc...@chromium.org, Oct 25 2011

Labels: -Pri-1 -MovedFrom-16 -Mstone-17 Pri-2 Merge-Approved Mstone-16
Status: FixUnreleased
Landed upstream: http://trac.webkit.org/changeset/98344

It should be a trivial merge, but the severity is so low I'm not sure it warrants it.

Comment 7 by jsc...@chromium.org, Oct 27 2011

Labels: -Restrict-View-SecurityTeam -Mstone-16 Restrict-View-SecurityNotify Mstone-15 SecImpacts-Beta SecImpacts-Stable
Labels: -Merge-Approved -Mstone-15 Merge-Merged Mstone-16
Might as well.
Merged to M16: http://trac.webkit.org/changeset/99025

Comment 9 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 10 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 11 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -Stability-AddressSanitizer -SecSeverity-Low -Mstone-16 -SecImpacts-Beta -SecImpacts-Stable Cr-Content Security-Severity-Low Security-Impact-Beta Performance-Memory-AddressSanitizer Security-Impact-Stable Type-Bug-Security M-16

Comment 12 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 13 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 18 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 19 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 20 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
