Status: Fixed
Closed: Oct 2011
OS: All
Pri: 2
Type: Bug-Security
OOB read in SVG at WebCore::parseArcFlag
Reported by aohe...@gmail.com, Oct 19 2011
VULNERABILITY DETAILS
ASan reports an OOB heap read when the attached SVG file is loaded. The error occurs when reading data past the end of a string while parsing a path. I don't have ASan builds for stable and beta (yet), so I'm not sure whether this affects them. No obvious security impact, but this might also affect beta/stable, and the controllable string (and possibly somewhat controllable data after it) leaves some room to play, so I'm filing this as a potential security bug.

VERSION
Chrome Version: 16.0.911.0 (Developer Build 105764)
Operating System: Linux (Debian 6.0.3, x86_64)

REPRODUCTION CASE
 $ chrome oobr.svg

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
Program received signal SIGILL, Illegal instruction.
0x00007ffff40faef2 in WebCore::parseArcFlag (ptr=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
161         const UChar flagChar = *ptr++;
(gdb) list
156
157     // only used to parse largeArcFlag and sweepFlag which must be a "0" or "1"
158     // and might not have any whitespace/comma after it
159     bool parseArcFlag(const UChar*& ptr, const UChar* end, bool& flag)
160     {
161         const UChar flagChar = *ptr++;
162         if (flagChar == '0')
163             flag = false;
164         else if (flagChar == '1')
165             flag = true;
(gdb) bt 5
#0  0x00007ffff40faef2 in WebCore::parseArcFlag (ptr=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
#1  0x00007ffff411ae9a in WebCore::SVGPathStringSource::parseArcToSegment (
    this=DWARF-2 expression error: DW_OP_reg operations must be used either alone or in conjuction with DW_OP_piece or DW_OP_bit_piece.
) at third_party/WebKit/Source/WebCore/svg/SVGPathStringSource.cpp:231
#2  0x00007ffff428ced5 in WebCore::SVGPathParser::parseArcToSegment (
    this=<optimized out>)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:246
#3  0x00007ffff428ecf9 in WebCore::SVGPathParser::parsePathDataFromSource (
    this=<optimized out>, pathParsingMode=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:359
#4  0x00007ffff411011a in WebCore::SVGPathParserFactory::buildSVGPathByteStreamFromString (this=<optimized out>, d=<optimized out>, result=Unhandled dwarf expression opcode 0x0
)
    at third_party/WebKit/Source/WebCore/svg/SVGPathParserFactory.cpp:238
(More stack frames follow...)


==25351== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f6a8a2a2bea at pc 0x7f6a9ec98ef2 bp 0x7fff91a620b0 sp 0x7fff91a61f98
[...]
READ of size 2 at 0x7f6a8a2a2bea thread T0
0x7f6a8a2a2bea is located 0 bytes to the right of 106-byte region [0x7f6a8a2a2b80,0x7f6a8a2a2bea)

Attachment: oobr.svg (98 bytes)
Comment 1 by kcc@chromium.org, Oct 19 2011
Cc: infe...@chromium.org
Labels: -Area-Undefined Area-WebKit Stability-AddressSanitizer
Status: Available
Working as a symbolizer :) 


==24763== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f9a3894b5ea at pc 0x7f9a8b199dab bp 0x7f9a641dedc0 sp 0x7f9a641dedb8
READ of size 2 at 0x7f9a3894b5ea thread T16
    #0 0x7f9a8b199dab in WebCore::parseArcFlag third_party/WebKit/Source/WebCore/svg/SVGParserUtilities.cpp:161
    #1 0x7f9a8b1b73d2 in WebCore::SVGPathStringSource::parseArcToSegment third_party/WebKit/Source/WebCore/svg/SVGPathStringSource.cpp:231
    #2 0x7f9a8b30cd18 in WebCore::SVGPathParser::parseArcToSegment third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:246
    #3 0x7f9a8b30e8a7 in WebCore::SVGPathParser::parsePathDataFromSource third_party/WebKit/Source/WebCore/svg/SVGPathParser.cpp:359
    #4 0x7f9a8b1ad4fd in WebCore::SVGPathParserFactory::buildSVGPathByteStreamFromString third_party/WebKit/Source/WebCore/svg/SVGPathParserFactory.cpp:238
    #5 0x7f9a8b1a1a44 in WebCore::SVGPathElement::parseMappedAttribute third_party/WebKit/Source/WebCore/svg/SVGPathElement.cpp:227
    #6 0x7f9a8c7f346f in WebCore::StyledElement::attributeChanged third_party/WebKit/Source/WebCore/dom/StyledElement.cpp:189
    #7 0x7f9a8b0906e7 in WebCore::Node::getFlag const third_party/WebKit/Source/WebCore/dom/Node.h:654
    #8 0x7f9a8956d2b4 in WTF::RefPtr<WebCore::Attribute>::operator-> const third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:66
    #9 0x7f9a89537745 in WebCore::Element::setAttribute third_party/WebKit/Source/WebCore/dom/Element.cpp:702
    #10 0x7f9a89549a77 in WebCore::Element::setAttributeNS third_party/WebKit/Source/WebCore/dom/Element.cpp:1526
    #11 0x7f9a8a2a5f79 in handleElementAttributes third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:728
    #12 0x7f9a88d978c8 in xmlParseStartTag2 third_party/libxml/src/parser.c:9126
    #13 0x7f9a88da08a3 in xmlParseTryOrFinish third_party/libxml/src/parser.c:10847
    #14 0x7f9a88d9de70 in xmlParseChunk third_party/libxml/src/parser.c:11625
    #15 0x7f9a8a2a3963 in WebCore::XMLDocumentParser::doWrite third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:653
    #16 0x7f9a8a29d6a5 in WTF::RefPtr<WTF::StringImpl>::~RefPtr third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #17 0x7f9a8c7d784b in WTF::Deque<WebCore::SegmentedSubstring, 0ul>::~Deque third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #18 0x7f9a8a01df1d in WebCore::DocumentLoader::commitData third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:317
    #19 0x7f9a8914d816 in WebKit::FrameLoaderClientImpl::committedLoad third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1112
    #20 0x7f9a8a01db4b in WebCore::DocumentLoader::commitLoad third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:303
    #21 0x7f9a8a0b29d4 in WebCore::ResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:291
    #22 0x7f9a8a090d5a in WebCore::MainResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/MainResourceLoader.cpp:467
    #23 0x7f9a8a0b42a7 in WebCore::InspectorInstrumentation::hasFrontends third_party/WebKit/Source/WebCore/inspector/InspectorInstrumentation.h:198
    #24 0x7f9a88ff8202 in ResourceDispatcher::OnReceivedData content/common/resource_dispatcher.cc:377
    #25 0x7f9a88ff7a26 in bool ResourceMsg_DataReceived::Dispatch<ResourceDispatcher, ResourceDispatcher, int, base::FileDescriptor, int, int> ./content/common/resource_messages.h:137

0x7f9a3894b5ea is located 0 bytes to the right of 106-byte region [0x7f9a3894b580,0x7f9a3894b5ea)
allocated by thread T16 here:
    #0 0x7f9a8cc8ba7f in malloc _asan_rtl_
    #1 0x7f9a891cb68b in WTF::fastMalloc third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:264
    #2 0x7f9a891e4b5f in WTF::StringImpl::createUninitialized third_party/WebKit/Source/JavaScriptCore/wtf/text/StringImpl.cpp:89
    #3 0x7f9a891e0710 in WTF::HashAndUTF8CharactersTranslator::translate third_party/WebKit/Source/JavaScriptCore/wtf/text/AtomicString.cpp:202
    #4 0x7f9a891e01d5 in stringTable third_party/WebKit/Source/JavaScriptCore/wtf/HashSet.h:189
    #5 0x7f9a8a2a59d2 in WTF::AtomicString::fromUTF8 third_party/WebKit/Source/JavaScriptCore/wtf/text/AtomicString.h:176
    #6 0x7f9a88d978c8 in xmlParseStartTag2 third_party/libxml/src/parser.c:9126
    #7 0x7f9a88da08a3 in xmlParseTryOrFinish third_party/libxml/src/parser.c:10847
    #8 0x7f9a88d9de70 in xmlParseChunk third_party/libxml/src/parser.c:11625
    #9 0x7f9a8a2a3963 in WebCore::XMLDocumentParser::doWrite third_party/WebKit/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:653
    #10 0x7f9a8a29d6a5 in WTF::RefPtr<WTF::StringImpl>::~RefPtr third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #11 0x7f9a8c7d784b in WTF::Deque<WebCore::SegmentedSubstring, 0ul>::~Deque third_party/WebKit/Source/JavaScriptCore/wtf/Deque.h:370
    #12 0x7f9a8a01df1d in WebCore::DocumentLoader::commitData third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:317
    #13 0x7f9a8914d816 in WebKit::FrameLoaderClientImpl::committedLoad third_party/WebKit/Source/WebKit/chromium/src/FrameLoaderClientImpl.cpp:1112
    #14 0x7f9a8a01db4b in WebCore::DocumentLoader::commitLoad third_party/WebKit/Source/WebCore/loader/DocumentLoader.cpp:303
    #15 0x7f9a8a0b29d4 in WebCore::ResourceLoader::didReceiveData third_party/WebKit/Source/WebCore/loader/ResourceLoader.cpp:291

Comment 2 by tsepez@chromium.org, Oct 19 2011
Labels: Mstone-16 SecSeverity-Medium
Cc: -infe...@chromium.org
Labels: -Pri-0 Pri-1 OS-All
Comment 4 by laforge@google.com, Oct 24 2011
Labels: -Mstone-16 MovedFrom-16 Mstone-17
Comment 5 by jsc...@chromium.org, Oct 24 2011
Labels: -SecSeverity-Medium SecSeverity-Low
Owner: jsc...@chromium.org
Status: Started
Filed upstream: https://bugs.webkit.org/show_bug.cgi?id=70763

It's a trivial fix and I have a patch up for review. I'm bumping severity down to low because it's a one-character OOB read from which you can recover at most one bit of state (and I'm not certain that state is actually recoverable).

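The following is an added example, not code from the bug report, from WebKit, or from the upstream patch. It models the defect the report's gdb listing shows (parseArcFlag dereferences *ptr before checking ptr against end) next to a bounds-checked variant, and a small driver that issues the two parseArcFlag calls an arc segment needs, the way the trace's SVGPathStringSource::parseArcToSegment frame does. It also illustrates the point in comment 5 about what an attacker can learn: the unchecked parser's result depends on the one code unit that happens to sit past the end of the string. Assumptions: the tail of parseArcFlag after the if/else-if is not on this page, so the else-return-false and delimiter skip are guessed; `if (ptr >= end) return false;` is this example's rendering of a bounds check and not the literal text of changeset 98344; char16_t stands in for WTF's UChar; the names parseArcFlag_unchecked, parseArcFlag_checked, ArcFlags, parseArcFlagsFrom and the `slack` unit are the example's own; all inputs are constructed.

```cpp
// Added example: a stand-alone model of WebCore::parseArcFlag before and
// after an end-of-buffer check. Not WebKit code; helper names and inputs are
// this example's own (see the lead-in for the assumptions).
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

typedef char16_t UChar; // stands in for WTF's 16-bit UChar (assumption)

// Same role as WebKit's skipOptionalSpacesOrDelimiter: bounded by `end`.
static void skipOptionalSpacesOrDelimiter(const UChar*& ptr, const UChar* end)
{
    while (ptr < end && (*ptr == ' ' || *ptr == '\t' || *ptr == '\n' || *ptr == '\r' || *ptr == ','))
        ++ptr;
}

// The shape shown in the gdb listing: *ptr is dereferenced before anyone asks
// whether ptr < end. When the flag is missing at the very end of the path
// string this reads one UChar (2 bytes) just past the backing store, which is
// the "READ of size 2 ... 0 bytes to the right of 106-byte region" ASan shows.
// The tail after the if/else-if is not on the page; it is assumed here.
bool parseArcFlag_unchecked(const UChar*& ptr, const UChar* end, bool& flag)
{
    const UChar flagChar = *ptr++;
    if (flagChar == '0')
        flag = false;
    else if (flagChar == '1')
        flag = true;
    else
        return false;
    skipOptionalSpacesOrDelimiter(ptr, end);
    return true;
}

// Hardened shape: refuse to read when the cursor already sits at end. The
// upstream fix adds a bounds check of this kind; its exact wording is not
// reproduced here.
bool parseArcFlag_checked(const UChar*& ptr, const UChar* end, bool& flag)
{
    if (ptr >= end)
        return false;
    return parseArcFlag_unchecked(ptr, end, flag); // ptr < end now holds, so the single read is in bounds
}

typedef bool (*ArcFlagParser)(const UChar*&, const UChar*, bool&);

struct ArcFlags {
    bool ok;         // both flags parsed
    bool largeArc;
    bool sweep;
    bool overran;    // the parser consumed the unit that lies past `end`
    size_t consumed; // code units advanced from the start of the buffer
};

// Parse "largeArcFlag sweepFlag" from the start of `text`, mirroring the two
// parseArcFlag calls an arc segment needs. `slack` is one constructed code
// unit placed in memory just past `end` (the example's stand-in for whatever
// the heap holds after the attribute's StringImpl), so the unchecked parser
// can run without undefined behaviour while still showing that its outcome
// depends on out-of-bounds data.
ArcFlags parseArcFlagsFrom(const std::u16string& text, UChar slack, ArcFlagParser parser)
{
    std::vector<UChar> buf(text.begin(), text.end());
    buf.push_back(slack);                        // index text.size(): outside [ptr, end)
    const UChar* ptr = buf.data();
    const UChar* end = buf.data() + text.size(); // end excludes the slack unit
    ArcFlags r = {false, false, false, false, 0};

    skipOptionalSpacesOrDelimiter(ptr, end);
    bool haveLarge = parser(ptr, end, r.largeArc);
    // Only one unit of slack exists, so stop once the cursor has left the buffer.
    bool haveSweep = haveLarge && ptr <= end && parser(ptr, end, r.sweep);

    r.ok = haveLarge && haveSweep;
    r.consumed = static_cast<size_t>(ptr - buf.data());
    r.overran = r.consumed > text.size();
    return r;
}

int main()
{
    // "1" ends the attribute right after largeArcFlag; sweepFlag is missing.
    ArcFlags leaky1 = parseArcFlagsFrom(u"1", u'1', parseArcFlag_unchecked);
    ArcFlags leakyX = parseArcFlagsFrom(u"1", u'x', parseArcFlag_unchecked);
    ArcFlags safe   = parseArcFlagsFrom(u"1", u'1', parseArcFlag_checked);
    std::printf("unchecked, slack '1': ok=%d sweep=%d overran=%d\n", leaky1.ok, leaky1.sweep, leaky1.overran);
    std::printf("unchecked, slack 'x': ok=%d overran=%d\n", leakyX.ok, leakyX.overran);
    std::printf("checked:              ok=%d overran=%d consumed=%zu\n", safe.ok, safe.overran, safe.consumed);
    return 0;
}
```

Whether the unchecked parse of "1" succeeds, and what sweep ends up holding, is decided entirely by the slack unit: '1' yields a successful parse with sweep set, anything else fails the segment. That is the one bit of state comment 5 refers to; the checked variant fails the segment regardless of what follows the buffer and never advances past end.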
Comment 6 by jsc...@chromium.org, Oct 25 2011
Labels: -Pri-1 -MovedFrom-16 -Mstone-17 Pri-2 Merge-Approved Mstone-16
Status: FixUnreleased
Landed upstream: http://trac.webkit.org/changeset/98344

It should be a trivial merge, but the severity is so low I'm not sure it warrants it.
Comment 7 by jsc...@chromium.org, Oct 27 2011
Labels: -Restrict-View-SecurityTeam -Mstone-16 Restrict-View-SecurityNotify Mstone-15 SecImpacts-Beta SecImpacts-Stable
Labels: -Merge-Approved -Mstone-15 Merge-Merged Mstone-16
Might as well.
Merged to M16: http://trac.webkit.org/changeset/99025
Comment 9 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 10 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 11 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -Stability-AddressSanitizer -SecSeverity-Low -Mstone-16 -SecImpacts-Beta -SecImpacts-Stable Cr-Content Security-Severity-Low Security-Impact-Beta Performance-Memory-AddressSanitizer Security-Impact-Stable Type-Bug-Security M-16
Project Member Comment 12 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 13 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 18 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 19 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 20 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic