
Issue 115471


Issue metadata

Status: Fixed
Closed: Feb 2012
OS: All
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in SkAlphaRuns::add

Reported by aohe...@gmail.com, Feb 23 2012

Issue description

VULNERABILITY DETAILS
ASan reports a heap buffer overflow when the attached page is opened. The page has a valid SVG image in a div of specific size. The crash looks almost equal to http://crbug.com/110172, but that one has already been fixed and didn't reproduce in either of the builds mentioned below.

VERSION
Chrome Version: 17.0.963.56 (stable), 19.0.1048.0 (dev)
Operating System: Linux (Debian 6.0.4, x86_64)

REPRODUCTION CASE
Save both files to the same directory and open bof.html.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab (just bof)
Crash State:

Trace from 17.0.963.56:

==4254== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f3aabc5f0be at pc 0x7f3abce22a44 bp 0x7fff65f68a60 sp 0x7fff65f68a58
READ of size 2 at 0x7f3aabc5f0be thread T0
    #0 0x7f3abce22a44 in SkAlphaRuns::add(int, unsigned int, int, unsigned int, unsigned int, int) ???:0
0x7f3aabc5f0be is located 65474 bytes to the left of 98400-byte region [0x7f3aabc6f080,0x7f3aabc870e0)
allocated by thread T0 here:
    #0 0x7f3ac21b2d52 in malloc ??:0
    #1 0x7f3abce0c6e6 in sk_malloc_throw(unsigned long) ???:0
    #2 0x7f3abcd92d3d in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) ???:0
    #3 0x7f3abcd29ddb in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const ???:0
    #4 0x7f3abcd17c3f in SkCanvas::drawPath(SkPath const&, SkPaint const&) ???:0
    #5 0x7f3abee6b078 in WebCore::GraphicsContext::fillPath(WebCore::Path const&) ???:0
    #6 0x7f3ac0827b8d in WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0
==4254== ABORTING
Stats: 158M malloced (47M for red zones) by 20662 calls
Stats: 0M realloced by 194 calls
Stats: 2M freed by 12094 calls
Stats: 0M really freed by 0 calls
Stats: 244M (62473 full pages) mmaped in 14 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16; 22:1; 29:1;
  mallocs by size class: 8:17895; 9:1278; 10:946; 11:300; 12:87; 13:70; 14:56; 15:12; 16:12; 17:3; 18:1; 22:1; 29:1;
  frees   by size class: 8:10116; 9:831; 10:817; 11:175; 12:49; 13:49; 14:45; 15:6; 16:5; 18:1;
  rfrees  by size class:
Stats: malloc large: 6 small slow: 88
Shadow byte and word:
  0x1fe75578be17: fa
  0x1fe75578be10: fa fa fa fa fa fa fa fa
More shadow bytes:
  0x1fe75578bdf0: fa fa fa fa fa fa fa fa
  0x1fe75578bdf8: fa fa fa fa fa fa fa fa
  0x1fe75578be00: fa fa fa fa fa fa fa fa
  0x1fe75578be08: fa fa fa fa fa fa fa fa
=>0x1fe75578be10: fa fa fa fa fa fa fa fa
  0x1fe75578be18: fa fa fa fa fa fa fa fa
  0x1fe75578be20: fa fa fa fa fa fa fa fa
  0x1fe75578be28: fa fa fa fa fa fa fa fa
  0x1fe75578be30: fa fa fa fa fa fa fa fa

 
Attachments:
bof.html (80 bytes)
butterfly.svg (30.5 KB)
Labels: -Restrict-View-SecurityTeam -Pri-0 -Area-Undefined Restrict-View-SecurityNotify Pri-1 Area-Internals SecSeverity-High OS-All Mstone-17 SecImpacts-Stable SecImpacts-Beta Merge-Approved Stability-AddressSanitizer
Owner: reed@chromium.org
Status: FixUnreleased
Comment 27 by reed@google.com, Today (4 hours ago)
fixed in skia rev. 3240, 3242
Labels: reward-topanel
Cc: epoger@chromium.org
Adding Elliot
Labels: -Merge-Approved Merge-Merged
Ok I found some old Skia creds and was able to hand-merge to 963a at r3298 and r3299
And merge to 1025 at r3300

Sorry if the style is not up to the standard of normal Skia branch merges but we were at an emergency deadline.
Cc: epoger@google.com

Comment 6 by epoger@google.com, Mar 2 2012

Hey, as long as the patch works, I'm in favor.

Process post-mortem, so we don't have a mad scramble next time... somehow this bug sat in the following state from Feb 23 until March 1:

Restrict-View-SecurityNotify
Type-Security
Pri-1
Area-Internals
SecSeverity-High
OS-All
Mstone-17
SecImpacts-Stable
SecImpacts-Beta
Merge-Approved
Stability-AddressSanitizer
reward-topanel

Why did it not get noticed until March 1?  Seems like it should have been on some high-priority watchlist, given the above labels.
Sorry about that. We generally queue up all the merging and do it in one big hit. We were tripped up by the fact that Skia merges are different, and also an unusually large merge list -- combined with the fact this merge was done last :)

The March 1st date was simply the date that we decided to crank through our pending merge list.
Labels: -reward-topanel reward-1000 reward-unpaid
Thanks for fuzzing drawing path commands, Aki, seems like a good area :)

$1000

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: CVE-2011-3033

Comment 10 by aohe...@gmail.com, Mar 3 2012

@scarybeasts Nice doing business with you again :)
Labels: -reward-unpaid

Comment 12 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed..

Comment 13 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-High -Mstone-17 -SecImpacts-Stable -SecImpacts-Beta -Stability-AddressSanitizer Security-Impact-Stable Cr-Internals Security-Severity-High Security-Impact-Beta Type-Bug-Security M-17 Performance-Memory-AddressSanitizer

Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 22 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
