Issue 121926

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware

Reported by attek...@gmail.com, Apr 4 2012

Issue description

repro-file as attachment

VERSION
Chrome Version: 20.0.1092.0 (Developer Build 130641) ASAN
Operating System: Ubuntu 11.04 x86_64

ASAN-report:

==28168== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f885f2102b4 at pc 0x7f8877238bf1 bp 0x7fff020044f0 sp 0x7fff020044e8
READ of size 1 at 0x7f885f2102b4 thread T0
    #0 0x7f8877238bf1 in WebCore::FEConvolveMatrix::platformApplySoftware() ???:0
    #1 0x7f8875387f93 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0
    #2 0x7f88750a9df0 in WebCore::SVGRenderingContext::~SVGRenderingContext() ???:0
    #3 0x7f88753fd1db in WebCore::RenderSVGContainer::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #4 0x7f88745b8367 in WebCore::RenderBox::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #5 0x7f887508a478 in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #6 0x7f887477504b in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #7 0x7f88746ba6b8 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #8 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #9 0x7f88746bb17e in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #10 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #11 0x7f88746b611d in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) ???:0
    #12 0x7f88740066a5 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #13 0x7f8873517a7c in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #14 0x7f8872b2e716 in WebKit::WebFrameImpl::paintWithContext(WebCore::GraphicsContext&, WebKit::WebRect const&) ???:0
    #15 0x7f8872b2ea5c in WebKit::WebFrameImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #16 0x7f8872b698a9 in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #17 0x7f8876568ed8 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) ???:0
    #18 0x7f887655ed40 in RenderWidget::DoDeferredUpdate() ???:0
    #19 0x7f88765622b5 in RenderWidget::OnUpdateRectAck() ???:0
    #20 0x7f88765608ec in RenderWidget::OnMessageReceived(IPC::Message const&) ???:0
    #21 0x7f8876512d92 in RenderViewImpl::OnMessageReceived(IPC::Message const&) ???:0
    #22 0x7f887266e749 in MessageRouter::RouteMessage(IPC::Message const&) ???:0
    #23 0x7f887266e5b0 in MessageRouter::OnMessageReceived(IPC::Message const&) ???:0
    #24 0x7f88725878d2 in ChildThread::OnMessageReceived(IPC::Message const&) ???:0
    #25 0x7f88712bfa13 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ???:0
    #26 0x7f88711ac171 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #27 0x7f88711ac916 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #28 0x7f88711adbfb in MessageLoop::DoWork() ???:0
    #29 0x7f88711b8207 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ???:0
    #30 0x7f88711aadde in MessageLoop::RunInternal() ???:0
    #31 0x7f88711a8fcf in MessageLoop::Run() ???:0
    #32 0x7f88765858ee in RendererMain(content::MainFunctionParams const&) ???:0
    #33 0x7f88710bcb62 in (anonymous namespace)::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:0
    #34 0x7f88710bb1ba in content::ContentMain(int, char const**, content::ContentMainDelegate*) ???:0
    #35 0x7f886fcb38c7 in ChromeMain ??:0
    #36 0x7f886fcb382b in main ???:0
    #37 0x7f8868e63eff in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x7f885f2102b4 is located 0 bytes to the right of 52-byte region [0x7f885f210280,0x7f885f2102b4)
allocated by thread T0 here:
    #0 0x7f88778ef782 in operator new[](unsigned long) ??:0
    #1 0x7f8872dfac76 in WTF::ByteArray::create(unsigned long) ???:0
    #2 0x7f88737b66c2 in WebCore::FilterEffect::asPremultipliedImage(WebCore::IntRect const&) ???:0
    #3 0x7f8877237573 in WebCore::FEConvolveMatrix::platformApplySoftware() ???:0
    #4 0x7f8875387f93 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0
    #5 0x7f88750a9df0 in WebCore::SVGRenderingContext::~SVGRenderingContext() ???:0
    #6 0x7f88753fd1db in WebCore::RenderSVGContainer::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #7 0x7f88745b8367 in WebCore::RenderBox::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #8 0x7f887508a478 in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #9 0x7f887477504b in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #10 0x7f88746ba6b8 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #11 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #12 0x7f88746bb17e in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #13 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #14 0x7f88746b611d in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) ???:0
    #15 0x7f88740066a5 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #16 0x7f8873517a7c in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #17 0x7f8872b2e716 in WebKit::WebFrameImpl::paintWithContext(WebCore::GraphicsContext&, WebKit::WebRect const&) ???:0
    #18 0x7f8872b2ea5c in WebKit::WebFrameImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #19 0x7f8872b698a9 in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #20 0x7f8876568ed8 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) ???:0
    #21 0x7f887655ed40 in RenderWidget::DoDeferredUpdate() ???:0
    #22 0x7f88765622b5 in RenderWidget::OnUpdateRectAck() ???:0
==28168== ABORTING
Stats: 3M malloced (6M for red zones) by 24596 calls
Stats: 0M realloced by 51 calls
Stats: 2M freed by 11338 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11270 full pages) mmaped in 11 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32;
  mallocs by size class: 8:21571; 9:1460; 10:1022; 11:343; 12:64; 13:28; 14:91; 15:7; 16:9; 17:1;
  frees   by size class: 8:9090; 9:1022; 10:862; 11:228; 12:33; 13:17; 14:80; 15:3; 16:3;
  rfrees  by size class:
Stats: malloc large: 1 small slow: 97
Shadow byte and word:
  0x1ff10be42056: 4
  0x1ff10be42050: 00 00 00 00 00 00 04 fb
More shadow bytes:
  0x1ff10be42030: 00 00 00 00 00 00 04 fb
  0x1ff10be42038: fb fb fb fb fb fb fb fb
  0x1ff10be42040: fa fa fa fa fa fa fa fa
  0x1ff10be42048: fa fa fa fa fa fa fa fa
=>0x1ff10be42050: 00 00 00 00 00 00 04 fb
  0x1ff10be42058: fb fb fb fb fb fb fb fb
  0x1ff10be42060: fa fa fa fa fa fa fa fa
  0x1ff10be42068: fa fa fa fa fa fa fa fa
  0x1ff10be42070: 00 00 04 fb fb fb fb fb

Attachment: home-heap-buffer-overflow-8f0.svg (643 bytes)
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit OS-All SecSeverity-Medium SecImpacts-None
Status: Available
I hit an assert (Aw Snap) in non-ASAN build on ToT on Linux, FWIW. Doesn't seem to pop on 18.
Summary: Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35334708

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7ffc2e12d6b4
Crash State:
  - crash stack -
  WebCore::FEConvolveMatrix::platformApplySoftware
  WebCore::RenderSVGResourceFilter::postApplyResource
  WebCore::SVGRenderingContext::~SVGRenderingContext
  

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LIXdSAHLvgZUoCSEUhruRvk06HV_Ck7HAnXYdlXwej3V1t-zxBmcNlbgY-o4mwlm56RGTbz3MDfRNoMw6TOY7i7Pj8aMQ1AMJc7EXu2p1o2dakteXK7PBMF_HB34ElVO9-RfaGlmKmOiVnbw2-HdG0DJkTQ
<svg xmlns="http://www.w3.org/2000/svg">

<filter id="f1">
  <feConvolveMatrix
   order="-3" kernelMatrix="0 1 0   1 1 1   0 1 0"/>
</filter>
<g filter="url(#f1)">
  <rect y="0" width="1" height="1">
Labels: -SecImpacts-None SecImpacts-Stable SecImpacts-Beta Mstone-18 Stability-AddressSanitizer
We need to be careful with the correct Milestone and SecImpacts label. ClusterFuzz helps a lot here; if it doesn't, we should just validate using asanified stable, beta builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html
Cc: pdr@chromium.org
Labels: WebKit-SVG
Owner: schenney@chromium.org
Status: Assigned
Stephen Sir! Need your help with triage.

Comment 5 by attek...@gmail.com, Apr 19 2012

Any progress with this one?
On it now. You may have heard about the chaos in the office.

Comment 7 by jsc...@chromium.org, Apr 19 2012

I don't think attekett would be (since he's the external reporter). However, the security team is aware of that and the WebKit meet-up adding latency at the moment. So, thanks for still being on top of this stuff considering the circumstances.
Status: Started
Simple issue with invalid input values.

https://bugs.webkit.org/show_bug.cgi?id=84363
Status: Fixed
WebKit Committed r115316: <http://trac.webkit.org/changeset/115316>
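The minimized testcase above reaches the software convolution with order="-3", which is the "invalid input value" the fix rejects. The following is an added illustration written for this page, not WebKit's FEConvolveMatrix code and not the r115316 patch: it models the feConvolveMatrix parameters, shows the validation a filter primitive needs before its loops run, and models (as an assumption about how such implementations are commonly structured, not as the exact WebKit code path) how a negative order makes the "no clamping needed" interior rectangle grow past the image buffer. The 13x1 image used in main() is likewise an assumption chosen to match the 52-byte premultiplied region in the ASAN report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the feConvolveMatrix inputs (illustrative, not WebKit). */
typedef struct {
    int order_x, order_y;   /* SVG "order": kernel columns and rows */
    const float *kernel;    /* SVG "kernelMatrix" values, row-major */
    size_t kernel_len;      /* how many values were actually supplied */
    int target_x, target_y; /* SVG "targetX"/"targetY", default order/2 */
    float divisor;          /* SVG "divisor" */
} convolve_params;

typedef struct { int x0, y0, x1, y1; } rect; /* half-open [x0,x1) x [y0,y1) */

/* Parameters equivalent to the minimized testcase: order="-3" with the
 * nine-value kernelMatrix and targetX/targetY at their default of order/2
 * (C's truncating division gives -1 for order -3). */
convolve_params testcase_params(void) {
    static const float k[9] = { 0, 1, 0,  1, 1, 1,  0, 1, 0 };
    convolve_params p = { -3, -3, k, 9, -3 / 2, -3 / 2, 1.0f };
    return p;
}

/* Reject everything the convolution loops cannot handle: non-positive order,
 * a kernelMatrix whose length is not orderX*orderY, a target outside the
 * kernel, or a zero divisor. An invalid primitive should produce no effect. */
bool convolve_validate(const convolve_params *p) {
    if (p->order_x <= 0 || p->order_y <= 0) return false;
    if ((size_t)p->order_x * (size_t)p->order_y != p->kernel_len) return false;
    if (p->target_x < 0 || p->target_x >= p->order_x) return false;
    if (p->target_y < 0 || p->target_y >= p->order_y) return false;
    if (p->divisor == 0.0f) return false;
    return true;
}

/* Assumed implementation pattern: the image is split into an interior the
 * kernel can never push outside the buffer (processed with no per-pixel
 * clamping) and a clamped border. The interior is a sub-rectangle of the
 * w*h image only when order >= 1; a negative order makes it larger than the
 * image, so an unchecked interior pass reads past the allocation. */
rect interior_rect(const convolve_params *p, int w, int h) {
    rect r;
    r.x0 = p->target_x;
    r.y0 = p->target_y;
    r.x1 = w - (p->order_x - 1 - p->target_x);
    r.y1 = h - (p->order_y - 1 - p->target_y);
    return r;
}

bool interior_reads_out_of_bounds(const convolve_params *p, int w, int h) {
    rect r = interior_rect(p, w, h);
    return r.x0 < 0 || r.y0 < 0 || r.x1 > w || r.y1 > h;
}

/* Hardened apply: validate first, then convolve a single-channel 8-bit image
 * with clamp-to-edge sampling so no source index can leave the buffer.
 * Returns 0 on success, -1 if the parameters were rejected. */
int convolve_apply(const convolve_params *p, const uint8_t *src,
                   uint8_t *dst, int w, int h) {
    if (w <= 0 || h <= 0 || !convolve_validate(p)) return -1;
    for (int y = 0; y < h; y++) {
        for (int x = 0; x < w; x++) {
            float acc = 0.0f;
            for (int ky = 0; ky < p->order_y; ky++) {
                for (int kx = 0; kx < p->order_x; kx++) {
                    int sx = x + kx - p->target_x;
                    int sy = y + ky - p->target_y;
                    if (sx < 0) sx = 0; else if (sx >= w) sx = w - 1;
                    if (sy < 0) sy = 0; else if (sy >= h) sy = h - 1;
                    /* SVG applies kernelMatrix rotated by 180 degrees. */
                    size_t ki = (size_t)(p->order_y - 1 - ky) * (size_t)p->order_x
                              + (size_t)(p->order_x - 1 - kx);
                    acc += p->kernel[ki] * (float)src[sy * w + sx];
                }
            }
            acc /= p->divisor;
            if (acc < 0.0f) acc = 0.0f; else if (acc > 255.0f) acc = 255.0f;
            dst[y * w + x] = (uint8_t)(acc + 0.5f);
        }
    }
    return 0;
}

int main(void) {
    convolve_params bad = testcase_params();
    /* Assumed 13x1 image: 52 bytes of premultiplied RGBA as in the ASAN report. */
    printf("order=-3 valid: %d, interior overruns 13x1 image: %d\n",
           convolve_validate(&bad), interior_reads_out_of_bounds(&bad, 13, 1));
    return 0;
}
```

The point of the interior_rect model is that a check like order_x <= 0 must sit before any geometry is derived from the order; once a "safe" rectangle has been computed from a negative kernel size, every later loop trusts it, which is how a one-byte READ right past the end of the image region shows up in the report above.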
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased

Comment 11 by kenrb@chromium.org, Apr 26 2012

Thanks Stephen.

Comment 12 by attek...@gmail.com, Apr 27 2012

Worth reward-topanel?
Labels: reward-topanel
Definitely! Don't worry if we don't add the tag early. We eventually do the reward nominations when we are closer to release.
Project Member

Comment 14 by ClusterFuzz, Apr 27 2012

ClusterFuzz has detected this issue as fixed in range 134140:134155.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35334708

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7ffc2e12d6b4
Crash State:
  - crash stack -
  WebCore::FEConvolveMatrix::platformApplySoftware
  WebCore::RenderSVGResourceFilter::postApplyResource
  WebCore::SVGRenderingContext::~SVGRenderingContext
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=134140:134155

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96LIXdSAHLvgZUoCSEUhruRvk06HV_Ck7HAnXYdlXwej3V1t-zxBmcNlbgY-o4mwlm56RGTbz3MDfRNoMw6TOY7i7Pj8aMQ1AMJc7EXu2p1o2dakteXK7PBMF_HB34ElVO9-RfaGlmKmOiVnbw2-HdG0DJkTQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Mstone-18 -Merge-Approved Mstone-20
We think it would be hard to recover the OOB content, so letting it roll into M20 seems sane.
Labels: -reward-topanel
Since we think it's hard to recover the OOB content, the panel didn't find this a rewardable issue, unfortunately. Let us know if you think there's an aspect to this bug that we may have missed.
Labels: CVE-2012-2820
Project Member

Comment 18 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Project Member

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Mstone-20 -Stability-AddressSanitizer -WebKit-SVG Cr-Content M-20 Cr-Content-SVG Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Performance-Memory-AddressSanitizer Type-Bug-Security
Project Member

Comment 21 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 22 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member

Comment 26 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 27 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 28 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 29 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-SVG Cr-Blink-SVG
Project Member

Comment 30 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Labels: reward-topanel
Project Member

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0
Labels: CVE_description-submitted
