Issue 122586

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security

Global-buffer-overflow in HB_TibetanShape

Reported by miau...@gmail.com, Apr 8 2012

Issue description

VULNERABILITY DETAILS
Tibetan letter followed by Tibetan cantillation sign heavy beat says global buffer overflow in ASan

VERSION
Chrome Version: stable + dev

Chromium: 20.0.1095.0 (Developer Build 131299)
OS: Linux
WebKit: 536.6 (@113522)

Operating System: linux 64bit

REPRODUCTION CASE
data:text/html,ཀ࿀

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: renderer + asan
Crash State: 

==29058== ERROR: AddressSanitizer global-buffer-overflow on address 0x55555fbb6420 at pc 0x55555ce8a062 bp 0x7fffffff5730 sp 0x7fffffff5728
READ of size 1 at 0x55555fbb6420 thread T0
    #0 0x55555ce8a062 in HB_TibetanShape ???:0
    #1 0x55555ce896c8 in HB_ShapeItem ???:0
    #2 0x555559ea2c58 in WebCore::ComplexTextController::shapeGlyphs() ???:0

0x55555fbb6420 is located 0 bytes to the right of global variable 'tibetanForm (third_party/harfbuzz/src/harfbuzz-tibetan.c)' (0x55555fbb63a0) of size 128
  'tibetanForm (third_party/harfbuzz/src/harfbuzz-tibetan.c)' is ascii string '0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101'

Attachments: stable-tibet.txt (6.6 KB), tibet.html (17 bytes), tibet.txt (6.8 KB)
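Added illustration (not the harfbuzz or Chromium code, whose exact lookup expression and table contents are not on this page): why U+0FC0 lands exactly 0 bytes past a 128-byte table, and the range check that keeps such a lookup in bounds. It assumes the table is indexed by code point minus U+0F40, which is the only base consistent with the report's "0 bytes to the right ... of size 128"; the table contents and the "other" form value are placeholders.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the 128-byte global 'tibetanForm' table named in the
 * ASan report. Its real contents are not on this page, so the entries here are
 * placeholders; only the base code point and the size matter for the check.
 * Base U+0F40 is assumed: it makes U+0FC0 land at index 128, i.e. exactly
 * "0 bytes to the right" of a 128-byte table, as the report states. */
#define TIBETAN_BASE 0x0F40u
#define TIBETAN_SIZE 128u
static const unsigned char tibetanForm[TIBETAN_SIZE] = { 1 };

#define TIBETAN_FORM_OTHER 0xFF  /* hypothetical "not a Tibetan letter" class */

/* True when 'c - TIBETAN_BASE' is a valid index into the table. */
static int tibetan_index_in_bounds(uint32_t c) {
    return c >= TIBETAN_BASE && c - TIBETAN_BASE < TIBETAN_SIZE;
}

/* Bytes beyond the last table entry that an unchecked 'tibetanForm[c - base]'
 * would read, in ASan's "N bytes to the right of" terms; -1 when no overrun. */
static long bytes_past_table_end(uint32_t c) {
    if (c < TIBETAN_BASE || tibetan_index_in_bounds(c)) return -1;
    return (long)(c - TIBETAN_BASE) - (long)TIBETAN_SIZE;
}

/* Hardened lookup: range-test first, never index with an unchecked value. */
static unsigned char tibetan_form_checked(uint32_t c) {
    if (!tibetan_index_in_bounds(c)) return TIBETAN_FORM_OTHER;
    return tibetanForm[c - TIBETAN_BASE];
}

/* Walk a UTF-16 run (Tibetan is entirely in the BMP, so no surrogate pairs) and
 * count the code points an unchecked table lookup would read past the end. */
static size_t count_oob_lookups(const uint16_t *run, size_t len) {
    size_t oob = 0;
    for (size_t i = 0; i < len; i++)
        if (bytes_past_table_end(run[i]) >= 0) oob++;
    return oob;
}

/* Constructed sample: the reproduction case U+0F40 TIBETAN LETTER KA followed by
 * U+0FC0 TIBETAN CANTILLATION SIGN HEAVY BEAT, as UTF-16 code units. */
static const uint16_t repro_run[] = { 0x0F40, 0x0FC0 };
static const size_t repro_len = sizeof repro_run / sizeof repro_run[0];
```

Running `count_oob_lookups` over the reproduction run flags exactly the second code unit, and `bytes_past_table_end(0x0FC0)` reproduces the report's "0 bytes to the right" figure.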
Labels: -Area-Undefined Area-Internals
Does not repro for me on OS X, Chrome 18.0.1025.151. Will try Linux on Monday.
Chris, feel free to abuse the Clusterfuzz uploading interface https://cluster-fuzz.appspot.com/#uploadusertestcase :)

Comment 3 by palmer@google.com, Apr 9 2012

Summary: Global-buffer-overflow in HB_TibetanShape
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=34743097

Uploader: palmer@chromium.org

Crash Type: Global-buffer-overflow READ 1
Crash Address: 0x7f147856c1c0
Crash State:
  - crash stack -
  HB_TibetanShape
  HB_ShapeItem
  WebCore::ComplexTextController::shapeGlyphs
  

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95TnOZa8yyqkxhTkcHVXRa-EuLul3cEPz3UlRChK44McnZ0qmrINwvBIqIoK216xbf0VTlMlKomQhv2yPK0DwwUvNbk0bAaeMJSx-1LVMBSufKYVGdGxLW2QFjyVERWTj3523n6aM20jaARX6gTmGjHiSWUaA
ཀ࿀
Labels: -Pri-0 Pri-2 SecImpacts-None SecSeverity-Medium OS-Linux Mstone-20
Status: Available
Labels: -SecImpacts-None -Mstone-20 SecImpacts-Stable Mstone-18 SecImpacts-Beta
Owner: bashi@chromium.org
Status: Assigned
The clusterfuzz report says it affects Stable, fixing tags.

Kenichi, can you please help knock out this harfbuzz bug?

Comment 6 by bashi@chromium.org, Apr 10 2012

It's my bad. My previous fix wasn't perfect :( I'm preparing the fix.

Comment 7 by bashi@chromium.org, Apr 10 2012

Cc: behdad@chromium.org
http://codereview.chromium.org/10024052/

behdad@ -- Could you consider merging the CL to the upstream? (I understand we shouldn't maintain old-harfbuzz actively, though)

Comment 8 by behdad@chromium.org, Apr 10 2012

Pushed upstream.

Comment 9 by bashi@chromium.org, Apr 10 2012

Cc: agl@chromium.org evan@chromium.org
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
http://src.chromium.org/viewvc/chrome?view=rev&revision=131694

Comment 11 by ClusterFuzz, Apr 12 2012

ClusterFuzz has detected this issue as fixed in range 131693:131706.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=34743097

Uploader: palmer@chromium.org

Crash Type: Global-buffer-overflow READ 1
Crash Address: 0x7f147856c1c0
Crash State:
  - crash stack -
  HB_TibetanShape
  HB_ShapeItem
  WebCore::ComplexTextController::shapeGlyphs
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=131693:131706

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95TnOZa8yyqkxhTkcHVXRa-EuLul3cEPz3UlRChK44McnZ0qmrINwvBIqIoK216xbf0VTlMlKomQhv2yPK0DwwUvNbk0bAaeMJSx-1LVMBSufKYVGdGxLW2QFjyVERWTj3523n6aM20jaARX6gTmGjHiSWUaA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Thanks for the bug, miaubiz.

$0 because we don't believe any significant OOB content can be recovered. Let us know if you disagree.
Labels: -Mstone-18 -Merge-Approved Mstone-19 Merge-Merged
M19: r134519

Labels: CVE-2011-3094

Comment 15 by cdn@chromium.org, May 15 2012

Status: Fixed
Updating status to Fixed on security bugs which were fixed when m19 went to stable.

Comment 16 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 17 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecImpacts-Stable -SecSeverity-Medium -Mstone-19 -SecImpacts-Beta Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium M-19 Cr-Internals Type-Bug-Security

Comment 18 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 24 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Labels: reward-topanel

Comment 26 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 27 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: -reward-topanel reward-0
per #12
Labels: CVE_description-submitted