
Issue 151449


Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in cc::CCKeyframedTransformAnimationCurve::getValue

Project Member Reported by infe...@chromium.org, Sep 21 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=112684939

Fuzzer: Inferno_layout_test_fuzzer

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f25a7b3c990
Crash State:
  - crash stack -
  cc::CCKeyframedTransformAnimationCurve::getValue
  cc::CCLayerAnimationController::tickAnimations
  cc::CCLayerAnimationController::animate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=156820:156996

Minimized Testcase (0.50 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95rqWcStevSKTFPIQ_dMk4rwxh-gbtm1nraZJjVz-QpRbooS3nA9jpoDKVp5caqYTQoBtOO5UAS5QqhoRWsG9Exk_rzuIq0MisRJkllyd5uEbLyVFZ-FoLDpGTq47POrs1go0l1iMdr-PIcdDQHI0Cd3d_9jjqFBd6R7Xnzjf5ymyTuh8A
<style>
    .box {
    }

    .spinning {
      /* the minimized input keeps only a huge negative animation duration */
      -webkit-animation: spin -4500000000s infinite linear;
    }

    @-webkit-keyframes spin {
      to   { -webkit-transform: rotate(360deg); }
    }
</style>
<script>
    function doTest()
    {
      box.addEventListener('webkitAnimationStart', function() {
        if (window.testRunner) {
        }
      }, false);
      document.getElementById('box').className = 'spinning';
    }

    window.addEventListener('load', doTest, false);
</script>
<div id="box"></div>
 
Cc: vollick@chromium.org jam...@chromium.org
Owner: enne@chromium.org
Status: Assigned
Adrienne, can you please help triage this? Looks like you and James have been playing in this area as per trac :)

Comment 2 by jam...@chromium.org, Sep 21 2012

Cc: enne@chromium.org
Owner: vollick@chromium.org
This is Ian's code.
Ian, this might not be a regression, but might have been uncovered by something like a Skia roll. Please do triage it and let us know if it is not a regression and affects m22. We are very close to Pwnium and need to make sure to uptake this in next week's beta (only if it affects m22).
I think I've got a handle on this one and am very close to a fix. It looks like we're not handling zero duration animations gracefully.
Labels: -SecImpacts-None -Mstone-23 SecImpacts-Stable Mstone-22 SecImpacts-Beta
Ian confirmed that this bug has existed a long time. We will definitely merge this; looks like a simple-to-hit integer underflow in animations.
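As an added illustration of the bug class the comments above describe (a keyframe lookup that turns an out-of-range or degenerate animation time into an out-of-bounds read, and the clamping that prevents it), this is not code from Chromium's cc/ or from this bug's fix; the Keyframe struct, the function names and the sample curves are hypothetical, and the exact cc code path is not shown on this page:

```cpp
// Added example, not Chromium code. Models how a keyframed curve lookup can
// underflow its index when the requested time lies before the first keyframe
// (as a zero or negative duration animation can produce), and how to guard it.
#include <cassert>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Keyframe {
    double time;   // seconds since animation start, ascending
    double value;  // e.g. rotation in degrees
};

// "Before": locate the segment [i-1, i] containing t with no range check.
// If t precedes the first keyframe, or is NaN (every comparison false), the
// loop stops at i == 0 and i - 1 wraps to SIZE_MAX. The index is returned
// rather than dereferenced so the test can observe the wrap safely; reading
// keyframes[SIZE_MAX].value would be an 8-byte heap read past the buffer.
size_t naiveSegmentIndex(const std::vector<Keyframe>& kfs, double t) {
    size_t i = 0;
    while (i < kfs.size() && kfs[i].time < t)
        ++i;
    return i - 1;  // underflows when i == 0
}

// "After": reject NaN, clamp t into the curve's time range, and treat a
// single-keyframe curve as constant. After the clamps a.time < t <= b.time,
// so the segment length is strictly positive and the division is safe even
// for a curve whose keyframes all share one time (zero duration).
double safeValue(const std::vector<Keyframe>& kfs, double t) {
    if (kfs.empty())
        return 0.0;
    if (std::isnan(t) || kfs.size() == 1 || t <= kfs.front().time)
        return kfs.front().value;
    if (t >= kfs.back().time)
        return kfs.back().value;
    size_t i = 1;
    while (kfs[i].time < t)  // terminates with i < size because t < back().time
        ++i;
    const Keyframe& a = kfs[i - 1];
    const Keyframe& b = kfs[i];
    double f = (t - a.time) / (b.time - a.time);
    return a.value + f * (b.value - a.value);
}

// Constructed sample curves (hypothetical data, not from the testcase).
std::vector<Keyframe> sampleCurve() {        // 0deg at t=0, 360deg at t=1
    return {{0.0, 0.0}, {1.0, 360.0}};
}
std::vector<Keyframe> zeroDurationCurve() {  // both keyframes at t=0
    return {{0.0, 0.0}, {0.0, 360.0}};
}

int main() {
    std::printf("naive index for t=-1: %zu (SIZE_MAX is %zu)\n",
                naiveSegmentIndex(sampleCurve(), -1.0), (size_t)SIZE_MAX);
    std::printf("safe value at t=-1: %g, t=0.5: %g, t=2: %g\n",
                safeValue(sampleCurve(), -1.0), safeValue(sampleCurve(), 0.5),
                safeValue(sampleCurve(), 2.0));
    std::printf("zero-duration curve at t=0: %g\n",
                safeValue(zeroDurationCurve(), 0.0));
    return 0;
}
```

The unguarded version is kept only to show where the wrap happens; a real fix clamps the time (or the iteration progress that produces it) before it ever reaches the index computation, which is also what makes the zero-duration case a no-op rather than a read past the keyframe array.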

Comment 6 by ClusterFuzz, Sep 23 2012

ClusterFuzz has detected this issue as fixed in range 158017:158179.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=112684939

Fuzzer: Inferno_layout_test_fuzzer

Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x7f25a7b3c990
Crash State:
  - crash stack -
  cc::CCKeyframedTransformAnimationCurve::getValue
  cc::CCLayerAnimationController::tickAnimations
  cc::CCLayerAnimationController::animate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=156820:156996
Fixed: https://cluster-fuzz.appspot.com/revisions?range=158017:158179

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rqWcStevSKTFPIQ_dMk4rwxh-gbtm1nraZJjVz-QpRbooS3nA9jpoDKVp5caqYTQoBtOO5UAS5QqhoRWsG9Exk_rzuIq0MisRJkllyd5uEbLyVFZ-FoLDpGTq47POrs1go0l1iMdr-PIcdDQHI0Cd3d_9jjqFBd6R7Xnzjf5ymyTuh8A

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Looks like you forgot http://src.chromium.org/viewvc/chrome?view=rev&revision=158092 in the changelog, so the bug didn't get updated. nw.

Can you please create the custom fix for the m22 branch. As we discussed, looks like the 1 line change needs to go in the webkit file (which is now on chromium side in trunk).
@inferno: what's this mention of a "custom fix"? This won't merge as-is?
Yes, this code existed in WebKit and not in Chromium. In this case, we are just going to put the 2 line fix in the WebKit file and not worry about merging tests. I did chat with Ian. Ian, were you able to merge directly to the WebKit Chromium branch?

Comment 10 by k...@google.com, Sep 24 2012

If this is merged, please update the labels.
Labels: -Merge-Approved Merge-Merged
Yes, it's been committed to the M22 webkit branch.
Labels: -Merge-Merged Merge-Approved
Back to Merge-Approved so we can check it was merged to M23 as well.

M22 was: http://trac.webkit.org/changeset/129436
Labels: -Merge-Approved Merge-Merged
@scarybeasts - https://src.chromium.org/viewvc/chrome?view=rev&revision=158491 was m23
Labels: CVE-2012-5110
Status: Fixed

Comment 16 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-WebKit -Type-Security -SecSeverity-Medium -SecImpacts-Stable -Mstone-22 -Stability-AddressSanitizer -SecImpacts-Beta Cr-Content Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Type-Bug-Security M-22 Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 21 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 22 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink

Comment 23 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
