
Issue metadata

Status: Fixed
Owner:
Closed: May 2013
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



ASSERTION FAILED: run.charactersLength() >= run.length(), Heap-buffer-overflow in WebCore::Font::characterRangeCodePath

Reported by aarya@google.com (Project Member), Apr 20 2013

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=179368951

Fuzzer: Miaubiz_svg_fuzzer

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x600800117bf4
Crash State:
  - crash stack -
  WebCore::Font::characterRangeCodePath
  WebCore::Font::drawText
  WebCore::SVGInlineTextBox::paintTextWithShadows
  

Minimized Testcase (9.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947xLyZEJ_4hM7siGmxQipj5Vulne79FxkGujpHBd4IuWoDRXQpoQ7NW7rtgQBlQQV53p8S_SM3A3weIaCk2HN8ZGL1qsFXScc9I7zefiHkePJFItwB0lJmp5AoAEHJNVPWwgpCJhZeA0xG-jRyTjv_9cRMmBKWyvFBIaL11hD61BRI41M
 
Cc: pdr@chromium.org schenney@chromium.org miau...@gmail.com fmalita@chromium.org
Owner: schenney@chromium.org
Status: Assigned

Comment 3 Deleted

Ignore the last ClusterFuzz which says fixed in range "195296:195394". Looks like a bad build sneaked in [clang roll] and ASAN stopped working. Things look fine on trunk, so I clicked redo on ClusterFuzz reports.

Comment 5 Deleted

That's the least minimized minimization possible. :-(

Debug assertion hits. Not surprising that it's a buffer read overflow.

ASSERTION FAILED: run.charactersLength() >= run.length()
../../third_party/WebKit/Source/core/rendering/svg/SVGInlineTextBox.cpp(450) : WebCore::TextRun WebCore::SVGInlineTextBox::constructTextRun(WebCore::RenderStyle *, const WebCore::SVGTextFragment &) const

Now I'll try to really minimize it.
Discovered during minimization: This will hit different asserts depending on which lines are added/removed. There may be more than one problem here.
This is another instance of two SVG roots in a single page, with a text-related element in the first root using a filter from the second, and layout leaving the first SVG root marked as needing layout but not laid out.

That is, https://code.google.com/p/chromium/issues/detail?id=231618

I suspect that the fix there does not fix things here due to the unicode characters in the text path.
cr233848-minimized.html
916 bytes View Download
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=180641586

Fuzzer: Miaubiz_svg_fuzzer

Crash Type: Heap-buffer-overflow READ 2
Crash Address: 0x6050002e4a9a
Crash State:
  - crash stack -
  WebCore::Font::characterRangeCodePath
  WebCore::Font::selectionRectForText
  WebCore::SVGInlineTextBox::selectionRectForTextFragment
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=116390:116434

Minimized Testcase (8.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960yWT48cx_p8JD01fu7Nj7Ti-cinzfRPHltqKsV77o0p73bebpjphGuaq0QNAoWo24myUnsKCFDJdRowCdKtdg7Wa9EQ-hxvWmR8qci1YFuOmVNITajR8lsWK0R2kbeSC64xdWouQBh98xOm62V9EK7aiN97kTyzMthnzbHan94x-Fuo4
Labels: Security-Code28
Please do read Mark's email titled "Calling a Code 28 for Security Bugs" on chrome-team mailing list.
Hey Stephen, are you still OK to own this one (in addition to https://code.google.com/p/chromium/issues/detail?id=231618) too?
I think I should still own it. I don't know who else would be willing to deal with it. I'm finishing up another task and then it's on to this.
Cc: le...@chromium.org
Status: Started
Patch up: https://codereview.chromium.org/15183002/

I am not sure that this fixes every issue with the "minimized" not so minimized test. Various attempts to minimize it led to different assertions and maybe some of those are still problems.
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
https://src.chromium.org/viewvc/blink?view=rev&revision=150456
Comment 15 by bugdroid1@chromium.org (Project Member), May 15 2013

The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=150456

------------------------------------------------------------------------
r150456 | schenney@chromium.org | 2013-05-15T22:41:19.026846Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/svg/SVGInlineTextBox.cpp?r1=150456&r2=150455&pathrev=150456
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/svg/SVGRootInlineBox.h?r1=150456&r2=150455&pathrev=150456
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/custom/unicode-in-tspan-multi-svg-crash-expected.txt?r1=150456&r2=150455&pathrev=150456
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/svg/SVGInlineTextBox.h?r1=150456&r2=150455&pathrev=150456
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/custom/unicode-in-tspan-multi-svg-crash.html?r1=150456&r2=150455&pathrev=150456

Clear SVGInlineTextBox fragments when the text changes.

This patch modifies SVGInlineTextBox::dirtyLineBoxes to clear all
following text boxes when invoked. Typically this method is called
when the underlying text string changes, and that change needs to
be propagated to all the boxes that use the text beyond the point
where the text is first modified.

Also cleans up virtual, OVERRIDE and FINAL for SVGRootInlineBox, which was all messed up.

R=inferno@chromium.org,leviw@chromium.org
BUG= 233848 

Review URL: https://chromiumcodereview.appspot.com/15183002
------------------------------------------------------------------------
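The failure mode described in Stephen's analysis above (text boxes left with ranges computed for an earlier layout) and the remedy in the commit message (dirty every following box when the text changes), as an added example that is not Blink's code. It is a simplified C model: a `TextBuffer`, `Fragment`, `construct_run`, `relayout_dirty` and `dirty_following` are all hypothetical names chosen here, the "4 code units per chunk" layout and the 12-then-5-character sample text are constructed, and the only thing taken from the page is the invariant the assertion states: a run may not claim more characters than back it, otherwise the renderer reads past the buffer two bytes (one UTF-16 unit) at a time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not Blink code: one backing UTF-16 buffer shared by
 * several layout fragments, each remembering the range it was laid out with. */
typedef struct {
    const uint16_t *chars;  /* UTF-16 code units; "READ 2" in the report is one unit */
    size_t length;          /* code units currently valid */
} TextBuffer;

typedef struct {
    size_t start;           /* offset into TextBuffer.chars */
    size_t length;          /* code units this fragment covers */
    bool dirty;             /* analogue of "needs layout" */
} Fragment;

#define MAX_FRAGS 8
#define CHUNK ((size_t)4)   /* constructed: fixed-size chunks stand in for SVG text chunks */

/* Initial layout: every fragment produced is consistent with the buffer. */
static size_t layout(const TextBuffer *tb, Fragment *frags, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off < tb->length && n < max; off += CHUNK) {
        size_t rest = tb->length - off;
        frags[n++] = (Fragment){ off, rest < CHUNK ? rest : CHUNK, false };
    }
    return n;
}

/* Relayout only fragments marked dirty: clamp them to the characters now
 * available, drop those starting past the end. Clean fragments are kept
 * untouched, which is exactly what goes wrong in the stale path below. */
static size_t relayout_dirty(const TextBuffer *tb, Fragment *frags, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        Fragment f = frags[i];
        if (f.dirty) {
            if (f.start >= tb->length) continue;         /* nothing left: drop it */
            size_t rest = tb->length - f.start;
            f.length = rest < f.length ? rest : f.length;
            f.dirty = false;
        }
        frags[kept++] = f;
    }
    return kept;
}

/* The invariant the page's assertion states (charactersLength >= length):
 * refuse the run instead of reading past the buffer. */
static bool construct_run(const TextBuffer *tb, const Fragment *f,
                          const uint16_t **run, size_t *run_len) {
    size_t avail = f->start < tb->length ? tb->length - f->start : 0;
    if (f->length > avail)          /* would read (f->length - avail) * 2 bytes OOB */
        return false;
    *run = tb->chars + f->start;
    *run_len = f->length;
    return true;
}

static size_t count_overreads(const TextBuffer *tb, const Fragment *frags, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        const uint16_t *run; size_t len;
        if (!construct_run(tb, &frags[i], &run, &len)) bad++;
    }
    return bad;
}

/* Constructed sample text: 12 code units, later replaced by 5. */
static const uint16_t LONG_TEXT[12] = { 'a','b','c','d','e','f','g','h','i','j','k','l' };
static const uint16_t SHORT_TEXT[5] = { 'a','b','c','d','e' };

/* Pre-fix behaviour: after the text shrinks only the box where the change
 * starts is dirtied; the boxes after it keep ranges from the old layout. */
size_t stale_overreads(void) {
    TextBuffer tb = { LONG_TEXT, 12 };
    Fragment frags[MAX_FRAGS];
    size_t n = layout(&tb, frags, MAX_FRAGS);    /* [0,4) [4,8) [8,12) */
    tb.chars = SHORT_TEXT; tb.length = 5;        /* text changed at offset 0 */
    frags[0].dirty = true;                       /* only the first box is refreshed */
    n = relayout_dirty(&tb, frags, n);
    return count_overreads(&tb, frags, n);       /* [4,8) and [8,12) overrun: 2 */
}

/* Post-fix behaviour modelled on the commit message: dirty every box from the
 * change onward so relayout rebuilds (or drops) all of them. */
static void dirty_following(Fragment *frags, size_t n, size_t from) {
    for (size_t i = from; i < n; i++) frags[i].dirty = true;
}

size_t fixed_overreads(void) {
    TextBuffer tb = { LONG_TEXT, 12 };
    Fragment frags[MAX_FRAGS];
    size_t n = layout(&tb, frags, MAX_FRAGS);
    tb.chars = SHORT_TEXT; tb.length = 5;
    dirty_following(frags, n, 0);
    n = relayout_dirty(&tb, frags, n);           /* rebuilt: [0,4) [4,5) */
    return count_overreads(&tb, frags, n);       /* 0 */
}

int main(void) {
    printf("stale boxes overrunning the buffer: %zu\n", stale_overreads());
    printf("after dirtying following boxes:     %zu\n", fixed_overreads());
    return 0;
}
```

The point of the model is the one the assertion makes: a cached range is only as trustworthy as the invalidation that protects it. A debug assert on `charactersLength() >= length()` turns the stale range into a clean failure; a release build without it reads heap memory past the string, which is the READ 2 ASan reports.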
Labels: -M-26 -Merge-Approved M-28 Merge-Merged Release-0
Since this is Medium, we can let it hit M28.
M28: r151288
Labels: reward-500 reward-unpaid
$500 for this one!

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties.
*********************************
Labels: -reward-topanel
Labels: CVE-2013-2875
Labels: External-Fuzzer-Contribution
Labels: -reward-unpaid reward-inprocess
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 23 by ClusterFuzz (Project Member), Feb 2 2016

Labels: -Security_Impact-Beta
Comment 24 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
