Issue 330420

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2014
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


ASSERTION FAILED: m_stateStack.size() == 1, Heap-use-after-free in WebCore::ScrollView::paint

Reported by attek...@gmail.com, Dec 21 2013

Issue description

Tested on:

OS: Ubuntu 12.04

Chromium: ASAN 33.0.1738.0 (Developer Build 240534)


Repro-file as attachment. 

Note: the file content is actually an SVG file, but it must have the .html file extension to reproduce the issue. If you rename the file with an .svg extension, Chrome only reports a syntax error when the file is opened.

ASAN-report:

==8060==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000067280 at pc 0x7fc6fabe5872 bp 0x7fffa6cdeb40 sp 0x7fffa6cdeb38
READ of size 8 at 0x616000067280 thread T0 (chrome)
    #0 0x7fc6fabe5871 in WebCore::GraphicsContext::paintingDisabled() const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.h:88:0
    #1 0x7fc6fb055ea2 in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/scroll/ScrollView.cpp:878:0
    #2 0x7fc6fca198b6 in WebCore::SVGImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, blink::WebBlendMode) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp:264:0
    #3 0x7fc6fafa68d1 in WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, blink::WebBlendMode, WebCore::RespectImageOrientationEnum, bool) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp:1107:0
    #4 0x7fc6fafa658b in WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, WebCore::RespectImageOrientationEnum, bool) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp:1086:0
    #5 0x7fc6fca337d1 in WebCore::RenderSVGImage::paintForeground(WebCore::PaintInfo&) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/svg/RenderSVGImage.cpp:171:0
...
0x616000067280 is located 0 bytes inside of 592-byte region [0x616000067280,0x6160000674d0)
freed by thread T0 (chrome) here:
    #0 0x7fc6f7a3bbe9 in __interceptor_free _asan_rtl_:0
    #1 0x7fc6fafdd9a1 in WTF::OwnPtr<WebCore::GraphicsContext>::~OwnPtr() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/OwnPtr.h:62:0
    #2 0x7fc6fafd9411 in WebCore::ImageBuffer::~ImageBuffer() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/ImageBuffer.cpp:87:0
    #3 0x7fc6fafabd65 in WTF::OwnedPtrDeleter<WebCore::ImageBuffer>::deletePtr(WebCore::ImageBuffer*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/OwnPtrCommon.h:52:0
    #4 0x7fc6fca33e26 in WebCore::RenderSVGImage::imageChanged(void*, WebCore::IntRect const*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/svg/RenderSVGImage.cpp:219:0
    #5 0x7fc6fbebe90a in WebCore::ImageResource::notifyObservers(WebCore::IntRect const*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/ImageResource.cpp:270:0
...

Attachment: chrome-heap-use-after-free-WebCoreGraphicsContextpaintingDisabled10-min.html (501 bytes)
Comment 1 by ClusterFuzz (Project Member), Dec 21 2013

Labels: Cr-Blink-Rendering
Comment 2 by ClusterFuzz (Project Member), Dec 23 2013

ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=6483245877166080
Comment 3 by ClusterFuzz (Project Member), Dec 23 2013

Summary: ASSERTION FAILED: m_stateStack.size() == 1, Heap-use-after-free in WebCore::ScrollView::paint (was: Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ


Comment 4 by ClusterFuzz (Project Member), Dec 23 2013

Labels: Stability-Memory-AddressSanitizer Security_Impact-None
Status: Available

Comment 5 by mea...@chromium.org, Dec 24 2013

Labels: Security_Severity-High Cr-Blink-SVG Pri-1 OS-All

Comment 6 by mea...@chromium.org, Dec 24 2013

Owner: schenney@chromium.org
@schenney: Could you take a look or find an owner? Thanks.

Comment 7 by mea...@chromium.org, Dec 24 2013

Labels: M-33
Comment 8 by ClusterFuzz (Project Member), Dec 24 2013

Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Comment 9 by ClusterFuzz (Project Member), Jan 1 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ


Comment 10 by ClusterFuzz (Project Member), Jan 1 2014

Labels: Nag
Status: Assigned
schenney@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 11 by ClusterFuzz (Project Member), Jan 6 2014

ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=4527480241127424
The last report was uploaded on Windows jobs to see if we can get a better regression range.
Labels: -Security_Impact-None -M-33 Security_Impact-Beta Security_Impact-Stable
As per https://cluster-fuzz.appspot.com/testcase?key=4527480241127424, this bug is old.
Patch is up. It's probably due to pdr's patch to enable buffered rendering of SVG images. It's a simple fix but I need his review. https://codereview.chromium.org/109753004/
Labels: -Nag WIP
Status: Started
Thanks Stephen. Adding WIP, so that you don't get any more nags.
Comment 16 by ClusterFuzz (Project Member), Jan 6 2014

Labels: M-31
Labels: -M-31
Comment 19 by ClusterFuzz (Project Member), Jan 7 2014

Labels: M-31
Status: Fixed
Comment 21 by bugdroid1@chromium.org (Project Member), Jan 8 2014

Labels: Merge-TBD
Is there a merge required here?
Labels: -WIP -M-31 -Merge-TBD M-32 Merge-Requested
Yes
Labels: M-33
In the future, for security bugs, you can wait for the CF sheriffbot to update the bug. It will automatically put all the milestone labels and Merge-Triage. Basically we want to make sure all milestone labels exist, and also that the fix gets some bake time.
Labels: -Merge-Requested Merge-Approved
Comment 25 by ClusterFuzz (Project Member), Jan 8 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 26 by ClusterFuzz (Project Member), Jan 9 2014

ClusterFuzz has detected this issue as fixed in range 243511:243516.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239
Fixed: https://cluster-fuzz.appspot.com/revisions?range=243511:243516

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 27 by bugdroid1@chromium.org (Project Member), Jan 9 2014

Labels: -Merge-Approved merge-merged-1750
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=164792

------------------------------------------------------------------------
r164792 | schenney@chromium.org | 2014-01-09T18:23:27.050921Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/1750/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint-expected.html?r1=164792&r2=164791&pathrev=164792
   A http://src.chromium.org/viewvc/blink/branches/chromium/1750/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint.html?r1=164792&r2=164791&pathrev=164792
   M http://src.chromium.org/viewvc/blink/branches/chromium/1750/Source/core/rendering/svg/RenderSVGImage.cpp?r1=164792&r2=164791&pathrev=164792

Merge 164536 "Avoid drawing SVG image content when the image is ..."

> Avoid drawing SVG image content when the image is of zero size.
> 
> R=pdr
> BUG= 330420 
> 
> Review URL: https://codereview.chromium.org/109753004

TBR=schenney@chromium.org

Review URL: https://codereview.chromium.org/131973005
------------------------------------------------------------------------

Comment 28 by dharani@google.com, Jan 16 2014

Labels: -M-33 Merge-Requested
Requesting merge for M32.
Labels: reward-topanel

Comment 30 by kareng@google.com, Jan 17 2014

Labels: -Merge-Requested Merge-Approved
Comment 31 by bugdroid1@chromium.org (Project Member), Jan 17 2014

Labels: -Merge-Approved merge-merged-1700
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165329

------------------------------------------------------------------------
r165329 | schenney@chromium.org | 2014-01-17T19:52:26.401086Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1700/Source/core/rendering/svg/RenderSVGImage.cpp?r1=165329&r2=165328&pathrev=165329
   A http://src.chromium.org/viewvc/blink/branches/chromium/1700/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint-expected.html?r1=165329&r2=165328&pathrev=165329
   A http://src.chromium.org/viewvc/blink/branches/chromium/1700/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint.html?r1=165329&r2=165328&pathrev=165329

Merge 164536 "Avoid drawing SVG image content when the image is ..."

> Avoid drawing SVG image content when the image is of zero size.
> 
> R=pdr
> BUG= 330420 
> 
> Review URL: https://codereview.chromium.org/109753004

TBR=schenney@chromium.org

Review URL: https://codereview.chromium.org/140783011
------------------------------------------------------------------------

Comment 32 by dharani@google.com, Jan 22 2014

Labels: Release-1-M32

Comment 33 by dharani@google.com, Jan 22 2014

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable

Comment 34 by dharani@google.com, Jan 23 2014

Labels: CVE-2013-6649
Labels: -reward-topanel reward-unpaid reward-1000
Thanks for the report! This one qualifies for a $1000 reward. It does not seem like there is control between the free and use in this case.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Labels: reward-paid
Comment 39 by ClusterFuzz (Project Member), Apr 16 2014

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -Cr-Blink-Rendering Cr-Blink-Layout
Migrate from Cr-Blink-Rendering to Cr-Blink-Layout
Comment 41 by ClusterFuzz (Project Member), Feb 2 2016

Labels: -Security_Impact-Beta
Comment 42 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 43 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted