Issue 330420 ASSERTION FAILED: m_stateStack.size() == 1, Heap-use-after-free in WebCore::ScrollView::paint
Starred by 1 user Reported by attek...@gmail.com, Dec 21, 2013 Back to list
Status: Fixed
Owner: schenney@chromium.org
Closed: Jan 2014
Components:
OS: All
Pri: 1
Type: Bug-Security
Tested on:

OS: Ubuntu 12.04

Chromium: ASAN 33.0.1738.0 (Developer Build 240534)


Repro file attached.

Note: The file content is actually an SVG file, but it must have the .html file extension to reproduce the issue. If you rename the file with the .svg extension, Chrome only reports a syntax error when the file is opened.

ASAN-report:

==8060==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000067280 at pc 0x7fc6fabe5872 bp 0x7fffa6cdeb40 sp 0x7fffa6cdeb38
READ of size 8 at 0x616000067280 thread T0 (chrome)
    #0 0x7fc6fabe5871 in WebCore::GraphicsContext::paintingDisabled() const /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.h:88:0
    #1 0x7fc6fb055ea2 in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/scroll/ScrollView.cpp:878:0
    #2 0x7fc6fca198b6 in WebCore::SVGImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, blink::WebBlendMode) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/svg/graphics/SVGImage.cpp:264:0
    #3 0x7fc6fafa68d1 in WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, blink::WebBlendMode, WebCore::RespectImageOrientationEnum, bool) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp:1107:0
    #4 0x7fc6fafa658b in WebCore::GraphicsContext::drawImage(WebCore::Image*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::CompositeOperator, WebCore::RespectImageOrientationEnum, bool) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp:1086:0
    #5 0x7fc6fca337d1 in WebCore::RenderSVGImage::paintForeground(WebCore::PaintInfo&) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/svg/RenderSVGImage.cpp:171:0
.
.
.
0x616000067280 is located 0 bytes inside of 592-byte region [0x616000067280,0x6160000674d0)
freed by thread T0 (chrome) here:
    #0 0x7fc6f7a3bbe9 in __interceptor_free _asan_rtl_:0
    #1 0x7fc6fafdd9a1 in WTF::OwnPtr<WebCore::GraphicsContext>::~OwnPtr() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/OwnPtr.h:62:0
    #2 0x7fc6fafd9411 in WebCore::ImageBuffer::~ImageBuffer() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/ImageBuffer.cpp:87:0
    #3 0x7fc6fafabd65 in WTF::OwnedPtrDeleter<WebCore::ImageBuffer>::deletePtr(WebCore::ImageBuffer*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/OwnPtrCommon.h:52:0
    #4 0x7fc6fca33e26 in WebCore::RenderSVGImage::imageChanged(void*, WebCore::IntRect const*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/rendering/svg/RenderSVGImage.cpp:219:0
    #5 0x7fc6fbebe90a in WebCore::ImageResource::notifyObservers(WebCore::IntRect const*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/ImageResource.cpp:270:0
.
.
.

Attachment: chrome-heap-use-after-free-WebCoreGraphicsContextpaintingDisabled10-min.html (501 bytes)
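As an added example (not part of the report or of ClusterFuzz's own code), the following Python reduces an ASan report like the one above to the crash type, faulting address and de-noised crash/free stacks that ClusterFuzz shows as "Crash State", which is what triage and deduplication key on. The sample report is constructed by trimming the frames quoted in this bug, and the frame-ignore rules are a hypothetical simplification of ClusterFuzz's real ignore list.

```python
import re
# Constructed sample: frames trimmed from the ASan report quoted in this bug, path prefix shortened.
ASAN_REPORT = """\
==8060==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000067280 at pc 0x7fc6fabe5872 bp 0x7fffa6cdeb40 sp 0x7fffa6cdeb38
READ of size 8 at 0x616000067280 thread T0 (chrome)
    #0 0x7fc6fabe5871 in WebCore::GraphicsContext::paintingDisabled() const .../GraphicsContext.h:88:0
    #1 0x7fc6fb055ea2 in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) .../ScrollView.cpp:878:0
    #2 0x7fc6fca198b6 in WebCore::SVGImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&) .../SVGImage.cpp:264:0
0x616000067280 is located 0 bytes inside of 592-byte region [0x616000067280,0x6160000674d0)
freed by thread T0 (chrome) here:
    #0 0x7fc6f7a3bbe9 in __interceptor_free _asan_rtl_:0
    #1 0x7fc6fafdd9a1 in WTF::OwnPtr<WebCore::GraphicsContext>::~OwnPtr() .../OwnPtr.h:62:0
    #2 0x7fc6fafd9411 in WebCore::ImageBuffer::~ImageBuffer() .../ImageBuffer.cpp:87:0
    #3 0x7fc6fafabd65 in WTF::OwnedPtrDeleter<WebCore::ImageBuffer>::deletePtr(WebCore::ImageBuffer*) .../OwnPtrCommon.h:52:0
    #4 0x7fc6fca33e26 in WebCore::RenderSVGImage::imageChanged(void*, WebCore::IntRect const*) .../RenderSVGImage.cpp:219:0
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<type>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")

def _boring(func, loc):
    # No bug-specific signal: ASan interceptors, WTF smart-pointer plumbing, inlined
    # header accessors. Hypothetical simplification of ClusterFuzz's real ignore list.
    return (func.startswith("__interceptor_") or func.startswith("WTF::")
            or loc.split(":")[0].endswith(".h"))

def _frames(lines):
    """De-noised function names from consecutive '#N 0x... in FUNC LOC' lines."""
    out = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            break  # first non-frame line ends this stack section
        func = m["func"].split("(", 1)[0]  # drop parameter list and 'const' qualifier
        if not _boring(func, m["loc"]):
            out.append(func)
    return out

def crash_state(report, depth=3):
    """Triage signature: crash type, faulting address, top crash frames, top free frames."""
    lines = report.splitlines()
    head = HEADER_RE.search(report)
    access = next(i for i, l in enumerate(lines) if ACCESS_RE.match(l))
    freed = next(i for i, l in enumerate(lines) if l.startswith("freed by"))
    acc = ACCESS_RE.match(lines[access])
    return {"type": f"{head['type'].capitalize()} {acc['op']} {acc['size']}",
            "address": head["addr"],
            "crash_stack": _frames(lines[access + 1:])[:depth],
            "free_stack": _frames(lines[freed + 1:])[:depth]}
```

On the sample this yields the same two-frame crash and free stacks that appear in ClusterFuzz's report below; two reports with the same signature would be treated as duplicates.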
Project Member Comment 1 by clusterf...@chromium.org, Dec 21, 2013
Labels: Cr-Blink-Rendering
Project Member Comment 2 by clusterf...@chromium.org, Dec 23, 2013
ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=6483245877166080
Project Member Comment 3 by clusterf...@chromium.org, Dec 23, 2013
Summary: ASSERTION FAILED: m_stateStack.size() == 1, Heap-use-after-free in WebCore::ScrollView::paint (was: Heap-use-after-free in WebCore::GraphicsContext::paintingDisabled )
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ


Project Member Comment 4 by clusterf...@chromium.org, Dec 23, 2013
Labels: Stability-Memory-AddressSanitizer Security_Impact-None
Status: Available
Comment 5 by meacer@chromium.org, Dec 24, 2013
Labels: Security_Severity-High Cr-Blink-SVG Pri-1 OS-All
Comment 6 by meacer@chromium.org, Dec 24, 2013
Owner: schenney@chromium.org
@schenney: Could you take a look or find an owner? Thanks.
Comment 7 by meacer@chromium.org, Dec 24, 2013
Labels: M-33
Project Member Comment 8 by clusterf...@chromium.org, Dec 24, 2013
Labels: ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Project Member Comment 9 by clusterf...@chromium.org, Jan 1, 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ


Project Member Comment 10 by clusterf...@chromium.org, Jan 1, 2014
Labels: Nag
Status: Assigned
schenney@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 11 by clusterf...@chromium.org, Jan 6, 2014
ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=4527480241127424
The last report was uploaded on Windows jobs to see if we can get a better regression range.
Labels: -Security_Impact-None -M-33 Security_Impact-Beta Security_Impact-Stable
As per https://cluster-fuzz.appspot.com/testcase?key=4527480241127424, this bug is old.
Patch is up. It's probably due to pdr's patch to enable buffered rendering of SVG images. It's a simple fix but I need his review. https://codereview.chromium.org/109753004/
Labels: -Nag WIP
Status: Started
Thanks Stephen. Adding WIP, so that you don't get any more nags.
Project Member Comment 16 by clusterf...@chromium.org, Jan 6, 2014
Labels: M-31
Project Member Comment 17 by bugdroid1@chromium.org, Jan 7, 2014
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=164536

------------------------------------------------------------------------
r164536 | schenney@chromium.org | 2014-01-07T00:39:12.598162Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint-expected.html?r1=164536&r2=164535&pathrev=164536
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint.html?r1=164536&r2=164535&pathrev=164536
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/rendering/svg/RenderSVGImage.cpp?r1=164536&r2=164535&pathrev=164536

Avoid drawing SVG image content when the image is of zero size.

R=pdr
BUG= 330420 

Review URL: https://codereview.chromium.org/109753004
------------------------------------------------------------------------
Labels: -M-31
Project Member Comment 19 by clusterf...@chromium.org, Jan 7, 2014
Labels: M-31
Status: Fixed
Project Member Comment 21 by bugdroid1@chromium.org, Jan 8, 2014
Labels: Merge-TBD
Is there a merge required here?
Labels: -WIP -M-31 -Merge-TBD M-32 Merge-Requested
Yes
Labels: M-33
In future, for security bugs, you can wait for CF sheriffbot to update the bug. It will automatically put all the milestone labels and Merge-Triage. Basically we want to make sure all milestone labels exist, and also that the fix gets some bake time.
Comment 24 by laforge@google.com, Jan 8, 2014
Labels: -Merge-Requested Merge-Approved
Project Member Comment 25 by clusterf...@chromium.org, Jan 8, 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 26 by clusterf...@chromium.org, Jan 9, 2014
ClusterFuzz has detected this issue as fixed in range 243511:243516.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6483245877166080

Uploader: meacer@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000008480
Crash State:
  - crash stack -
  WebCore::ScrollView::paint
  WebCore::SVGImage::draw
  - free stack -
  WebCore::ImageBuffer::~ImageBuffer
  WebCore::RenderSVGImage::imageChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=238209:238239
Fixed: https://cluster-fuzz.appspot.com/revisions?range=243511:243516

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95y_euLk8Iszqv05cgfH9hKSc3vHXh-8ukMck0YFQFBQB2dPgMQVo78EZNM0424q3AVU-uddkN-Tr_rxPLoEQypORohfwhm0kpsDPqHI03aQfqJng8ev93E8aeNNWDqDKGCNTdnnK3cp3r9881t6c3X8TCWiQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Project Member Comment 27 by bugdroid1@chromium.org, Jan 9, 2014
Labels: -Merge-Approved merge-merged-1750
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=164792

------------------------------------------------------------------------
r164792 | schenney@chromium.org | 2014-01-09T18:23:27.050921Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/branches/chromium/1750/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint-expected.html?r1=164792&r2=164791&pathrev=164792
   A http://src.chromium.org/viewvc/blink/branches/chromium/1750/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint.html?r1=164792&r2=164791&pathrev=164792
   M http://src.chromium.org/viewvc/blink/branches/chromium/1750/Source/core/rendering/svg/RenderSVGImage.cpp?r1=164792&r2=164791&pathrev=164792

Merge 164536 "Avoid drawing SVG image content when the image is ..."

> Avoid drawing SVG image content when the image is of zero size.
> 
> R=pdr
> BUG= 330420 
> 
> Review URL: https://codereview.chromium.org/109753004

TBR=schenney@chromium.org

Review URL: https://codereview.chromium.org/131973005
------------------------------------------------------------------------
Comment 28 by dharani@google.com, Jan 16, 2014
Labels: -M-33 Merge-Requested
Requesting merge for M32.
Comment 29 by infe...@chromium.org, Jan 16, 2014
Labels: reward-topanel
Comment 30 by kareng@google.com, Jan 17, 2014
Labels: -Merge-Requested Merge-Approved
Project Member Comment 31 by bugdroid1@chromium.org, Jan 17, 2014
Labels: -Merge-Approved merge-merged-1700
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=165329

------------------------------------------------------------------------
r165329 | schenney@chromium.org | 2014-01-17T19:52:26.401086Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/branches/chromium/1700/Source/core/rendering/svg/RenderSVGImage.cpp?r1=165329&r2=165328&pathrev=165329
   A http://src.chromium.org/viewvc/blink/branches/chromium/1700/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint-expected.html?r1=165329&r2=165328&pathrev=165329
   A http://src.chromium.org/viewvc/blink/branches/chromium/1700/LayoutTests/svg/as-image/zero-size-buffered-image-nopaint.html?r1=165329&r2=165328&pathrev=165329

Merge 164536 "Avoid drawing SVG image content when the image is ..."

> Avoid drawing SVG image content when the image is of zero size.
> 
> R=pdr
> BUG= 330420 
> 
> Review URL: https://codereview.chromium.org/109753004

TBR=schenney@chromium.org

Review URL: https://codereview.chromium.org/140783011
------------------------------------------------------------------------
Comment 32 by dharani@google.com, Jan 22, 2014
Labels: Release-1-M32
Comment 33 by dharani@google.com, Jan 22, 2014
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Comment 34 by dharani@google.com, Jan 23, 2014
Labels: CVE-2013-6649
Labels: -reward-topanel reward-unpaid reward-1000
Thanks for the report! This one qualifies for a $1000 reward. It does not seem like there is control between the free and use in this case.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Labels: reward-paid
Project Member Comment 39 by clusterf...@chromium.org, Apr 16, 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Comment 40 by laforge@google.com, Jan 9, 2015
Labels: -Cr-Blink-Rendering Cr-Blink-Layout
Migrate from Cr-Blink-Rendering to Cr-Blink-Layout
Project Member Comment 41 by clusterf...@chromium.org, Feb 2, 2016
Labels: -Security_Impact-Beta