Issue 602975


Issue metadata

Status: Fixed
Closed: Apr 2016
OS: Linux
Pri: 2
Type: Bug-Security




Use-of-uninitialized-value in woff2::ConvertWOFF2ToTTF

Reported by ClusterFuzz, Apr 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4560969828663296

Fuzzer: meacer_chromebot_extensions
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  woff2::ConvertWOFF2ToTTF
  woff2::ConvertWOFF2ToTTF
  ots::OTSContext::Process
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=386531:386650

Minimized Testcase (30.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97RrFfRqZUZZLrTcBsK08JHT6V2gwT51e82oN3WB3u-mlrwNpoLCauwc7sk6yHuvODBF6aupNcXMX0xBDRC6MpgxPJ9FZ6vSYw1bWZz0zBotslglBSU1Kw_etFs48m2aom6PnuoWMGJcK9s-UTC-JYXDshxi8mFGmtm-AEgjcFmWRBAgIY

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by mmoroz@chromium.org, Apr 13 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Owner: toyoshim@chromium.org

Comment 2 by ClusterFuzz, Apr 13 2016

Status: Assigned (was: Available)

Comment 3 by tsepez@chromium.org, Apr 14 2016

Components: Blink>Fonts
Status: Started (was: Assigned)
I haven't succeeded in reproducing the error with my local build. Let me re-run it with the 'Fixed' flag just in case. I'll look at this again next week.
I succeeded in reproducing this by using a usual MSan local build with a simple page that uses a WebFont. I will check some suspicious code that may cause this.
A fix is now under review.
Cc: rsheeter@google.com
+rsheeter, who reviews the upstream change

Just in case, here is a log from the report link.
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f3191bc9d42 in ReadU16 third_party/woff2/src/buffer.h:106:14
    #1 0x7f3191bc9d42 in ReadS16 third_party/woff2/src/buffer.h:112
    #2 0x7f3191bc9d42 in ReconstructGlyf third_party/woff2/src/woff2_dec.cc:608
    #3 0x7f3191bc9d42 in ReconstructFont third_party/woff2/src/woff2_dec.cc:990
    #4 0x7f3191bc9d42 in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) third_party/woff2/src/woff2_dec.cc:1355
    #5 0x7f3191bb284a in woff2::ConvertWOFF2ToTTF(unsigned char*, unsigned long, unsigned char const*, unsigned long) third_party/woff2/src/woff2_dec.cc:1331:10
    #6 0x7f3191a4c5bc in ProcessWOFF2 third_party/ots/src/ots.cc:482:8
    #7 0x7f3191a4c5bc in ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long, unsigned int) third_party/ots/src/ots.cc:896
    #8 0x7f3190de4c6a in blink::OpenTypeSanitizer::sanitize() third_party/WebKit/Source/platform/fonts/opentype/OpenTypeSanitizer.cpp:96:15
    #9 0x7f3190dc3cb4 in blink::FontCustomPlatformData::create(blink::SharedBuffer*, WTF::String&) third_party/WebKit/Source/platform/fonts/FontCustomPlatformData.cpp:92:44
(snip)

  Uninitialized value was created by a heap allocation
    #0 0x7f316ac2f242 in operator new[](unsigned long)
    #1 0x7f3191bbd63d in ReconstructGlyf third_party/woff2/src/woff2_dec.cc:447:40
    #2 0x7f3191bbd63d in ReconstructFont third_party/woff2/src/woff2_dec.cc:990
    #3 0x7f3191bbd63d in woff2::ConvertWOFF2ToTTF(unsigned char const*, unsigned long, woff2::WOFF2Out*) third_party/woff2/src/woff2_dec.cc:1355
    #4 0x7f3191bb284a in woff2::ConvertWOFF2ToTTF(unsigned char*, unsigned long, unsigned char const*, unsigned long) third_party/woff2/src/woff2_dec.cc:1331:10
    #5 0x7f3191a4c5bc in ProcessWOFF2 third_party/ots/src/ots.cc:482:8
    #6 0x7f3191a4c5bc in ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long, unsigned int) third_party/ots/src/ots.cc:896
    #7 0x7f3190de4c6a in blink::OpenTypeSanitizer::sanitize() third_party/WebKit/Source/platform/fonts/opentype/OpenTypeSanitizer.cpp:96:15
    #8 0x7f3190dc3cb4 in blink::FontCustomPlatformData::create(blink::SharedBuffer*, WTF::String&) third_party/WebKit/Source/platform/fonts/FontCustomPlatformData.cpp:92:44
    #9 0x7f317cc786e2 in blink::FontResource::ensureCustomFontData() third_party/WebKit/Source/core/fetch/FontResource.cpp:141:26
(snip)
crbug.com/604649 was merged into this, but didn't appear here automatically.
Cc: bcwh...@chromium.org msramek@chromium.org ksakamoto@chromium.org toyoshim@chromium.org cmumford@chromium.org
CCing members who are on 604649

Comment 10 by bugdroid1@chromium.org, Apr 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/988efed96ca86663c64ad8d93e779a3a1c2f1be2

commit 988efed96ca86663c64ad8d93e779a3a1c2f1be2
Author: toyoshim <toyoshim@chromium.org>
Date: Wed Apr 20 10:10:55 2016

WOFF2: avoid an MSan error use-of-uninitialized-value in woff2_dec.cc

An uninitialized buffer is read to obtain the x_min value when n_contours
is zero, but the read value isn't used in that case. So this isn't a
real issue at all, but to make the MSan bot happy, fix the logic not
to read if n_contours is zero.

BUG= 602975 

Review URL: https://codereview.chromium.org/1895043002

Cr-Commit-Position: refs/heads/master@{#388459}

[modify] https://crrev.com/988efed96ca86663c64ad8d93e779a3a1c2f1be2/third_party/woff2/README.chromium
[modify] https://crrev.com/988efed96ca86663c64ad8d93e779a3a1c2f1be2/third_party/woff2/src/woff2_dec.cc
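
The MSan report above and the commit message describe the same pattern: a heap scratch buffer is allocated with operator new[] (uninitialized), a 16-bit x_min is read from it through ReadS16, and the value is then discarded for glyphs with n_contours == 0. The block below is an added example, not woff2's or Chromium's code: it stands in for that ReadU16/ReadS16 path with a small "shadow" reader that counts reads of never-written bytes, which is the role MemorySanitizer's shadow memory plays, and runs the flagged variant beside the fixed one. The glyph layout (2 bytes of n_contours followed by an 8-byte bbox, bbox written only for non-empty glyphs) and all names are assumptions chosen to mimic the shape of the bug.

```cpp
// Added example (not woff2/Chromium code): shadow-tracked reader plus the
// "read x_min, then ignore it for empty glyphs" pattern and its fix.
#include <cstdint>
#include <cstddef>
#include <vector>

// Every byte starts "poisoned"; Write() clears the poison, and the 16-bit
// readers count any read that touches a still-poisoned byte.
class ShadowBuffer {
 public:
  explicit ShadowBuffer(size_t len) : data_(len, 0), poisoned_(len, true), off_(0) {}

  void Write(size_t at, const uint8_t* src, size_t n) {
    for (size_t i = 0; i < n; ++i) {
      data_[at + i] = src[i];
      poisoned_[at + i] = false;
    }
  }
  void Seek(size_t off) { off_ = off; }

  // Big-endian 16-bit read with a bounds check, shaped like woff2's ReadU16.
  bool ReadU16(uint16_t* v) {
    if (off_ + 2 > data_.size()) return false;
    if (poisoned_[off_] || poisoned_[off_ + 1]) ++uninit_reads_;
    *v = static_cast<uint16_t>((data_[off_] << 8) | data_[off_ + 1]);
    off_ += 2;
    return true;
  }
  bool ReadS16(int16_t* v) {
    uint16_t u = 0;
    if (!ReadU16(&u)) return false;
    *v = static_cast<int16_t>(u);
    return true;
  }
  int uninit_reads() const { return uninit_reads_; }

 private:
  std::vector<uint8_t> data_;
  std::vector<bool> poisoned_;
  size_t off_;
  int uninit_reads_ = 0;
};

// Constructed glyph description: contour count and the x_min the bbox carries.
struct GlyphIn { uint16_t n_contours; int16_t x_min; };

// Assumed scratch layout: 2 bytes n_contours + 8 bytes bbox, 10 bytes per glyph.
constexpr size_t kGlyphBytes = 10;

// Fills the scratch buffer the way the decoder would: n_contours is always
// written, the bbox only for glyphs that actually have contours.
static void FillScratch(ShadowBuffer& buf, const std::vector<GlyphIn>& glyphs) {
  for (size_t i = 0; i < glyphs.size(); ++i) {
    const size_t base = i * kGlyphBytes;
    const uint8_t hdr[2] = { uint8_t(glyphs[i].n_contours >> 8), uint8_t(glyphs[i].n_contours) };
    buf.Write(base, hdr, 2);
    if (glyphs[i].n_contours != 0) {
      const uint16_t u = static_cast<uint16_t>(glyphs[i].x_min);
      const uint8_t bbox[8] = { uint8_t(u >> 8), uint8_t(u), 0, 0, 0, 0, 0, 0 };
      buf.Write(base + 2, bbox, 8);
    }
  }
}

// fixed == false mirrors the flagged pattern: ReadS16 runs before the
// n_contours check and the value is discarded for empty glyphs.
// fixed == true skips the read when n_contours == 0, as the commit does.
static std::vector<int16_t> CollectXMins(ShadowBuffer& buf, size_t n_glyphs, bool fixed) {
  std::vector<int16_t> x_mins;
  for (size_t i = 0; i < n_glyphs; ++i) {
    buf.Seek(i * kGlyphBytes);
    uint16_t n_contours = 0;
    if (!buf.ReadU16(&n_contours)) break;
    int16_t x_min = 0;
    if (fixed) {
      if (n_contours != 0 && !buf.ReadS16(&x_min)) break;
    } else {
      if (!buf.ReadS16(&x_min)) break;  // touches poisoned bytes for empty glyphs
      if (n_contours == 0) x_min = 0;   // ... and then throws the value away
    }
    x_mins.push_back(x_min);
  }
  return x_mins;
}

struct RunResult { std::vector<int16_t> x_mins; int uninit_reads; };

// Runs one variant over a constructed three-glyph set (the middle glyph is empty).
static RunResult Run(bool fixed) {
  const std::vector<GlyphIn> glyphs = { {1, -25}, {0, 0}, {2, 140} };  // constructed input
  ShadowBuffer buf(glyphs.size() * kGlyphBytes);
  FillScratch(buf, glyphs);
  RunResult r;
  r.x_mins = CollectXMins(buf, glyphs.size(), fixed);
  r.uninit_reads = buf.uninit_reads();
  return r;
}
```

Both variants return the same x_min list, which is the "value isn't used" half of the commit message; only the unfixed one records a read of never-written bytes, for the empty glyph. Real MSan tracks the same thing per bit in shadow memory and reports at the first operation that depends on the poisoned value, which is why the report above points into ReadU16 rather than at the allocation; the allocation site is recovered separately from the origin-tracking stack. Build with -fsanitize=memory -fsanitize-memory-track-origins to get both stacks from a real decoder.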


Comment 12 by ClusterFuzz, Apr 20 2016

ClusterFuzz has detected this issue as fixed in range 388458:388479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4560969828663296

Fuzzer: meacer_chromebot_extensions
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  woff2::ConvertWOFF2ToTTF
  woff2::ConvertWOFF2ToTTF
  ots::OTSContext::Process
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=386531:386650
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=388458:388479

Minimized Testcase (30.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97RrFfRqZUZZLrTcBsK08JHT6V2gwT51e82oN3WB3u-mlrwNpoLCauwc7sk6yHuvODBF6aupNcXMX0xBDRC6MpgxPJ9FZ6vSYw1bWZz0zBotslglBSU1Kw_etFs48m2aom6PnuoWMGJcK9s-UTC-JYXDshxi8mFGmtm-AEgjcFmWRBAgIY

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Glad to hear that. I was sorry for making the bots red for a long time.

Comment 14 by ClusterFuzz, Apr 21 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by bugdroid1@chromium.org, Apr 25 2016


Comment 19 by sheriffbot@chromium.org, Jul 28 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 23 by sheriffbot@chromium.org, Jul 28

Labels: Pri-2
