Heap-buffer-overflow in CopyAlphaChannelIntoVideoFrame
Reported by attek...@gmail.com, Apr 24 2016
Issue description
Tested on:
OS: Ubuntu 14.04
Chromium: asan-symbolized-linux-release-389396
Repro-file:
<html>
<head>
<script type='text/javascript'>
function boom() {
  var gl = canvas.getContext('experimental-webgl');
  video.srcObject = canvas.captureStream(0);
}
</script>
</head>
<body onload='boom();'>
<video id='video' width='-602569' height='256'></video>
<canvas id='canvas' width='256' height='257'></canvas>
</body>
</html>
ASAN-trace:
==10336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff04ad9bc03 at pc 0x55ea817465f3 bp 0x7ffc6bbab050 sp 0x7ffc6bbab048
READ of size 1 at 0x7ff04ad9bc03 thread T0 (chrome)
#0 0x55ea817465f2 in (anonymous namespace)::CopyAlphaChannelIntoVideoFrame(unsigned char const*, scoped_refptr<media::VideoFrame> const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:34
#1 0x55ea81745667 in CreateNewFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:261 (discriminator 1)
#2 0x55ea7c08722b in notifyListenersCanvasChanged /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp:421 (discriminator 1)
#3 0x55ea7b0fd2ac in callInternal<0> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:318 (discriminator 2)
#4 0x55ea7b0fcffa in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::CrossThreadWeakPersistentThisPointer<blink::WebGLRenderingContextBase>&&>, WTF::FunctionWrapper<void (blink::WebGLRenderingContextBase::*)()>>::operator()() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:309
#5 0x55ea85734684 in prepareMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp:251 (discriminator 1)
#6 0x55ea81cde959 in PrepareTextureMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/blink/web_external_texture_layer_impl.cc:74
#7 0x55ea843893cc in Update /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/layers/texture_layer.cc:208
#8 0x55ea8446412e in DoUpdateLayers /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/layer_tree_host.cc:1027 (discriminator 1)
#9 0x55ea84463847 in cc::LayerTreeHost::UpdateLayers() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/layer_tree_host.cc:901 (discriminator 2)
#10 0x55ea84539446 in BeginMainFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/trees/proxy_main.cc:207 (discriminator 1)
...
0x7ff04ad9bc03 is located 3 bytes to the right of 263168-byte region [0x7ff04ad5b800,0x7ff04ad9bc00)
allocated by thread T0 (chrome) here:
#0 0x55ea7571d48b in operator new(unsigned long) ??:?
#1 0x55ea75bde912 in __allocate /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../buildtools/third_party/libc++/trunk/include/new:168
#2 0x55ea75bde56b in __append /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../buildtools/third_party/libc++/trunk/include/vector:1039 (discriminator 4)
#3 0x55ea8174526b in CreateNewFrame /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/media/canvas_capture_handler.cc:228
#4 0x55ea7c08722b in notifyListenersCanvasChanged /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp:421 (discriminator 1)
#5 0x55ea7b0fd2ac in callInternal<0> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:318 (discriminator 2)
#6 0x55ea7b0fcffa in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::CrossThreadWeakPersistentThisPointer<blink::WebGLRenderingContextBase>&&>, WTF::FunctionWrapper<void (blink::WebGLRenderingContextBase::*)()>>::operator()() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/Functional.h:309
#7 0x55ea85734684 in prepareMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp:251 (discriminator 1)
#8 0x55ea81cde959 in PrepareTextureMailbox /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../cc/blink/web_external_texture_layer_impl.cc:74
...
ClusterFuzz, Apr 25 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5359497547087872
Uploader: mbarbella@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f2e7f0dbc03
Crash State:
  content::CanvasCaptureHandler::CreateNewFrame
  blink::HTMLCanvasElement::notifyListenersCanvasChanged
  blink::DrawingBuffer::prepareMailbox
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94l7X-qyBPdRIuTKqUlDlH0kv8cP1Lq6QSLgAMPUtldHU8K1-9kMPh9OVsyiIGwOiiExwprye0aSKuJyA23SADAdO5fSA4EeFmLpzjTKWHJbYeCrV-IdXDPz9vRSBKyLIQElJGa_FD-gQHWR1RkMTI4PmJ3Qw
<script>
function boom() {
  var gl = canvas.getContext('experimental-webgl');
  video.srcObject = canvas.captureStream();
}
</script>
<body onload='boom();'<video id='video'></video>
<canvas id='canvas' width='256' height='257'>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21

commit e0dd9f840b3a21cd12bd3d83f5ca63302549dd21
Author: emircan <emircan@chromium.org>
Date: Tue Apr 26 21:37:52 2016

Fix odd size and visible rect issues in CanvasCaptureHandler

This CL addresses odd size frame problems found by fuzz tests.

BUG=606185
TEST=Minimized fuzz test case now passes. Also added unit tests.

Review URL: https://codereview.chromium.org/1918073003
Cr-Commit-Position: refs/heads/master@{#389899}

[modify] https://crrev.com/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/e0dd9f840b3a21cd12bd3d83f5ca63302549dd21/content/renderer/media/canvas_capture_handler_unittest.cc
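The ASAN trace in the description and the fix commit above ("odd size and visible rect issues") together pin down the arithmetic. The overflowed region is 263168 bytes, which is exactly 256 * 257 * 4, the RGBA pixel buffer of a 256x257 canvas, and the faulting 1-byte read is 3 bytes past its end, i.e. the alpha byte of the first pixel after the buffer. The C program below is an added illustration and not Chromium's code: it models a copy loop that walks the destination video frame's coded size instead of the canvas's visible rectangle, and shows that if the coded height is rounded up from 257 to 258 (an assumption inferred from the "odd size" wording; the real coded-size rule is not shown on this page), the first out-of-range alpha read lands at byte offset 263171, matching the report. The second function shows the safe shape: iterate only the visible rectangle, write with the destination stride, and zero the padding.

```c
/* Added example (not Chromium's code): index arithmetic behind the
 * CopyAlphaChannelIntoVideoFrame heap-buffer-overflow reported above.
 * Assumption: the video frame's coded size is rounded up to even
 * dimensions, so a 256x257 canvas gets a 256x258 frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BPP = 4, ALPHA = 3 };   /* RGBA: alpha is byte 3 of each pixel */

static size_t round_up_even(size_t n) { return (n + 1) & ~(size_t)1; }

/* Simulates the unfixed loop: read the alpha byte of every pixel of the
 * coded-size frame straight out of the canvas buffer. Instead of
 * dereferencing past src_len, it stops and reports the first bad offset.
 * Returns 0 if every read stayed in bounds, -1 on the first OOB read. */
int copy_alpha_coded_size(const uint8_t *src, size_t src_len,
                          size_t coded_w, size_t coded_h,
                          uint8_t *dst_alpha, size_t *oob_offset) {
    for (size_t y = 0; y < coded_h; y++) {
        for (size_t x = 0; x < coded_w; x++) {
            size_t off = (y * coded_w + x) * BPP + ALPHA;
            if (off >= src_len) { *oob_offset = off; return -1; }
            dst_alpha[y * coded_w + x] = src[off];
        }
    }
    return 0;
}

/* Fixed shape: validate sizes, iterate only the visible width x height,
 * write into the coded plane using its stride, leave padding zeroed. */
int copy_alpha_visible_rect(const uint8_t *src, size_t src_len,
                            size_t width, size_t height,
                            uint8_t *dst_alpha, size_t dst_stride,
                            size_t dst_rows) {
    if (width > dst_stride || height > dst_rows) return -1;
    if (src_len < width * height * BPP) return -1;
    memset(dst_alpha, 0, dst_stride * dst_rows);
    for (size_t y = 0; y < height; y++)
        for (size_t x = 0; x < width; x++)
            dst_alpha[y * dst_stride + x] = src[(y * width + x) * BPP + ALPHA];
    return 0;
}

/* For a width x height canvas, return the byte offset of the first alpha
 * read the unfixed loop makes beyond the canvas buffer, or 0 if none. */
size_t first_oob_offset_for(size_t width, size_t height) {
    size_t src_len = width * height * BPP;
    size_t coded_w = round_up_even(width), coded_h = round_up_even(height);
    uint8_t *src = calloc(src_len, 1);            /* constructed canvas buffer */
    uint8_t *dst = calloc(coded_w * coded_h, 1);  /* constructed alpha plane */
    size_t oob = 0;
    int rc = copy_alpha_coded_size(src, src_len, coded_w, coded_h, dst, &oob);
    free(src);
    free(dst);
    return rc == 0 ? 0 : oob;
}

int main(void) {
    size_t region = (size_t)256 * 257 * BPP;       /* 263168, as in the trace */
    size_t off = first_oob_offset_for(256, 257);
    printf("canvas 256x257: region %zu bytes, first OOB alpha read at offset %zu (+%zu)\n",
           region, off, off - region);
    printf("canvas 256x256: first OOB offset %zu (0 means none)\n",
           first_oob_offset_for(256, 256));
    return 0;
}
```

The simulated loop reports the offending offset rather than crashing, so it runs without ASAN; the point is that the reported "+3" falls out of the geometry once the loop bound is the coded size. Note that the minimized testcase drops the negative video width from the original repro, so the 256x257 canvas geometry alone is what matters.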
Apr 27 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Apr 28 2016
ClusterFuzz has detected this issue as fixed in range 389884:390115.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5359497547087872
Uploader: mbarbella@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f2e7f0dbc03
Crash State:
  content::CanvasCaptureHandler::CreateNewFrame
  blink::HTMLCanvasElement::notifyListenersCanvasChanged
  blink::DrawingBuffer::prepareMailbox
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=389884:390115
Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94l7X-qyBPdRIuTKqUlDlH0kv8cP1Lq6QSLgAMPUtldHU8K1-9kMPh9OVsyiIGwOiiExwprye0aSKuJyA23SADAdO5fSA4EeFmLpzjTKWHJbYeCrV-IdXDPz9vRSBKyLIQElJGa_FD-gQHWR1RkMTI4PmJ3Qw
<script>
function boom() {
  var gl = canvas.getContext('experimental-webgl');
  video.srcObject = canvas.captureStream();
}
</script>
<body onload='boom();'<video id='video'></video>
<canvas id='canvas' width='256' height='257'>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 29 2016
Issue 608055 has been merged into this issue.
May 9 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
May 10 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8618a80561b51f948a49998beaa0489d64da896e

commit 8618a80561b51f948a49998beaa0489d64da896e
Author: emircan <emircan@chromium.org>
Date: Tue May 10 17:19:26 2016

Fix odd size and visible rect issues in CanvasCaptureHandler

This CL addresses odd size frame problems found by fuzz tests.

BUG=606185
TEST=Minimized fuzz test case now passes. Also added unit tests.

Review URL: https://codereview.chromium.org/1918073003
Cr-Commit-Position: refs/heads/master@{#389899}
(cherry picked from commit e0dd9f840b3a21cd12bd3d83f5ca63302549dd21)

NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/1962993002
Cr-Commit-Position: refs/branch-heads/2704@{#476}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/8618a80561b51f948a49998beaa0489d64da896e/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/8618a80561b51f948a49998beaa0489d64da896e/content/renderer/media/canvas_capture_handler_unittest.cc
May 26 2016
Atte - $1,000 for this report. Congrats :) CVE-ID is CVE-2016-1689.
Aug 3 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot