
Issue 638573 link


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




[sfntly] AddressSanitizer: heap-buffer-overflow on address 0x60200000ee74

Reported by marcin.t...@gmail.com, Aug 17 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2824.0 Safari/537.36

Steps to reproduce the problem:
URL:https://github.com/googlei18n/sfntly
Compiled 17.08.16 14:00

1. run ./subtly_debug subtly-heap-buffer-overflow.tmp
2. Crash

What is the expected behavior?

What went wrong?
=================================================================
==25214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee74 at pc 0x0000005b30b2 bp 0x7ffdc96d5550 sp 0x7ffdc96d5548
WRITE of size 4 at 0x60200000ee74 thread T0
    #0 0x5b30b1 in subtly::FontAssembler::AssembleGlyphAndLocaTables() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b30b1)
    #1 0x5aeee5 in subtly::FontAssembler::Assemble() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5aeee5)
    #2 0x5a3b5d in subtly::Subsetter::Subset() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5a3b5d)
    #3 0x59e1e0 in main (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59e1e0)
    #4 0x7fb5c4bb9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #5 0x4d07c5 in _start (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x4d07c5)

0x60200000ee74 is located 0 bytes to the right of 4-byte region [0x60200000ee70,0x60200000ee74)
allocated by thread T0 here:
    #0 0x59ba0b in operator new(unsigned long) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59ba0b)
    #1 0x5c0091 in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5c0091)
    #2 0x5bf744 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5bf744)
    #3 0x5be61d in std::vector<int, std::allocator<int> >::_M_insert_aux(__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, int const&) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5be61d)
    #4 0x5b5dd5 in std::vector<int, std::allocator<int> >::push_back(int const&) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b5dd5)
    #5 0x5b1f66 in subtly::FontAssembler::AssembleGlyphAndLocaTables() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b1f66)
    #6 0x5aeee5 in subtly::FontAssembler::Assemble() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5aeee5)
    #7 0x5a3b5d in subtly::Subsetter::Subset() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5a3b5d)
    #8 0x59e1e0 in main (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59e1e0)
    #9 0x7fb5c4bb9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b30b1) in subtly::FontAssembler::AssembleGlyphAndLocaTables()
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa[04]fa
  0x0c047fff9dd0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa 00 04 fa fa fd fd
  0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25214==ABORTING

Did this work before? N/A 

Chrome version: 54.0.2824.0  Channel: stable
OS Version: 14.04
Flash Version:
 
Attachment: subtly-heap-buffer-overflow.tmp (77.7 KB)
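The report above pins the bug class down fairly precisely: a WRITE of size 4 landed 0 bytes to the right of a 4-byte heap region, and that region was allocated by std::vector<int>::push_back() inside subtly::FontAssembler::AssembleGlyphAndLocaTables(). In other words a vector<int> holding exactly one element was stored to at index 1, one past its end. The following is an added illustration of that shape and of the hardened form a reviewer would ask for; it is constructed for this page and is not sfntly's or subtly's code, and the names (write_loca_unchecked, build_loca, glyph_lengths) are hypothetical. The only font-specific fact it relies on is that a TrueType loca table carries one offset per glyph plus a final end offset, which is the classic source of an off-by-one when the table is sized from the glyph count.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed example, not sfntly code: a loca-style offset table kept in a
// std::vector<int>. The ASan report shows a 4-byte WRITE 0 bytes past a
// 4-byte region allocated by vector<int>::push_back(), i.e. a one-element
// vector written at index 1. Function and parameter names are hypothetical.

// Unchecked variant reproducing that shape. operator[] performs no bounds
// check, so when index == loca.size() the 4-byte store lands in the heap
// redzone. Never call this; it is undefined behaviour and is exactly what
// ASan reports as heap-buffer-overflow.
void write_loca_unchecked(std::vector<int>& loca, std::size_t index, int offset) {
  if (loca.empty()) loca.push_back(0);   // allocates a single 4-byte region
  loca[index] = offset;                  // WRITE of size 4, no bounds check
}

// Hardened variant: size the table up front (glyph_count + 1 entries: one
// offset per glyph plus the final end offset) and store through at(), which
// throws std::out_of_range instead of corrupting adjacent heap memory.
std::vector<int> build_loca(std::size_t glyph_count,
                            const std::vector<int>& glyph_lengths) {
  if (glyph_lengths.size() != glyph_count)
    throw std::invalid_argument("glyph_lengths must have glyph_count entries");
  std::vector<int> loca(glyph_count + 1, 0);   // explicit size, no push_back drift
  int running = 0;
  for (std::size_t i = 0; i < glyph_count; ++i) {
    running += glyph_lengths.at(i);            // bounds-checked read
    loca.at(i + 1) = running;                  // bounds-checked write
  }
  return loca;
}

// The condition ASan detected at runtime, expressed as a check that can be
// made before the store: true if writing loca[index] would overflow.
bool loca_store_out_of_bounds(const std::vector<int>& loca, std::size_t index) {
  return index >= loca.size();
}

// Rebuilds the one-element state from the report and attempts the same
// off-by-one store through at(). Returns true when the store was rejected
// with std::out_of_range rather than overflowing.
bool checked_store_rejected(std::size_t index) {
  std::vector<int> loca;
  loca.push_back(0);                // one int allocated, as in the report
  try {
    loca.at(index) = 42;
  } catch (const std::out_of_range&) {
    return true;
  }
  return false;
}

int main() {
  std::vector<int> loca = build_loca(3, {10, 20, 30});
  std::printf("loca entries: %zu (expect glyph_count + 1 = 4)\n", loca.size());
  std::printf("store at index 1 of a 1-element vector rejected: %s\n",
              checked_store_rejected(1) ? "yes" : "no");
  std::printf("store at index 4 of a 4-element vector out of bounds: %s\n",
              loca_store_out_of_bounds(loca, 4) ? "yes" : "no");
  return 0;
}
```

Build with `-fsanitize=address -g` to see the unchecked variant produce a report of the same shape as the one above (4-byte region, WRITE of size 4, allocation frame in push_back); with the hardened variant the same input raises std::out_of_range before any memory is touched.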
Owner: arthurhsu@chromium.org
arthurhsu@, could you help triage this bug? Thanks!
Comment 2 by sheriffbot@chromium.org (Project Member), Aug 18 2016

Status: Assigned (was: Unconfirmed)
Cc: arthurhsu@chromium.org
Owner: vandebo@chromium.org
+vandebo@chromium.org, could you take a look at this one since arthurhsu@ is OOO?

Really appreciate if you can help triage this issue. Thanks! 
Cc: vandebo@chromium.org halcanary@chromium.org
Owner: thestig@chromium.org
Lei or Hal probably know who best to take a look.
Cc: behdad@chromium.org
+behdad FYI. I'll take a look early next week.
Labels: Security_Impact-Head Security_Severity-Medium
Could anyone add a component id?
Components: Internals>Skia>PDF
Cc: jialiul@chromium.org
jialiul: BTW, since subtly::FontAssembler::AssembleGlyphAndLocaTables() is not built into Chromium at all, should these labels be adjusted? e.g. Security_Impact-None?
Cc: -behdad@chromium.org thestig@chromium.org
Owner: behdad@chromium.org
behdad: Any chance you can take care of committing this to the sfntly repo? The overhead for me to do the same is a bit high.
Attachment: subtly.diff (739 bytes)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Via-Wizard -Security_Severity-Medium -Security_Impact-Head Type-Bug
thestig@, thanks for this info. I'll label it as regular bug then. 
Cc: -thestig@chromium.org behdad@chromium.org
Owner: thestig@chromium.org
Status: Started (was: Assigned)
Comment 13 by bugdroid1@chromium.org (Project Member), Oct 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0c0e20baae5cfc32465e84d0e56a82ab874788e9

commit 0c0e20baae5cfc32465e84d0e56a82ab874788e9
Author: thestig <thestig@chromium.org>
Date: Tue Oct 25 01:05:52 2016

Roll DEPS for sfntly 1ef790a..e33ba7a

https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a

e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
d651349 Check for negative size in NameTable::NameAsBytes.
8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
6d1efaa Fix out of bound access in subtly sample program.
cafc4c8 Merge pull request #59 from HalCanary/pronounciation
7d5169e README: pronounciation guide

BUG=638573,641452,646300,646347,654663,655914
TBR=behdad@chromium.org

Review-Url: https://codereview.chromium.org/2444123002
Cr-Commit-Position: refs/heads/master@{#427203}

[modify] https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9/DEPS

Status: Fixed (was: Started)
Comment 15 by bugdroid1@chromium.org (Project Member), Oct 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/00b023067c9a330d2041c81871b2804591522416

commit 00b023067c9a330d2041c81871b2804591522416
Author: thestig <thestig@chromium.org>
Date: Tue Oct 25 07:26:30 2016

Revert of Roll DEPS for sfntly 1ef790a..e33ba7a (patchset #1 id:1 of https://codereview.chromium.org/2444123002/ )

Reason for revert:
Broke some font rendering.

e.g.  https://crbug.com/659006 

Original issue's description:
> Roll DEPS for sfntly 1ef790a..e33ba7a
>
> https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a
>
> e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
> 1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
> d651349 Check for negative size in NameTable::NameAsBytes.
> 8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
> 1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
> 083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
> 6d1efaa Fix out of bound access in subtly sample program.
> cafc4c8 Merge pull request #59 from HalCanary/pronounciation
> 7d5169e README: pronounciation guide
>
> BUG=638573,641452,646300,646347,654663,655914
> TBR=behdad@chromium.org
>
> Committed: https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9
> Cr-Commit-Position: refs/heads/master@{#427203}

TBR=behdad@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=638573,641452,646300,646347,654663,655914

Review-Url: https://codereview.chromium.org/2445303002
Cr-Commit-Position: refs/heads/master@{#427296}

[modify] https://crrev.com/00b023067c9a330d2041c81871b2804591522416/DEPS

Status: Started (was: Fixed)
Comment 17 by bugdroid1@chromium.org (Project Member), Oct 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7ac63a352e7556a68224284af29db855b400a679

commit 7ac63a352e7556a68224284af29db855b400a679
Author: thestig <thestig@chromium.org>
Date: Wed Oct 26 21:42:15 2016

Roll DEPS for sfntly 1ef790a..6e98497

6e98497 Merge pull request #61 from leizleiz/leizleiz-tablefix
ebaa364 Fix breakage from commit 083b02b1.
e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
d651349 Check for negative size in NameTable::NameAsBytes.
8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
6d1efaa Fix out of bound access in subtly sample program.
cafc4c8 Merge pull request #59 from HalCanary/pronounciation
7d5169e README: pronounciation guide

BUG=638573,641452,646300,646347,654663,655914,659006
TBR=behdad@chromium.org

Review-Url: https://codereview.chromium.org/2452873003
Cr-Commit-Position: refs/heads/master@{#427819}

[modify] https://crrev.com/7ac63a352e7556a68224284af29db855b400a679/DEPS

Status: Fixed (was: Started)
