[sfntly] AddressSanitizer: heap-buffer-overflow on address 0x60200000ee74
Reported by marcin.t...@gmail.com, Aug 17 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2824.0 Safari/537.36

Steps to reproduce the problem:
URL: https://github.com/googlei18n/sfntly
Compiled 17.08.16 14:00
1. run ./subtly_debug subtly-heap-buffer-overflow.tmp
2. Crash

What is the expected behavior?

What went wrong?
=================================================================
==25214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee74 at pc 0x0000005b30b2 bp 0x7ffdc96d5550 sp 0x7ffdc96d5548
WRITE of size 4 at 0x60200000ee74 thread T0
    #0 0x5b30b1 in subtly::FontAssembler::AssembleGlyphAndLocaTables() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b30b1)
    #1 0x5aeee5 in subtly::FontAssembler::Assemble() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5aeee5)
    #2 0x5a3b5d in subtly::Subsetter::Subset() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5a3b5d)
    #3 0x59e1e0 in main (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59e1e0)
    #4 0x7fb5c4bb9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #5 0x4d07c5 in _start (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x4d07c5)

0x60200000ee74 is located 0 bytes to the right of 4-byte region [0x60200000ee70,0x60200000ee74)
allocated by thread T0 here:
    #0 0x59ba0b in operator new(unsigned long) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59ba0b)
    #1 0x5c0091 in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5c0091)
    #2 0x5bf744 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5bf744)
    #3 0x5be61d in std::vector<int, std::allocator<int> >::_M_insert_aux(__gnu_cxx::__normal_iterator<int*, std::vector<int, std::allocator<int> > >, int const&) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5be61d)
    #4 0x5b5dd5 in std::vector<int, std::allocator<int> >::push_back(int const&) (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b5dd5)
    #5 0x5b1f66 in subtly::FontAssembler::AssembleGlyphAndLocaTables() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b1f66)
    #6 0x5aeee5 in subtly::FontAssembler::Assemble() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5aeee5)
    #7 0x5a3b5d in subtly::Subsetter::Subset() (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5a3b5d)
    #8 0x59e1e0 in main (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x59e1e0)
    #9 0x7fb5c4bb9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/Fuzzing/Targets/sfntly/cpp/bin/subtly_debug+0x5b30b1) in subtly::FontAssembler::AssembleGlyphAndLocaTables()
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa[04]fa
  0x0c047fff9dd0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa 00 04 fa fa fd fd
  0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25214==ABORTING

Did this work before? N/A

Chrome version: 54.0.2824.0 Channel: stable
OS Version: 14.04
Flash Version:
Aug 18 2016
Aug 19 2016
+vandebo@chromium.org, could you take a look at this one since arthurhsu@ is OOO? I'd really appreciate it if you could help triage this issue. Thanks!
Aug 19 2016
Lei or Hal probably know who best to take a look.
Aug 19 2016
+behdad FYI. I'll take a look early next week.
Aug 19 2016
Could anyone add a component id?
Aug 19 2016
Aug 20 2016
jialiul: BTW, since subtly::FontAssembler::AssembleGlyphAndLocaTables() is not built into Chromium at all, should these labels be adjusted? e.g. Security_Impact-None?
Aug 20 2016
behdad: Any chance you can take care of committing this to the sfntly repo? The overhead for me to do the same is a bit high.
Aug 20 2016
thestig@, thanks for this info. I'll label it as regular bug then.
Sep 9 2016
Oct 19 2016
Oct 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0c0e20baae5cfc32465e84d0e56a82ab874788e9

commit 0c0e20baae5cfc32465e84d0e56a82ab874788e9
Author: thestig <thestig@chromium.org>
Date: Tue Oct 25 01:05:52 2016

Roll DEPS for sfntly 1ef790a..e33ba7a

https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a

e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
d651349 Check for negative size in NameTable::NameAsBytes.
8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
6d1efaa Fix out of bound access in subtly sample program.
cafc4c8 Merge pull request #59 from HalCanary/pronounciation
7d5169e README: pronounciation guide

BUG=638573,641452,646300,646347,654663,655914
TBR=behdad@chromium.org

Review-Url: https://codereview.chromium.org/2444123002
Cr-Commit-Position: refs/heads/master@{#427203}

[modify] https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9/DEPS
Oct 25 2016
Oct 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/00b023067c9a330d2041c81871b2804591522416

commit 00b023067c9a330d2041c81871b2804591522416
Author: thestig <thestig@chromium.org>
Date: Tue Oct 25 07:26:30 2016

Revert of Roll DEPS for sfntly 1ef790a..e33ba7a (patchset #1 id:1 of https://codereview.chromium.org/2444123002/ )

Reason for revert:
Broke some font rendering. e.g. https://crbug.com/659006

Original issue's description:
> Roll DEPS for sfntly 1ef790a..e33ba7a
>
> https://chromium.googlesource.com/external/github.com/googlei18n/sfntly/+log/1ef790a..e33ba7a
>
> e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
> 1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
> d651349 Check for negative size in NameTable::NameAsBytes.
> 8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
> 1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
> 083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
> 6d1efaa Fix out of bound access in subtly sample program.
> cafc4c8 Merge pull request #59 from HalCanary/pronounciation
> 7d5169e README: pronounciation guide
>
> BUG=638573,641452,646300,646347,654663,655914
> TBR=behdad@chromium.org
>
> Committed: https://crrev.com/0c0e20baae5cfc32465e84d0e56a82ab874788e9
> Cr-Commit-Position: refs/heads/master@{#427203}

TBR=behdad@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=638573,641452,646300,646347,654663,655914

Review-Url: https://codereview.chromium.org/2445303002
Cr-Commit-Position: refs/heads/master@{#427296}

[modify] https://crrev.com/00b023067c9a330d2041c81871b2804591522416/DEPS
Oct 25 2016
Oct 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7ac63a352e7556a68224284af29db855b400a679

commit 7ac63a352e7556a68224284af29db855b400a679
Author: thestig <thestig@chromium.org>
Date: Wed Oct 26 21:42:15 2016

Roll DEPS for sfntly 1ef790a..6e98497

6e98497 Merge pull request #61 from leizleiz/leizleiz-tablefix
ebaa364 Fix breakage from commit 083b02b1.
e33ba7a Merge pull request #60 from leizleiz/leizleiz-crbug
1bc53e1 Fix undefined shifts in ReadableFontData::ReadShort.
d651349 Check for negative size in NameTable::NameAsBytes.
8475d2f Avoid NULL derefs inside FontHeaderTable::Builder.
1fba3b3 Fix undefined shifts in ReadableFontData::ReadLong.
083b02b Fix NULL pointer derefs in sfntly::Font::Builder.
6d1efaa Fix out of bound access in subtly sample program.
cafc4c8 Merge pull request #59 from HalCanary/pronounciation
7d5169e README: pronounciation guide

BUG=638573,641452,646300,646347,654663,655914,659006
TBR=behdad@chromium.org

Review-Url: https://codereview.chromium.org/2452873003
Cr-Commit-Position: refs/heads/master@{#427819}

[modify] https://crrev.com/7ac63a352e7556a68224284af29db855b400a679/DEPS
Oct 26 2016
Comment 1 by jialiul@chromium.org, Aug 17 2016