Issue 703397 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Security




Heap-buffer-overflow in load_rgb_from_tables<Order::kRGBA_Order>

Project Member Reported by ClusterFuzz, Mar 20 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6484562843795456

Fuzzer: libfuzzer_blink_png_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x608000003174
Crash State:
  load_rgb_from_tables<Order::kRGBA_Order>
  void color_xform_RGBA<
  apply_set_alpha<SrcFormat::kRGBA_NUMBER_Table_SrcFormat,
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=456783:456847

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95EX05lmTKjz8Su7FbT7tmY51TOjWK2YHVg5etcmRX_Rckyw_-hhBLFuG4gOL994Eim2-NA12hWw-8aIcwN5MRhfbTdtH-w284ZiiYsFxuNtVD7gK5-z0zb6PPeHvCO7O1uA0iZYaz02zrbMXiGt_9j-WeR6iQz5RbryRejmF4fcwLjVn6gfolO-ilgou5-G9z78EZU99wu3hqLip0dHuZWrQ1Bgm1yRJ2K9KtNU1vRgWBqDSXrChkg0-5312ZAF2tXc_cQfvEN3ZRcaV6pqYWINAsOaqGd-d2q_NJRmNI039451Pbqae_Je_OGYhUwQHdVqSuXd2MV5dxWPDT1wsSQ23tphKLnfquB65dlQZUcWOlJqR67Iv5gn8xFiaTuPNZJMfHFgkih-S5gmCYoT53M0OjovA?testcase_id=6484562843795456


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by sheriffbot@chromium.org (Project Member), Mar 21 2017

Labels: M-59

Comment 2 by sheriffbot@chromium.org (Project Member), Mar 21 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Mar 21 2017

Labels: Pri-1

Comment 4 by rsesek@chromium.org, Mar 21 2017

Components: Internals>Images>Codecs
Owner: scroggo@chromium.org
Status: Assigned (was: Untriaged)
scroggo: This may be related to https://chromium.googlesource.com/chromium/src/+/7d2b8c45afc9c0230410011293cc2e1dbb8943a7.
Status: Started (was: Assigned)
Fix at https://codereview.chromium.org/2761193003

Comment 6 by ClusterFuzz (Project Member), Mar 21 2017

Labels: OS-Mac

Comment 7 by bugdroid1@chromium.org (Project Member), Mar 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0fa5516411db46950188474b9382157d75810208

commit 0fa5516411db46950188474b9382157d75810208
Author: scroggo <scroggo@chromium.org>
Date: Wed Mar 22 13:16:45 2017

PNG: Use frame width when applying color xform

The row provided by libpng will only be as wide as the frame, so pass
that width to the color xform.

Similarly, for an opaque image, only apply the color xform to the
frame's width. The buffer may be wider (e.g. if the frame starts at
(0, y)), but these are the only pixels that have changed.

BUG=703397

Review-Url: https://codereview.chromium.org/2761193003
Cr-Commit-Position: refs/heads/master@{#458728}

[modify] https://crrev.com/0fa5516411db46950188474b9382157d75810208/third_party/WebKit/Source/platform/image-decoders/png/PNGImageDecoder.cpp
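As an added illustration of the width mix-up the commit describes (this is a self-contained sketch, not Blink's PNGImageDecoder code; every name in it is hypothetical), the C++ below models a canvas as wide as the whole image, a decoder row that holds only the frame's width of pixels, and a per-channel lookup-table color transform. Asking the transform to cover the image width when the source row is only frame-width wide is exactly the out-of-bounds read the report shows; the sketch checks the source row length and the destination bounds and rejects such a call instead of reading past the row.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example, not Blink's decoder: RGBA, 4 bytes per pixel.
constexpr size_t kBytesPerPixel = 4;

// Hypothetical stand-in for the decoder's "color xform": a 256-entry lookup
// table per color channel. Alpha is copied through unchanged.
struct ColorTables {
    uint8_t r[256];
    uint8_t g[256];
    uint8_t b[256];
};

// Sample transform (constructed): invert every color channel.
ColorTables make_inverting_tables() {
    ColorTables t;
    for (int i = 0; i < 256; ++i) {
        t.r[i] = t.g[i] = t.b[i] = static_cast<uint8_t>(255 - i);
    }
    return t;
}

// Destination buffer: image_width pixels per row, even when the frame being
// decoded covers only part of the row.
struct Canvas {
    size_t image_width;
    size_t image_height;
    std::vector<uint8_t> pixels;

    Canvas(size_t w, size_t h)
        : image_width(w), image_height(h), pixels(w * h * kBytesPerPixel, 0) {}
    uint8_t* row(size_t y) { return pixels.data() + y * image_width * kBytesPerPixel; }
};

// Transform xform_width pixels of src_row into canvas row y starting at
// column x_offset. src_row stands for the row handed back by the PNG
// decoder, which holds only the frame's width of pixels. The report's bug is
// a caller passing the image width here; every bound is checked so such a
// call returns false with the canvas untouched instead of reading past src_row.
bool apply_color_xform_row(const ColorTables& tables,
                           const uint8_t* src_row, size_t src_row_bytes,
                           size_t xform_width,
                           Canvas& canvas, size_t x_offset, size_t y) {
    if (src_row_bytes / kBytesPerPixel < xform_width) return false;   // source row shorter than requested
    if (y >= canvas.image_height) return false;
    if (x_offset > canvas.image_width ||
        xform_width > canvas.image_width - x_offset) return false;    // frame would spill past the canvas
    uint8_t* dst = canvas.row(y) + x_offset * kBytesPerPixel;
    for (size_t i = 0; i < xform_width; ++i) {
        const uint8_t* s = src_row + i * kBytesPerPixel;
        uint8_t* d = dst + i * kBytesPerPixel;
        d[0] = tables.r[s[0]];
        d[1] = tables.g[s[1]];
        d[2] = tables.b[s[2]];
        d[3] = s[3];
    }
    return true;
}

// Number of pixels in canvas row y that differ from the initial all-zero
// value, i.e. how many pixels the transform actually wrote.
size_t count_written_pixels(Canvas& canvas, size_t y) {
    size_t n = 0;
    const uint8_t* r = canvas.row(y);
    for (size_t i = 0; i < canvas.image_width; ++i) {
        const uint8_t* p = r + i * kBytesPerPixel;
        if (p[0] | p[1] | p[2] | p[3]) ++n;
    }
    return n;
}

int main() {
    ColorTables tables = make_inverting_tables();
    Canvas canvas(8, 1);  // 8-pixel-wide image, one row
    // Constructed decoder row for a 3-pixel-wide frame placed at x = 2.
    const uint8_t frame_row[3 * kBytesPerPixel] = {
        10, 20, 30, 255,  40, 50, 60, 255,  70, 80, 90, 255};
    const size_t frame_width = 3, frame_x = 2;

    // The mix-up from the report: image width passed instead of frame width.
    bool bad = apply_color_xform_row(tables, frame_row, sizeof frame_row,
                                     canvas.image_width, canvas, frame_x, 0);
    // Correct call: frame width, so only the frame's pixels are transformed.
    bool good = apply_color_xform_row(tables, frame_row, sizeof frame_row,
                                      frame_width, canvas, frame_x, 0);
    std::printf("image-width call rejected: %s, frame-width call ok: %s, pixels written: %zu\n",
                bad ? "no" : "yes", good ? "yes" : "no", count_written_pixels(canvas, 0));
    return (!bad && good) ? 0 : 1;
}
```

The source-row length check is the one that corresponds to the commit's change; the destination checks cover the related case of a frame offset plus width exceeding the canvas, which a decoder should validate from the frame header before any row is processed.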

Status: Fixed (was: Started)

Comment 9 by ClusterFuzz (Project Member), Mar 23 2017

ClusterFuzz has detected this issue as fixed in range 458723:458739.

Detailed report: https://clusterfuzz.com/testcase?key=6484562843795456

Fuzzer: libfuzzer_blink_png_decoder_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x608000003174
Crash State:
  load_rgb_from_tables<Order::kRGBA_Order>
  void color_xform_RGBA<
  apply_set_alpha<SrcFormat::kRGBA_NUMBER_Table_SrcFormat,
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=456783:456847
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=458723:458739

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95EX05lmTKjz8Su7FbT7tmY51TOjWK2YHVg5etcmRX_Rckyw_-hhBLFuG4gOL994Eim2-NA12hWw-8aIcwN5MRhfbTdtH-w284ZiiYsFxuNtVD7gK5-z0zb6PPeHvCO7O1uA0iZYaz02zrbMXiGt_9j-WeR6iQz5RbryRejmF4fcwLjVn6gfolO-ilgou5-G9z78EZU99wu3hqLip0dHuZWrQ1Bgm1yRJ2K9KtNU1vRgWBqDSXrChkg0-5312ZAF2tXc_cQfvEN3ZRcaV6pqYWINAsOaqGd-d2q_NJRmNI039451Pbqae_Je_OGYhUwQHdVqSuXd2MV5dxWPDT1wsSQ23tphKLnfquB65dlQZUcWOlJqR67Iv5gn8xFiaTuPNZJMfHFgkih-S5gmCYoT53M0OjovA?testcase_id=6484562843795456


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by sheriffbot@chromium.org (Project Member), Mar 23 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Issue 712197 has been merged into this issue.

Comment 13 by ClusterFuzz (Project Member), Apr 18 2017

Labels: OS-Windows

Comment 14 by sheriffbot@chromium.org (Project Member), Jun 29 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
