
Issue 725975

Issue metadata

Status: Fixed
Closed: Jun 2017
OS: Linux
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in copyFTBitmap

Reported by ClusterFuzz (Project Member), May 24 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6577051430813696

Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x619000030180
Crash State:
  copyFTBitmap
  SkScalerContext_FreeType_Base::generateGlyphImage
  SkScalerContext_FreeType::generateImage
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=470069:470142

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577051430813696


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), May 25 2017

Labels: M-60

Comment 2 by sheriffbot@chromium.org (Project Member), May 25 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), May 25 2017

Labels: Pri-1

Comment 4 by kenrb@chromium.org, May 25 2017

Cc: reed@chromium.org mtklein@chromium.org
Components: Internals>Skia
Cluster-fuzz marked this as a regression but I don't see any candidates in the range (and in particular, no Skia rolls).

Is anyone on the Skia team able to help triage this?

Owner: drott@chromium.org
Probably triggered by "Statically link own version of FreeType on Linux" ?


Comment 6 by sheriffbot@chromium.org (Project Member), May 26 2017

Status: Assigned (was: Untriaged)

Comment 7 by drott@chromium.org, May 29 2017

Cc: drott@chromium.org
Owner: reed@chromium.org
Perhaps exposed through the static FreeType linkage CL, which brings in a newer FreeType version than what the inferno_twister_c/linux_asan_chrome_media tests used to run before, since we do not rely on the platform's FreeType version anymore. Are the linux_asan_chrome_media tests run through the chrome or through the content_shell executable? content_shell used to link FreeType statically even before.

Still, I believe the Skia team would be the right team to investigate this and perhaps reduce this to a FreeType issue? Mike, could you take a look or route this appropriately?

Comment 8 by hcm@chromium.org, May 30 2017

Cc: bunge...@chromium.org
Owner: reed@google.com
Probably should route to Ben but he is out for a while, so leave w/ Mike for a look.

Comment 9 by drott@chromium.org, Jun 6 2017

Cc: -bunge...@chromium.org
Owner: bunge...@chromium.org

Comment 10 by sheriffbot@chromium.org (Project Member), Jun 6 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable

Comment 12 by sheriffbot@chromium.org (Project Member), Jun 8 2017

bungeman: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by sheriffbot@chromium.org (Project Member), Jun 22 2017

bungeman: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Cc: -mtklein@chromium.org

Comment 15 by bugdroid1@chromium.org (Project Member), Jun 27 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/c3aef18419c1bb16951370e11758c7ef131fa10b

commit c3aef18419c1bb16951370e11758c7ef131fa10b
Author: Ben Wagner <bungeman@google.com>
Date: Tue Jun 27 14:01:35 2017

Load FreeType glyph bitmap before emboldening.

If a bitmap glyph was loaded with FT_LOAD_BITMAP_METRICS_ONLY then the
glyph must be re-loaded without this flag before accessing the bitmap.

BUG= chromium:725975 

Change-Id: If5e5a6844e9c32238560135e141fea7f77ad7fac
Reviewed-on: https://skia-review.googlesource.com/20830
Reviewed-by: Herb Derby <herb@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
Commit-Queue: Ben Wagner <bungeman@google.com>

[modify] https://crrev.com/c3aef18419c1bb16951370e11758c7ef131fa10b/src/ports/SkFontHost_FreeType.cpp
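
The precondition the commit message states (a glyph loaded with FT_LOAD_BITMAP_METRICS_ONLY has no usable bitmap until it is re-loaded without that flag) as an added C model; this is example code written for this page, not Skia's or FreeType's. A hypothetical loader `load_glyph` honours a `LOAD_BITMAP_METRICS_ONLY` flag by filling in the bitmap dimensions but leaving `buffer` NULL, `copy_bitmap_checked` refuses to copy from a metrics-only bitmap or into a destination smaller than the source instead of trusting the reported dimensions, and `generate_image` re-loads with the flag cleared before the pixels are touched, which is the ordering the commit restores. All names, the 8x4 test glyph and its pixel values are constructed for the example; the thread does not describe in detail how the overflow in copyFTBitmap arose, so the model covers only the invariant the commit message gives.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a glyph slot bitmap (not FreeType's FT_Bitmap). */
typedef struct {
    unsigned width;        /* pixels per row */
    unsigned rows;         /* number of rows */
    unsigned pitch;        /* bytes per row in buffer */
    unsigned char *buffer; /* NULL when only metrics were loaded */
} GlyphBitmap;

/* Hypothetical flag with the FT_LOAD_BITMAP_METRICS_ONLY contract:
 * report the bitmap's size, do not render its pixels. */
#define LOAD_BITMAP_METRICS_ONLY 1u

/* Hypothetical loader for a fixed 8x4 test glyph. Returns 0 on success. */
static int load_glyph(GlyphBitmap *bm, unsigned flags) {
    bm->width = 8;
    bm->rows = 4;
    bm->pitch = 8;
    bm->buffer = NULL;
    if (flags & LOAD_BITMAP_METRICS_ONLY)
        return 0; /* metrics only: dimensions valid, no pixel data */
    bm->buffer = malloc((size_t)bm->pitch * bm->rows);
    if (bm->buffer == NULL)
        return -1;
    for (unsigned r = 0; r < bm->rows; r++)
        for (unsigned c = 0; c < bm->width; c++)
            bm->buffer[r * bm->pitch + c] = (unsigned char)(0x10 * (r + 1) + c);
    return 0;
}

/* Copy into a caller-owned destination of dst_rows * dst_pitch bytes.
 * Returns 0 on success, -1 if the source has no pixels (metrics-only
 * load), -2 if the source would not fit; no write ever goes past dst. */
static int copy_bitmap_checked(const GlyphBitmap *src, unsigned char *dst,
                               unsigned dst_rows, size_t dst_pitch) {
    if (src->buffer == NULL)
        return -1;
    if (src->width > dst_pitch || src->rows > dst_rows || src->width > src->pitch)
        return -2;
    for (unsigned r = 0; r < src->rows; r++)
        memcpy(dst + r * dst_pitch, src->buffer + (size_t)r * src->pitch, src->width);
    return 0;
}

/* The ordering the fix restores: a glyph loaded metrics-only is re-loaded
 * with the flag cleared before anything reads or copies its bitmap. */
static int generate_image(unsigned load_flags, unsigned char *dst,
                          unsigned dst_rows, size_t dst_pitch) {
    GlyphBitmap bm;
    if (load_glyph(&bm, load_flags) != 0)
        return -1;
    if (bm.buffer == NULL) {
        /* was loaded with LOAD_BITMAP_METRICS_ONLY: re-load for real */
        if (load_glyph(&bm, load_flags & ~LOAD_BITMAP_METRICS_ONLY) != 0)
            return -1;
    }
    int rc = copy_bitmap_checked(&bm, dst, dst_rows, dst_pitch);
    free(bm.buffer);
    return rc;
}

/* Scenario functions so the outcomes can be checked without printing. */

/* Metrics-only request followed by the re-load: the copy succeeds and the
 * pixel at row 1, column 3 is 0x23. */
int demo_reload_then_copy(void) {
    unsigned char dst[32] = {0};
    if (generate_image(LOAD_BITMAP_METRICS_ONLY, dst, 4, 8) != 0)
        return -1;
    return dst[1 * 8 + 3];
}

/* Skipping the re-load: the checked copy refuses the metrics-only bitmap. */
int demo_copy_without_reload(void) {
    GlyphBitmap bm;
    unsigned char dst[32];
    load_glyph(&bm, LOAD_BITMAP_METRICS_ONLY);
    return copy_bitmap_checked(&bm, dst, 4, 8);
}

/* Destination sized for 2 rows but the glyph has 4: refused, not overflowed. */
int demo_copy_into_small_dest(void) {
    GlyphBitmap bm;
    unsigned char dst[16];
    if (load_glyph(&bm, 0) != 0)
        return -1;
    int rc = copy_bitmap_checked(&bm, dst, 2, 8);
    free(bm.buffer);
    return rc;
}

int main(void) {
    printf("reload then copy: pixel(1,3) = 0x%02x\n", (unsigned)demo_reload_then_copy());
    printf("copy without reload: rc = %d\n", demo_copy_without_reload());
    printf("copy into small dest: rc = %d\n", demo_copy_into_small_dest());
    return 0;
}
```

The two checks in `copy_bitmap_checked` are the ones a practitioner would want in any routine that copies from a library-owned bitmap: a NULL buffer is a sign the glyph was never rendered, and the destination size must be compared against the source's own dimensions rather than against whatever metrics were recorded earlier.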

Comment 16 by drott@chromium.org, Jun 27 2017

Thank you for taking care of this, Ben! Good work.

Comment 17 by bugdroid1@chromium.org (Project Member), Jun 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/383b1531c8cc2045bf7fce9f8eabd800ce9db007

commit 383b1531c8cc2045bf7fce9f8eabd800ce9db007
Author: skia-deps-roller@chromium.org <skia-deps-roller@chromium.org>
Date: Tue Jun 27 16:39:35 2017

Roll src/third_party/skia/ 70e3e9adc..ed5020068 (5 commits)

https://skia.googlesource.com/skia.git/+log/70e3e9adc57d..ed50200682e0

$ git log 70e3e9adc..ed5020068 --date=short --no-merges --format='%ad %ae %s'
2017-06-27 ethannicholas Revert "sksl fragment processor support"
2017-06-27 ethannicholas sksl fragment processor support
2017-06-26 bungeman Load FreeType glyph bitmap before emboldening.
2017-06-19 mtklein add _hsw lowp backend
2017-06-26 jvanverth Add shading language version to GL dump

Created with:
  roll-dep src/third_party/skia
BUG= 725975 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel
TBR=robertphillips@chromium.org

Change-Id: I6daab463fa4997e6d23f98f0a31d76921084664a
Reviewed-on: https://chromium-review.googlesource.com/550316
Reviewed-by: Skia Deps Roller <skia-deps-roller@chromium.org>
Commit-Queue: Skia Deps Roller <skia-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482648}
[modify] https://crrev.com/383b1531c8cc2045bf7fce9f8eabd800ce9db007/DEPS


Comment 18 by ClusterFuzz (Project Member), Jun 28 2017

ClusterFuzz has detected this issue as fixed in range 482636:482655.

Detailed report: https://clusterfuzz.com/testcase?key=6577051430813696

Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x619000030180
Crash State:
  copyFTBitmap
  SkScalerContext_FreeType_Base::generateGlyphImage
  SkScalerContext_FreeType::generateImage
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=470069:470142
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=482636:482655

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577051430813696


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 19 by drott@chromium.org, Jun 28 2017

Status: Fixed (was: Assigned)

Comment 20 by sheriffbot@chromium.org (Project Member), Jun 28 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 21 by sheriffbot@chromium.org (Project Member), Jun 30 2017

Labels: Merge-Request-60

Comment 22 by sheriffbot@chromium.org (Project Member), Jun 30 2017

Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The actual merge doesn't require any DEPS, this is just merging Skia change https://skia.googlesource.com/skia/+/c3aef18419c1bb16951370e11758c7ef131fa10b into Skia's chrome/m60 branch.

Labels: -Merge-Review-60 Merge-Approved-60
This bug meets the bar for merge to M60. Approving merge. (branch: 3112)

Labels: -Hotlist-Merge-Review -ReleaseBlock-Stable -Merge-Approved-60

Comment 27 by sheriffbot@chromium.org (Project Member), Oct 4 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
