
Issue 784074


Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




pobfuzz: SkTextBlob::Deserialize -> SkReadBuffer::readFlattenable<SkPathEffect> -> null deref

Project Member Reported by ClusterFuzz, Nov 11 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5432308206403584

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sk_sp<SkString::Rec>::get
  =<SkString::Rec, SkString::Rec>
  SkString::operator=
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=515040:515064

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5432308206403584

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Components: Internals>Skia

Comment 2 by enne@chromium.org, Nov 14 2017

Cc: enne@chromium.org
Labels: -Pri-1 Pri-2
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
Summary: pobfuzz: SkTextBlob::Deserialize -> SkReadBuffer::readFlattenable<SkPathEffect> -> null deref (was: Null-dereference READ in sk_sp<SkString::Rec>::get)
This might be a Skia bug, but may be something that needs to be guarded against in cc as well.  If it is a Skia bug, just assign to bsalomon.

Comment 3 by vmp...@chromium.org, Nov 14 2017

Cc: vmp...@chromium.org
Owner: bsalomon@chromium.org
Yeah this seems like not something we can check before doing the actual deserialization. The assert that triggers is here:
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkReadBuffer.cpp?sq=package:chromium&dr&l=370. It seems that we're trying to find an index in the fFlattenableDict that doesn't exist. Without running through the buffer to see what is populated and referenced, I don't really see a way to fix this. Brian, do you have other suggestions?

Full stack:
#0  0x00007ffff630fc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6313028 in __GI_abort () at abort.c:89
#2  0x00007ffff708c679 in sk_abort_no_print () at ../../skia/ext/SkMemory_new_handler.cpp:32
#3  0x00007ffff725180f in SkReadBuffer::readFlattenable(SkFlattenable::Type)::$_3::operator()() const (this=0x7fffffffce30) at ../../third_party/skia/src/core/SkReadBuffer.cpp:370
#4  0x00007ffff72515fe in SkReadBuffer::readFlattenable (this=0x7fffffffd1b8, ft=SkFlattenable::kSkPathEffect_Type) at ../../third_party/skia/src/core/SkReadBuffer.cpp:370
#5  0x00007ffff720ea6e in SkReadBuffer::readFlattenable<SkPathEffect> (this=0x7fffffffd1b8) at ../../third_party/skia/src/core/SkReadBuffer.h:150
#6  0x00007ffff720de7c in SkReadBuffer::readPathEffect (this=0x7fffffffd1b8) at ../../third_party/skia/src/core/SkReadBuffer.h:156
#7  0x00007ffff720a105 in SkPaint::unflatten (this=0x7fffffffd070, buffer=...) at ../../third_party/skia/src/core/SkPaint.cpp:1942
#8  0x00007ffff72523ad in SkReadBuffer::readPaint (this=0x7fffffffd1b8, paint=0x7fffffffd070) at ../../third_party/skia/src/core/SkReadBuffer.h:146
#9  0x00007ffff72d2e52 in SkTextBlob::MakeFromBuffer (reader=...) at ../../third_party/skia/src/core/SkTextBlob.cpp:780
#10 0x00007ffff72d33fa in SkTextBlob::Deserialize (data=0x2b4caaf52f28, length=132, proc=0x7ffff7f9a5d0 <cc::(anonymous namespace)::ResolveTypeface(unsigned int, void*)>, 
    ctx=0x7fffffffd2e8) at ../../third_party/skia/src/core/SkTextBlob.cpp:863
#11 0x00007ffff7f9a52b in cc::PaintOpReader::Read (this=0x7fffffffd428, typefaces=..., blob=0x7fffffffd338) at ../../cc/paint/paint_op_reader.cc:353
#12 0x00007ffff7f9a9ff in cc::PaintOpReader::Read (this=0x7fffffffd428, paint_blob=0x2b4caaf51e58) at ../../cc/paint/paint_op_reader.cc:364
#13 0x00007ffff7f86537 in cc::DrawTextBlobOp::Deserialize (input=0x2b4caaf27de0, input_size=240, output=0x2b4caaf51e00, output_size=240, options=...)
    at ../../cc/paint/paint_op_buffer.cc:838
#14 0x00007ffff7f88c6e in cc::PaintOp::Deserialize (input=0x2b4caaf27de0, input_size=240, output=0x2b4caaf51e00, output_size=240, read_bytes=0x7fffffffd770, options=...)
    at ../../cc/paint/paint_op_buffer.cc:1262
#15 0x00000000002032ec in LLVMFuzzerTestOneInput (data=0x2b4caaf27de0 <incomplete sequence \360>, size=240) at ../../cc/paint/paint_op_buffer_fuzzer.cc:42
#16 0x000000000020439e in main (argc=2, argv=0x7fffffffda58) at ../../testing/libfuzzer/unittest_main.cc:57
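
The failure class described in comment 3 is a deserializer resolving a factory index through a per-buffer dictionary and hitting an entry that was never populated. The following is an added example, not Skia's or Chromium's code: a minimal read buffer in the same style, with a hypothetical dictionary (standing in for fFlattenableDict), a sticky validity flag, and a lookup that rejects out-of-range indices and truncated input as a validation failure instead of reaching an abort. The names (ReadBuffer, readFlattenable, readPaintLike, the two-entry dictionary) and the 1-based index encoding are assumptions chosen for the illustration.

```cpp
// Added example, not Skia's or Chromium's code. A minimal read buffer in the
// style of a flattenable deserializer: factory indices in the input are
// resolved through a per-buffer dictionary. Indices the dictionary does not
// contain, and short reads, poison the buffer so the caller can reject the op.
#include <cstdint>
#include <cstring>
#include <functional>
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

struct Flattenable { std::string name; };
using Factory = std::function<std::unique_ptr<Flattenable>()>;

class ReadBuffer {
public:
    ReadBuffer(const uint8_t* data, size_t len, std::vector<Factory> dict)
        : fData(data), fLen(len), fDict(std::move(dict)) {}

    bool isValid() const { return fValid; }

    // Little-endian u32; a short read invalidates the buffer rather than reading past it.
    uint32_t readU32() {
        if (!validate(fLen - fPos >= sizeof(uint32_t))) return 0;
        uint32_t v;
        std::memcpy(&v, fData + fPos, sizeof v);
        fPos += sizeof v;
        return v;
    }

    // Assumed encoding: 1-based dictionary index, 0 means "no flattenable".
    // An index with no dictionary entry invalidates the buffer instead of aborting.
    std::unique_ptr<Flattenable> readFlattenable() {
        uint32_t index = readU32();
        if (!fValid || index == 0) return nullptr;
        if (!validate(index <= fDict.size())) return nullptr;
        return fDict[index - 1]();
    }

private:
    // Sticky validity flag: once false, every later read returns a default value.
    bool validate(bool ok) { fValid = fValid && ok; return fValid; }

    const uint8_t* fData;
    size_t fLen;
    size_t fPos = 0;
    bool fValid = true;
    std::vector<Factory> fDict;
};

// Outcome a caller (a paint-op reader, say) would branch on.
enum class ReadResult { kOk, kAbsent, kInvalid };

// Mimics the shape of "read a paint": a u32 color followed by a path-effect index.
// The constructed two-entry dictionary stands in for the real fFlattenableDict.
ReadResult readPaintLike(const std::vector<uint8_t>& input, std::string* effectName) {
    std::vector<Factory> dict = {
        [] { return std::make_unique<Flattenable>(Flattenable{"DashPathEffect"}); },
        [] { return std::make_unique<Flattenable>(Flattenable{"CornerPathEffect"}); },
    };
    ReadBuffer buf(input.data(), input.size(), std::move(dict));
    (void)buf.readU32();                                   // color, unused here
    std::unique_ptr<Flattenable> effect = buf.readFlattenable();
    if (!buf.isValid()) return ReadResult::kInvalid;       // reject the whole op
    if (!effect) return ReadResult::kAbsent;
    if (effectName) *effectName = effect->name;
    return ReadResult::kOk;
}

// Builds constructed inputs: a sequence of little-endian u32 words.
std::vector<uint8_t> u32s(std::initializer_list<uint32_t> words) {
    std::vector<uint8_t> out;
    for (uint32_t w : words)
        for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(w >> (8 * i)));
    return out;
}
```

The design point is that the index check lives in the buffer, not in each caller: a fuzzer-generated input with a dangling index (as in the report above) yields kInvalid from readPaintLike, and the same sticky flag also covers the truncated-input case, so the caller needs only one isValid() check before trusting anything it read.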

Comment 4 by ClusterFuzz (Project Member), Nov 16 2017

ClusterFuzz has detected this issue as fixed in range 516771:516815.

Detailed report: https://clusterfuzz.com/testcase?key=5432308206403584

Fuzzer: libFuzzer_paint_op_buffer_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sk_sp<SkString::Rec>::get
  =<SkString::Rec, SkString::Rec>
  SkString::operator=
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=515040:515064
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=516771:516815

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5432308206403584

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Nov 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5432308206403584 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
