NULL Deref in xferColor
Issue description
This was found using the filter_proto_fuzzer I am working on (I will try adding it to ClusterFuzz soon).
A specially crafted Image Filter will cause SkXfermode::Peek(mode) to return NULL (the mode is kSrcOver, but it looks like any invalid mode will work); this NULL will then be dereferenced, causing a crash.
REPRODUCTION CASE
1. Build filter_fuzz_stub with these arguments (note: although this build uses ASAN, the crash also happens without any sanitizers at all)
enable_nacl = false
ffmpeg_branding = "ChromeOS"
pdf_enable_xfa = true
proprietary_codecs = true
use_goma = true
is_debug = false
is_asan = true
2. Run it on the attached input (skia-null-deref)
[1116/134438.745706:INFO:filter_fuzz_stub.cc(61)] Test case: skia-null-deref
[1116/134438.746564:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==112665==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001c61db7 bp 0x7ffd7e7700f0 sp 0x7ffd7e770000 T0)
==112665==The signal is caused by a READ memory access.
==112665==Hint: address points to the zero page.
#0 0x1c61db6 in xferColor(unsigned int, unsigned int, SkBlendMode) third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37
#1 0x1c61510 in SkLayerDrawLooper::LayerDrawLooperContext::ApplyInfo(SkPaint*, SkPaint const&, SkLayerDrawLooper::LayerInfo const&) third_party/skia/src/effects/SkLayerDrawLooper.cpp:76:19
#2 0x1c620fb in SkLayerDrawLooper::LayerDrawLooperContext::next(SkCanvas*, SkPaint*) third_party/skia/src/effects/SkLayerDrawLooper.cpp:152:5
#3 0x14fd4ba in SkDrawLooper::canComputeFastBounds(SkPaint const&) const third_party/skia/src/core/SkDrawLooper.cpp:22:22
#4 0x14e8a31 in SkPaint::canComputeFastBounds() const third_party/skia/src/core/SkPaint.cpp:1989:35
#5 0x120cb40 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2010:15
#6 0x1204024 in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
#7 0x1c90a48 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
#8 0x13c422c in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
#9 0x123b5d0 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
#10 0x11f8fcd in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
#11 0x11f1401 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
#12 0x1228702 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
#13 0x120ce29 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2025:5
#14 0x1204024 in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1710:11
#15 0x1c90a48 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
#16 0x13c422c in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
#17 0x123b5d0 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:421:33
#18 0x11f8fcd in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1313:25
#19 0x11f1401 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1201:19
#20 0x1228702 in AutoDrawLooper::~AutoDrawLooper() third_party/skia/src/core/SkCanvas.cpp:495:22
#21 0x121231e in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2308:1
#22 0x120828c in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1831:11
#23 0xa37f4c in (anonymous namespace)::RunTestCase(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
#24 0xa36865 in (anonymous namespace)::ReadAndRunTestCase(char const*, SkBitmap&, SkCanvas*) skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:3
#25 0xa362af in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:10
#26 0x7f34ac6bbf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/effects/SkLayerDrawLooper.cpp:57:37 in xferColor(unsigned int, unsigned int, SkBlendMode)
==112665==ABORTING
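An added illustration of the failure shape the report describes; this is not the reporter's fuzzer code and not Skia's code, and every name in it (BlendMode, Peek, xferColorUnchecked, xferColorChecked, isValidBlendMode, srcOverGeneral) is a hypothetical stand-in. It models a lookup in the style of SkXfermode::Peek() that legitimately returns nullptr for a mode without a fast-path proc, a caller that dereferences that result unconditionally as the crashing xferColor frame did, and a hardened caller that null-checks and falls back to a general routine. Because the crashing input is a serialized filter, it also shows the range check a deserializer should apply to the raw mode byte before it is trusted:

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical blend-mode enum (the real SkBlendMode has many more entries).
enum class BlendMode : uint8_t { kClear = 0, kSrc, kDst, kSrcOver, kLastMode = kSrcOver };

using XferProc = uint32_t (*)(uint32_t src, uint32_t dst);

static uint32_t clearProc(uint32_t, uint32_t) { return 0; }
static uint32_t srcProc(uint32_t s, uint32_t) { return s; }
static uint32_t dstProc(uint32_t, uint32_t d) { return d; }

// Model of a Peek()-style lookup: a table that yields nullptr both for a valid
// mode with no fast-path proc (kSrcOver here) and for any out-of-range value.
XferProc Peek(BlendMode mode) {
    static const XferProc kTable[] = { clearProc, srcProc, dstProc, /* kSrcOver */ nullptr };
    size_t i = static_cast<size_t>(mode);
    return i < sizeof(kTable) / sizeof(kTable[0]) ? kTable[i] : nullptr;
}

// Deserialization-time check: reject raw mode bytes outside the enum range
// before they are ever converted to BlendMode and passed into the table.
bool isValidBlendMode(uint8_t raw) {
    return raw <= static_cast<uint8_t>(BlendMode::kLastMode);
}

// General (slow) premultiplied ARGB8888 src-over, used when no fast proc exists.
uint32_t srcOverGeneral(uint32_t src, uint32_t dst) {
    uint32_t inv = 255 - (src >> 24);
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        uint32_t s = (src >> shift) & 0xFF;
        uint32_t d = (dst >> shift) & 0xFF;
        out |= ((s + (d * inv + 127) / 255) & 0xFF) << shift;
    }
    return out;
}

// Buggy shape of the reported code: the proc returned by Peek() is called
// unconditionally, so a nullptr result is a NULL deref on a fuzzer-chosen mode.
uint32_t xferColorUnchecked(uint32_t src, uint32_t dst, BlendMode mode) {
    XferProc proc = Peek(mode);
    return proc(src, dst);   // crashes when proc == nullptr
}

// Hardened shape: treat nullptr as "no fast path" and take the general route;
// the default branch is unreachable once isValidBlendMode() has run on input.
uint32_t xferColorChecked(uint32_t src, uint32_t dst, BlendMode mode) {
    if (XferProc proc = Peek(mode)) {
        return proc(src, dst);
    }
    switch (mode) {
        case BlendMode::kSrcOver: return srcOverGeneral(src, dst);
        default:                  return dst;   // leave the destination untouched
    }
}
```

The two defenses are independent: the range check stops garbage mode values at the trust boundary, while the null check protects valid modes that simply lack a fast path, which is the case the report highlights with kSrcOver.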
Nov 17 2017
We can take a look at avoiding the scenario, but yes, we are not treating null derefs with much priority right now. Let's make this available in our component.
Jan 7 2018
This no longer reproduces. I assume it has been fixed.
Jan 8 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5561091274047488.
Jan 9 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6404559902867456.
Jan 9 2018
Detailed report: https://clusterfuzz.com/testcase?key=6404559902867456

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  SkLayerDrawLooper::LayerDrawLooperContext::ApplyInfo
  SkLayerDrawLooper::LayerDrawLooperContext::next
  SkDrawLooper::canComputeFastBounds

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522592:522619

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6404559902867456

See https://github.com/google/clusterfuzz-tools for more information.
Jan 14 2018
ClusterFuzz testcase 6404559902867456 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jan 18 2018
ClusterFuzz has detected this issue as fixed in range 529706:529710.

Detailed report: https://clusterfuzz.com/testcase?key=6404559902867456

Job Type: linux_msan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  SkLayerDrawLooper::LayerDrawLooperContext::ApplyInfo
  SkLayerDrawLooper::LayerDrawLooperContext::next
  SkDrawLooper::canComputeFastBounds

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=522592:522619
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=529706:529710

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6404559902867456

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2018
ClusterFuzz testcase 6404559902867456 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 18 2018
Issue 803363 has been merged into this issue.
Comment 1 by mmoroz@chromium.org, Nov 16 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Restrict-View-Google Type-Bug
Owner: hcm@chromium.org