Issue 793351 link

Issue metadata

Status: Verified
Owner: ----
Closed: Jan 2018
Pri: 3
Type: Bug

NULL deref (read) in SkPicturePlayback

Project Member Reported by metzman@chromium.org, Dec 8 2017

Issue description

My skia_image_filter_proto_fuzzer (I've called it filter_proto_fuzzer before) found this.

REPRODUCTION CASE

1. Build filter_fuzz_stub with these arguments:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
pdf_enable_xfa = true
proprietary_codecs = true
use_goma = true
is_debug = false
is_asan = true
optimize_for_fuzzing = true

2. Run it on the attached input (ffs-picture-playback)

filter_fuzz_stub will also crash on the attached input if built with no sanitizers at all.

Here is the stack trace I get from running an ASAN build of filter_fuzz_stub on the input:

$ ./out/skia/filter_fuzz_stub ffs-picture-playback 
[1208/095536.167358:INFO:filter_fuzz_stub.cc(61)] Test case: ffs-picture-playback
AddressSanitizer:DEADLYSIGNAL
=================================================================
==94355==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000adf2f4 bp 0x7ffcf7f64d70 sp 0x7ffcf7f64c80 T0)
==94355==The signal is caused by a READ memory access.
==94355==Hint: address points to the zero page.
    #0 0xadf2f3 in size third_party/skia/include/core/SkData.h:27:34
    #1 0xadf2f3 in SkPicturePlayback::draw(SkCanvas*, SkPicture::AbortCallback*, SkReadBuffer*) third_party/skia/src/core/SkPicturePlayback.cpp:93
    #2 0xac4c9b in Forwardport third_party/skia/src/core/SkPicture.cpp:129:14
    #3 0xac4c9b in SkPicture::MakeFromBuffer(SkReadBuffer&) third_party/skia/src/core/SkPicture.cpp:192
    #4 0xde514a in SkPictureImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPictureImageFilter.cpp:63:23
    #5 0xb08424 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:446:15
    #6 0x9fcaa1 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:145:40
    #7 0x9fcd69 in SkValidatingDeserializeImageFilter(void const*, unsigned long) third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
    #8 0x5d73c0 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
    #9 0x5d73c0 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #10 0x5d73c0 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #11 0x7f246c631f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/include/core/SkData.h:27:34 in size
==94355==ABORTING


 
Attachment: ffs-picture-playback (100 bytes)

Comment 1 by ClusterFuzz (Project Member), Dec 8 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5820331758714880.

Comment 2 by ClusterFuzz (Project Member), Dec 9 2017

Labels: Security_Impact-Head
Detailed report: https://clusterfuzz.com/testcase?key=5820331758714880

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  SkPicturePlayback::draw
  SkPicture::MakeFromBuffer
  SkPictureImageFilter::CreateProc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5820331758714880

See https://github.com/google/clusterfuzz-tools for more information.

Comment 3 by ClusterFuzz (Project Member), Jan 4 2018

ClusterFuzz has detected this issue as fixed in range 526815:526830.

Detailed report: https://clusterfuzz.com/testcase?key=5820331758714880

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  SkPicturePlayback::draw
  SkPicture::MakeFromBuffer
  SkPictureImageFilter::CreateProc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=526815:526830

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5820331758714880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz (Project Member), Jan 4 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 5820331758714880 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: kjlubick@chromium.org kjlubick@google.com
