Issue metadata
Out of bound read in filter_fuzz_stub
Reported by
jonaluw...@gmail.com,
Dec 19 2017
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. build https://chromium.googlesource.com/chromium/src/+/65.0.3294.5
2. run ./filter_fuzz_stub path/to/poc

What is the expected behavior?
crashed by asan and report heap-buffer-overflow

What went wrong?
I will update root cause analysis asap.

Did this work before? N/A

Does this work in other browsers? N/A

Chrome version: 65.0.3294.5  Channel: dev
OS Version: ubuntu 16.04.3 x64
Flash Version: 28.0.0.126

[1219/180554.251616:INFO:filter_fuzz_stub.cc(61)] Test case: path/to/poc
[1219/180554.251929:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
=================================================================
==15898==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000f00 at pc 0x000000971104 bp 0x7ffea55374e0 sp 0x7ffea55374d8
READ of size 1 at 0x611000000f00 thread T0
    #0 0x971103 in _Z18SkUTF8_NextUnicharPPKc /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkUtils.cpp:177:29
    #1 0x8a6990 in _ZL23sk_getMetrics_utf8_nextP12SkGlyphCachePPKc /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPaint.cpp:568:37
    #2 0x8aa4bd in _ZN16SkTextToPathIter4nextEPPK6SkPathPf /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPaint.cpp:2270:32
    #3 0x845b20 in _ZNK6SkDraw16drawText_asPathsEPKcmffRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkDraw.cpp:1384:17
    #4 0x845e17 in _ZNK6SkDraw8drawTextEPKcmffRK7SkPaintPK14SkSurfaceProps /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkDraw.cpp:1539:15
    #5 0xe95fb0 in _ZN14SkBitmapDevice8drawTextEPKvmffRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkBitmapDevice.cpp:358:18
    #6 0x7f8175 in _ZN8SkCanvas10onDrawTextEPKvmffRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:2466:23
    #7 0x7fb049 in _ZN8SkCanvas8drawTextEPKvmffRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:2571:15
    #8 0x8f3372 in draw<SkRecords::DrawText> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecordDraw.cpp:123:1
    #9 0x8f3372 in operator()<SkRecords::DrawText> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecordDraw.h:62:0
    #10 0x8f3372 in _ZNK8SkRecord6Record5visitIRN9SkRecords4DrawEEEDTclfp_cvNS2_4NoOpE_EEEOT_ /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecord.h:165:0
    #11 0x8f109a in visit<SkRecords::Draw &> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecord.h:42:28
    #12 0x8f109a in _Z12SkRecordDrawRK8SkRecordP8SkCanvasPKPK9SkPicturePKP10SkDrawableiPK15SkBBoxHierarchyPNS4_13AbortCallbackE /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecordDraw.cpp:52:0
    #13 0xe8cdab in _ZNK12SkBigPicture8playbackEP8SkCanvasPN9SkPicture13AbortCallbackE /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkBigPicture.cpp:33:5
    #14 0x8004e0 in _ZN8SkCanvas13onDrawPictureEPK9SkPicturePK8SkMatrixPK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:2824:14
    #15 0x7ffd12 in _ZN8SkCanvas11drawPictureEPK9SkPicturePK8SkMatrixPK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:2804:15
    #16 0x1033c77 in drawPicture /media/eins/Repo/chrome_all/test/../src/third_party/skia/include/core/SkCanvas.h:2132:15
    #17 0x1033c77 in drawPicture /media/eins/Repo/chrome_all/test/../src/third_party/skia/include/core/SkCanvas.h:2144:0
    #18 0x1033c77 in _ZNK20SkPictureImageFilter13onFilterImageEP14SkSpecialImageRKN13SkImageFilter7ContextEP8SkIPoint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/effects/SkPictureImageFilter.cpp:126:0
    #19 0x8565f7 in _ZNK13SkImageFilter11filterImageEP14SkSpecialImageRKNS_7ContextEP8SkIPoint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #20 0xe96f43 in _ZN14SkBitmapDevice11drawSpecialEP14SkSpecialImageiiRK7SkPaintP7SkImageRK8SkMatrix /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #21 0x7f3f38 in _ZN8SkCanvas12onDrawBitmapERK8SkBitmapffPK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:2298:27
    #22 0x7e8dbf in _ZN8SkCanvas10drawBitmapERK8SkBitmapffPK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:1831:11
    #23 0x4f16df in RunTestCase /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #24 0x4f16df in ReadAndRunTestCase /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:0
    #25 0x4f16df in main /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:0
    #26 0x7fee3154b82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291:0

0x611000000f00 is located 0 bytes to the right of 256-byte region [0x611000000e00,0x611000000f00)
allocated by thread T0 here:
    #0 0x4edfc2 in _Znam _asan_rtl_:3
    #1 0x84ffa1 in _ZN12SkArenaAlloc11ensureSpaceEjj /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkArenaAlloc.cpp:141:22
    #2 0x9097fa in allocObject /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkArenaAlloc.h:165:19
    #3 0x9097fa in commonArrayAlloc<RawBytes> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkArenaAlloc.h:181:0
    #4 0x9097fa in makeArrayDefault<RawBytes> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkArenaAlloc.h:118:0
    #5 0x9097fa in alloc<SkRecords::DrawOval> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecord.h:62:0
    #6 0x9097fa in allocCommand<SkRecords::DrawOval> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecord.h:138:0
    #7 0x9097fa in append<SkRecords::DrawOval> /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecord.h:72:0
    #8 0x9097fa in _ZN10SkRecorder10onDrawOvalERK6SkRectRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkRecorder.cpp:153:0
    #9 0x7e57d6 in _ZN8SkCanvas8drawOvalERK6SkRectRK7SkPaint /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkCanvas.cpp:1730:11
    #10 0xf2ecbb in _ZN17SkPicturePlayback8handleOpEP12SkReadBuffer8DrawTypejP8SkCanvasRK8SkMatrix /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPicturePlayback.cpp:403:25
    #11 0xf2b40b in _ZN17SkPicturePlayback4drawEP8SkCanvasPN9SkPicture13AbortCallbackEP12SkReadBuffer /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPicturePlayback.cpp:116:15
    #12 0xf2193c in Forwardport /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPicture.cpp:142:14
    #13 0xf2193c in _ZN9SkPicture14MakeFromBufferER12SkReadBuffer /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkPicture.cpp:239:0
    #14 0x1032cda in _ZN20SkPictureImageFilter10CreateProcER12SkReadBuffer /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/effects/SkPictureImageFilter.cpp:63:23
    #15 0x8edb15 in _ZN12SkReadBuffer15readFlattenableEN13SkFlattenable4TypeE /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkReadBuffer.cpp:444:15
    #16 0x8509ff in _ZN13SkFlattenable11DeserializeENS_4TypeEPKvmPK15SkDeserialProcs /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkFlattenable.cpp:145:40
    #17 0x850c7f in _Z34SkValidatingDeserializeImageFilterPKvm /media/eins/Repo/chrome_all/test/../src/third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
    #18 0x4f14b0 in RunTestCase /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
    #19 0x4f14b0 in ReadAndRunTestCase /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67:0
    #20 0x4f14b0 in main /media/eins/Repo/chrome_all/test/../src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87:0
    #21 0x7fee3154b82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291:0

SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/eins/Repo/chrome_all/test/filter_fuzz_stub+0x971103)
Shadow bytes around the buggy address:
  0x0c227fff8190: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff81b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c227fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff81e0:[fa]fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff81f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8200: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8220: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c227fff8230: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
== SIGABRT ==
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15898==ABORTING
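Editorial note with an added example; this is not code from the report, from Skia or from Chromium. The report gives no root cause yet, but the trace above does pin down the shape of the bug: a READ of size 1 in SkUTF8_NextUnichar landing exactly 0 bytes past the end of a 256-byte SkArenaAlloc block, reached while SkTextToPathIter steps through the text of a DrawText record played back from a picture that SkPictureImageFilter::CreateProc deserialized from the fuzzed stream. A one-byte read at precisely the end of a text buffer is the signature of a UTF-8 stepper that trusts the sequence length promised by a lead byte and is driven only by a `text < stop` loop: if the attacker-controlled record ends in the lead byte of a multi-byte sequence, the stepper walks past `stop`. Whether that is the actual defect in this PoC is not established by the report. The C below, written for this page with constructed sample inputs and hypothetical names (nothing here is a Skia API), shows a bounded stepper that takes the end pointer and rejects a truncated sequence instead of reading it, plus a walker that reports how far an unbounded stepper would have overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative code for this page, not Skia's SkUTF8_NextUnichar. */

/* Sequence length promised by a UTF-8 lead byte, or 0 for a byte that
 * cannot start a sequence (continuation byte 0x80..0xBF, or 0xF8..0xFF). */
int utf8_lead_len(uint8_t lead) {
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Bounded stepper: decode one code point from [*ptr, end). Returns the code
 * point and advances *ptr, or returns -1 and leaves *ptr alone when the
 * sequence is cut off by `end` or malformed. It never dereferences at or
 * past `end`, which is exactly the property an unbounded `*++p` loop lacks. */
int32_t utf8_next_bounded(const uint8_t **ptr, const uint8_t *end) {
    const uint8_t *p = *ptr;
    if (p >= end) return -1;
    int n = utf8_lead_len(*p);
    if (n == 0 || (size_t)(end - p) < (size_t)n) return -1;  /* stray byte or truncated */
    int32_t c = (n == 1) ? p[0]
              : (n == 2) ? (p[0] & 0x1F)
              : (n == 3) ? (p[0] & 0x0F)
              :            (p[0] & 0x07);
    for (int i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return -1;                /* not a continuation byte */
        c = (c << 6) | (p[i] & 0x3F);
    }
    *ptr = p + n;
    return c;
}

/* Walk `len` bytes the way a text-drawing loop does (while text < stop).
 * Returns the code point count, or -1 at the first bad sequence; *overrun is
 * then how many bytes past `stop` an unbounded stepper would have read. */
long count_unichars(const uint8_t *text, size_t len, size_t *overrun) {
    const uint8_t *p = text;
    const uint8_t *stop = text + len;
    long count = 0;
    *overrun = 0;
    while (p < stop) {
        int n = utf8_lead_len(*p);
        if (n != 0 && (size_t)(stop - p) < (size_t)n) {
            *overrun = (size_t)n - (size_t)(stop - p);
            return -1;
        }
        if (utf8_next_bounded(&p, stop) < 0) return -1;
        count++;
    }
    return count;
}

/* Constructed sample inputs for this example (not taken from the PoC). */
const uint8_t SAMPLE_OK[] = { 'h', 0xC3, 0xA9, 'l', 'l', 'o' };   /* "héllo" */
const size_t  SAMPLE_OK_LEN = sizeof SAMPLE_OK;
/* A declared byte length that cuts the 3-byte sequence E2 82 AC (U+20AC)
 * after two bytes: an unbounded stepper would read one byte past `stop`,
 * the same 1-byte, 0-bytes-past-the-end read the ASan report shows. */
const uint8_t SAMPLE_TRUNCATED[] = { 'a', 0xE2, 0x82 };
const size_t  SAMPLE_TRUNCATED_LEN = sizeof SAMPLE_TRUNCATED;

int main(void) {
    size_t overrun;
    long n = count_unichars(SAMPLE_OK, SAMPLE_OK_LEN, &overrun);
    printf("valid text: %ld code points\n", n);
    n = count_unichars(SAMPLE_TRUNCATED, SAMPLE_TRUNCATED_LEN, &overrun);
    printf("truncated text: rc=%ld, unbounded stepper would read %zu byte(s) past stop\n",
           n, overrun);
    return 0;
}
```

The walker deliberately checks the lead byte's promised length against `stop - p` before decoding, so the rejection happens on the declared length of the record rather than on the byte that would have been read out of bounds; a deserializer that accepts a byte length from an untrusted stream should apply the same check before any consumer steps through the text. Running the stub under AddressSanitizer, as the reporter did, remains the way to confirm a fix on the real PoC.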
Dec 20 2017
As this issue seems to be related to a build, which is out of scope for triaging by the ET team, adding the label TE-NeedsTriageHelp for further investigation. Thanks!
Dec 20 2017
Jan 22 2018
Mar 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by krajshree@chromium.org, Dec 19 2017