
Issue 798080

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 798066
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in RowIter::next()

Reported by jonaluw...@gmail.com, Dec 29 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

Steps to reproduce the problem:
1. build https://chromium.googlesource.com/chromium/src/+/65.0.3298.3
2. run ./filter_fuzz_stub path/to/poc

What is the expected behavior?
Crashed by ASan and reported a heap-buffer-overflow.

What went wrong?
[1229/201644.042049:INFO:filter_fuzz_stub.cc(61)] Test case: /path/to/poc
[1229/201644.042389:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
=================================================================
==19850==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000068a at pc 0x000000e86afc bp 0x7ffcf5b8ce70 sp 0x7ffcf5b8ce68
READ of size 1 at 0x60300000068a thread T0
    #0 0xe86afb in next src/third_party/skia/src/core/SkAAClip.cpp:1507:27
    #1 0xe86afb in adjust_row src/third_party/skia/src/core/SkAAClip.cpp:1525
    #2 0xe86afb in operatorX src/third_party/skia/src/core/SkAAClip.cpp:1599
    #3 0xe86afb in operateY src/third_party/skia/src/core/SkAAClip.cpp:1676
    #4 0xe86afb in SkAAClip::op(SkAAClip const&, SkAAClip const&, SkRegion::Op) src/third_party/skia/src/core/SkAAClip.cpp:1743
    #5 0xe87134 in SkAAClip::op(SkIRect const&, SkRegion::Op) src/third_party/skia/src/core/SkAAClip.cpp:1787:18
    #6 0x8e4225 in SkRasterClip::op(SkIRect const&, SkRegion::Op) src/third_party/skia/src/core/SkRasterClip.cpp:308:36
    #7 0xe9c0c0 in trimIfExpanding src/third_party/skia/src/core/SkRasterClipStack.h:168:21
    #8 0xe9c0c0 in clipRegion src/third_party/skia/src/core/SkRasterClipStack.h:121
    #9 0xe9c0c0 in SkBitmapDevice::onClipRegion(SkRegion const&, SkClipOp) src/third_party/skia/src/core/SkBitmapDevice.cpp:564
    #10 0x7e3bbe in clipRegion src/third_party/skia/src/core/SkDevice.h:116:15
    #11 0x7e3bbe in SkCanvas::onClipRegion(SkRegion const&, SkClipOp) src/third_party/skia/src/core/SkCanvas.cpp:1496
    #12 0x8f3ea2 in draw<SkRecords::ClipRegion> src/third_party/skia/src/core/SkRecordDraw.cpp:92:1
    #13 0x8f3ea2 in operator()<SkRecords::ClipRegion> src/third_party/skia/src/core/SkRecordDraw.h:62
    #14 0x8f3ea2 in decltype ({parm#1}((SkRecords::NoOp)())) SkRecord::Record::visit<SkRecords::Draw&>(SkRecords::Draw&) const src/third_party/skia/src/core/SkRecord.h:165
    #15 0x8f1faa in visit<SkRecords::Draw &> src/third_party/skia/src/core/SkRecord.h:42:28
    #16 0x8f1faa in SkRecordDraw(SkRecord const&, SkCanvas*, SkPicture const* const*, SkDrawable* const*, int, SkBBoxHierarchy const*, SkPicture::AbortCallback*) src/third_party/skia/src/core/SkRecordDraw.cpp:52
    #17 0xe8f36b in SkBigPicture::playback(SkCanvas*, SkPicture::AbortCallback*) const src/third_party/skia/src/core/SkBigPicture.cpp:33:5
    #18 0x801540 in SkCanvas::onDrawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2824:14
    #19 0x800d72 in SkCanvas::drawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2804:15
    #20 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2132:15
    #21 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2144
    #22 0x1036717 in SkPictureImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkPictureImageFilter.cpp:126
    #23 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #24 0x85cad7 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:512:41
    #25 0x1017d15 in SkMatrixConvolutionImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:290:39
    #26 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #27 0xe99503 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) src/third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #28 0x7ddc4d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) src/third_party/skia/src/core/SkCanvas.cpp:1313:25
    #29 0x7d9b28 in SkCanvas::internalRestore() src/third_party/skia/src/core/SkCanvas.cpp:1201:19
    #30 0x7f5138 in ~AutoDrawLooper src/third_party/skia/src/core/SkCanvas.cpp:495:22
    #31 0x7f5138 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2308
    #32 0x7e9e1f in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:1831:11
    #33 0x4f17bf in RunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #34 0x4f17bf in ReadAndRunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #35 0x4f17bf in main src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #36 0x7fa34605d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
0x60300000068a is located 0 bytes to the right of 26-byte region [0x603000000670,0x60300000068a)
allocated by thread T0 here:
    #0 0x4c3fe3 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7c02fd in sk_malloc_throw(unsigned long) src/skia/ext/SkMemory_new_handler.cpp:64:66
    #2 0xe80ddf in Alloc src/third_party/skia/src/core/SkAAClip.cpp:77:35
    #3 0xe80ddf in AllocRect src/third_party/skia/src/core/SkAAClip.cpp:99
    #4 0xe80ddf in SkAAClip::setRect(SkIRect const&) src/third_party/skia/src/core/SkAAClip.cpp:721
    #5 0xe82a79 in SkAAClip::setRegion(SkRegion const&) src/third_party/skia/src/core/SkAAClip.cpp:788:22
    #6 0x8e4353 in SkRasterClip::op(SkRegion const&, SkRegion::Op) src/third_party/skia/src/core/SkRasterClip.cpp:319:13
    #7 0xe9c091 in clipRegion src/third_party/skia/src/core/SkRasterClipStack.h:120:29
    #8 0xe9c091 in SkBitmapDevice::onClipRegion(SkRegion const&, SkClipOp) src/third_party/skia/src/core/SkBitmapDevice.cpp:564
    #9 0x7e3bbe in clipRegion src/third_party/skia/src/core/SkDevice.h:116:15
    #10 0x7e3bbe in SkCanvas::onClipRegion(SkRegion const&, SkClipOp) src/third_party/skia/src/core/SkCanvas.cpp:1496
    #11 0x8f3ea2 in draw<SkRecords::ClipRegion> src/third_party/skia/src/core/SkRecordDraw.cpp:92:1
    #12 0x8f3ea2 in operator()<SkRecords::ClipRegion> src/third_party/skia/src/core/SkRecordDraw.h:62
    #13 0x8f3ea2 in decltype ({parm#1}((SkRecords::NoOp)())) SkRecord::Record::visit<SkRecords::Draw&>(SkRecords::Draw&) const src/third_party/skia/src/core/SkRecord.h:165
    #14 0x8f1faa in visit<SkRecords::Draw &> src/third_party/skia/src/core/SkRecord.h:42:28
    #15 0x8f1faa in SkRecordDraw(SkRecord const&, SkCanvas*, SkPicture const* const*, SkDrawable* const*, int, SkBBoxHierarchy const*, SkPicture::AbortCallback*) src/third_party/skia/src/core/SkRecordDraw.cpp:52
    #16 0xe8f36b in SkBigPicture::playback(SkCanvas*, SkPicture::AbortCallback*) const src/third_party/skia/src/core/SkBigPicture.cpp:33:5
    #17 0x801540 in SkCanvas::onDrawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2824:14
    #18 0x800d72 in SkCanvas::drawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2804:15
    #19 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2132:15
    #20 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2144
    #21 0x1036717 in SkPictureImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkPictureImageFilter.cpp:126
    #22 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #23 0x85cad7 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:512:41
    #24 0x1017d15 in SkMatrixConvolutionImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkMatrixConvolutionImageFilter.cpp:290:39
    #25 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #26 0xe99503 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) src/third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #27 0x7ddc4d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) src/third_party/skia/src/core/SkCanvas.cpp:1313:25
    #28 0x7d9b28 in SkCanvas::internalRestore() src/third_party/skia/src/core/SkCanvas.cpp:1201:19
    #29 0x7f5138 in ~AutoDrawLooper src/third_party/skia/src/core/SkCanvas.cpp:495:22
    #30 0x7f5138 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2308
    #31 0x7e9e1f in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:1831:11
    #32 0x4f17bf in RunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #33 0x4f17bf in ReadAndRunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #34 0x4f17bf in main src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #35 0x7fa34605d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow src/third_party/skia/src/core/SkAAClip.cpp:1507:27 in next
Shadow bytes around the buggy address:
  0x0c067fff8080: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8090: fa fa fd fd fd fd fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff80a0: 04 fa fa fa 00 00 04 fa fa fa fd fd fd fd fa fa
  0x0c067fff80b0: fd fd fd fa fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff80c0: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa 00 00
=>0x0c067fff80d0: 00[02]fa fa 00 00 00 02 fa fa fa fa fa fa fa fa
  0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19850==ABORTING

Did this work before? N/A 

Chrome version: 65.0.3298.3  Channel: dev
OS Version: Ubuntu 16.04.3 X64
Flash Version: 

I will update root cause analysis asap.

Attachment: poc_id_000472_SkAAClip_cpp (744 bytes)

Comment 1 by cthomp@chromium.org, Dec 29 2017

Components: Internals>Skia

Comment 2 by ClusterFuzz, Dec 31 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5275849208365056.

Comment 3 by ClusterFuzz, Jan 1 2018

Labels: Security_Severity-Medium Security_Impact-Head
Detailed report: https://clusterfuzz.com/testcase?key=5275849208365056

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60a00000171a
Crash State:
  SkAAClip::op
  SkAAClip::op
  SkRasterClip::op
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5275849208365056

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.


Comment 4 by sheriffbot@chromium.org, Jan 1 2018

Labels: M-65

Comment 5 by sheriffbot@chromium.org, Jan 1 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by sheriffbot@chromium.org, Jan 1 2018

Labels: -Pri-2 Pri-1
Mergedinto: 798066
Status: Duplicate (was: Unconfirmed)
This looks like a duplicate of issue 798066, which was reported earlier.

Comment 8 by ClusterFuzz, Jan 4 2018

ClusterFuzz has detected this issue as fixed in range 526815:526830.

Detailed report: https://clusterfuzz.com/testcase?key=5275849208365056

Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60a00000171a
Crash State:
  SkAAClip::op
  SkAAClip::op
  SkRasterClip::op
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=526815:526830

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5275849208365056

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: kjlubick@chromium.org kjlubick@google.com

Comment 10 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Stable

Comment 11 by sheriffbot@chromium.org, Apr 13 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot