Heap-buffer-overflow in SkMatrix::setRSXform
Reported by jonaluw...@gmail.com, Jan 2 2018
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36

Steps to reproduce the problem:
1. build https://chromium.googlesource.com/chromium/src/+/65.0.3298.3
2. run ./filter_fuzz_stub path/to/poc

What is the expected behavior?
filter_fuzz_stub will be crashed by ASan and report a heap-buffer-overflow

What went wrong?

[0102/124331.941209:INFO:filter_fuzz_stub.cc(61)] Test case: path/to/poc
[0102/124331.941681:INFO:filter_fuzz_stub.cc(38)] Valid stream detected.
=================================================================
==17984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000dc0 at pc 0x00000086a53d bp 0x7fff8c032480 sp 0x7fff8c032478
READ of size 4 at 0x611000000dc0 thread T0
    #0 0x86a53c in SkMatrix::setRSXform(SkRSXform const&) src/third_party/skia/src/core/SkMatrix.cpp:447:29
    #1 0x83aeef in SkBaseDevice::drawTextRSXform(void const*, unsigned long, SkRSXform const*, SkPaint const&) src/third_party/skia/src/core/SkDevice.cpp:497:16
    #2 0x7fada5 in SkCanvas::onDrawTextRSXform(void const*, unsigned long, SkRSXform const*, SkRect const*, SkPaint const&) src/third_party/skia/src/core/SkCanvas.cpp:2524:23
    #3 0x7fd313 in SkCanvas::drawTextRSXform(void const*, unsigned long, SkRSXform const*, SkRect const*, SkPaint const&) src/third_party/skia/src/core/SkCanvas.cpp:2603:15
    #4 0x8f419c in draw<SkRecords::DrawTextRSXform> src/third_party/skia/src/core/SkRecordDraw.cpp:126:1
    #5 0x8f419c in operator()<SkRecords::DrawTextRSXform> src/third_party/skia/src/core/SkRecordDraw.h:62
    #6 0x8f419c in decltype ({parm#1}((SkRecords::NoOp)())) SkRecord::Record::visit<SkRecords::Draw&>(SkRecords::Draw&) const src/third_party/skia/src/core/SkRecord.h:165
    #7 0x8f1faa in visit<SkRecords::Draw &> src/third_party/skia/src/core/SkRecord.h:42:28
    #8 0x8f1faa in SkRecordDraw(SkRecord const&, SkCanvas*, SkPicture const* const*, SkDrawable* const*, int, SkBBoxHierarchy const*, SkPicture::AbortCallback*) src/third_party/skia/src/core/SkRecordDraw.cpp:52
    #9 0xe8f36b in SkBigPicture::playback(SkCanvas*, SkPicture::AbortCallback*) const src/third_party/skia/src/core/SkBigPicture.cpp:33:5
    #10 0x801540 in SkCanvas::onDrawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2824:14
    #11 0x800d72 in SkCanvas::drawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2804:15
    #12 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2132:15
    #13 0x1036717 in drawPicture src/third_party/skia/include/core/SkCanvas.h:2144
    #14 0x1036717 in SkPictureImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkPictureImageFilter.cpp:126
    #15 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #16 0x85cad7 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:512:41
    #17 0x1031444 in SkOffsetImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkOffsetImageFilter.cpp:39:39
    #18 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #19 0x85cad7 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:512:41
    #20 0x1031444 in SkOffsetImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/effects/SkOffsetImageFilter.cpp:39:39
    #21 0x8577a7 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const src/third_party/skia/src/core/SkImageFilter.cpp:213:40
    #22 0xe99503 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) src/third_party/skia/src/core/SkBitmapDevice.cpp:421:33
    #23 0x7f4f98 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:2298:27
    #24 0x7e9e1f in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) src/third_party/skia/src/core/SkCanvas.cpp:1831:11
    #25 0x4f17bf in RunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:48:13
    #26 0x4f17bf in ReadAndRunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #27 0x4f17bf in main src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #28 0x7f9a2794482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

0x611000000dc0 is located 0 bytes to the right of 256-byte region [0x611000000cc0,0x611000000dc0)
allocated by thread T0 here:
    #0 0x4ee0a2 in operator new[](unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0x851151 in SkArenaAlloc::ensureSpace(unsigned int, unsigned int) src/third_party/skia/src/core/SkArenaAlloc.cpp:141:22
    #2 0x9197da in allocObject src/third_party/skia/src/core/SkArenaAlloc.h:165:19
    #3 0x9197da in commonArrayAlloc<RawBytes> src/third_party/skia/src/core/SkArenaAlloc.h:181
    #4 0x9197da in makeArrayDefault<RawBytes> src/third_party/skia/src/core/SkArenaAlloc.h:118
    #5 0x9197da in alloc<SkRecords::SaveLayer> src/third_party/skia/src/core/SkRecord.h:62
    #6 0x9197da in allocCommand<SkRecords::SaveLayer> src/third_party/skia/src/core/SkRecord.h:138
    #7 0x9197da in append<SkRecords::SaveLayer> src/third_party/skia/src/core/SkRecord.h:72
    #8 0x9197da in SkRecorder::getSaveLayerStrategy(SkCanvas::SaveLayerRec const&) src/third_party/skia/src/core/SkRecorder.cpp:359
    #9 0x7db43b in SkCanvas::saveLayer(SkCanvas::SaveLayerRec const&) src/third_party/skia/src/core/SkCanvas.cpp:1007:40
    #10 0xf32c3c in SkPicturePlayback::handleOp(SkReadBuffer*, DrawType, unsigned int, SkCanvas*, SkMatrix const&) src/third_party/skia/src/core/SkPicturePlayback.cpp:759:21
    #11 0xf2dc0b in SkPicturePlayback::draw(SkCanvas*, SkPicture::AbortCallback*, SkReadBuffer*) src/third_party/skia/src/core/SkPicturePlayback.cpp:116:15
    #12 0xf240ac in Forwardport src/third_party/skia/src/core/SkPicture.cpp:141:14
    #13 0xf240ac in SkPicture::MakeFromBuffer(SkReadBuffer&) src/third_party/skia/src/core/SkPicture.cpp:233
    #14 0x103577a in SkPictureImageFilter::CreateProc(SkReadBuffer&) src/third_party/skia/src/effects/SkPictureImageFilter.cpp:63:23
    #15 0x8eea25 in SkReadBuffer::readFlattenable(SkFlattenable::Type) src/third_party/skia/src/core/SkReadBuffer.cpp:443:15
    #16 0x85662e in readFlattenable<SkImageFilter> src/third_party/skia/src/core/SkReadBuffer.h:149:35
    #17 0x85662e in readImageFilter src/third_party/skia/src/core/SkReadBuffer.h:153
    #18 0x85662e in SkImageFilter::Common::unflatten(SkReadBuffer&, int) src/third_party/skia/src/core/SkImageFilter.cpp:130
    #19 0x1032cc2 in SkOffsetImageFilter::CreateProc(SkReadBuffer&) src/third_party/skia/src/effects/SkOffsetImageFilter.cpp:110:5
    #20 0x8eea25 in SkReadBuffer::readFlattenable(SkFlattenable::Type) src/third_party/skia/src/core/SkReadBuffer.cpp:443:15
    #21 0x85662e in readFlattenable<SkImageFilter> src/third_party/skia/src/core/SkReadBuffer.h:149:35
    #22 0x85662e in readImageFilter src/third_party/skia/src/core/SkReadBuffer.h:153
    #23 0x85662e in SkImageFilter::Common::unflatten(SkReadBuffer&, int) src/third_party/skia/src/core/SkImageFilter.cpp:130
    #24 0x1032cc2 in SkOffsetImageFilter::CreateProc(SkReadBuffer&) src/third_party/skia/src/effects/SkOffsetImageFilter.cpp:110:5
    #25 0x8eea25 in SkReadBuffer::readFlattenable(SkFlattenable::Type) src/third_party/skia/src/core/SkReadBuffer.cpp:443:15
    #26 0x851baf in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) src/third_party/skia/src/core/SkFlattenable.cpp:145:40
    #27 0x851e2f in SkValidatingDeserializeImageFilter(void const*, unsigned long) src/third_party/skia/src/core/SkFlattenableSerialization.cpp:22:17
    #28 0x4f1590 in RunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:33:38
    #29 0x4f1590 in ReadAndRunTestCase src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:67
    #30 0x4f1590 in main src/skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:87
    #31 0x7f9a2794482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow src/third_party/skia/src/core/SkMatrix.cpp:447:29 in SkMatrix::setRSXform(SkRSXform const&)
==17984==ABORTING

Did this work before? N/A
Chrome version: 65.0.3298.3
Channel: dev
OS Version: Ubuntu 16.04.3 LTS x86_64
Flash Version:

In my test, it can be reproduced at master with skia@adc78d5 too. I will update root cause analysis asap.
Jan 2 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6195499685380096.
Jan 2 2018
Detailed report: https://clusterfuzz.com/testcase?key=6195499685380096
Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x612000001080
Crash State:
  SkMatrix::setRSXform
  SkBaseDevice::drawTextRSXform
  SkCanvas::onDrawTextRSXform
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195499685380096

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.
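The "Crash State" ClusterFuzz reports above is derived from the top frames of the faulting stack in the ASan report quoted in the issue description. The following triage helper is an added example, not code from the bug tracker, ClusterFuzz or Skia: it parses an abbreviated, constructed excerpt of that report into the crash type, access kind and size, the overflow distance from the 256-byte arena region, the faulting and allocating frames, and the three-frame crash state a triager would use to deduplicate against the report.

```python
import re

# Constructed excerpt of the ASan report quoted in the issue description (frames abbreviated).
ASAN_REPORT = """\
==17984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000dc0 at pc 0x00000086a53d bp 0x7fff8c032480 sp 0x7fff8c032478
READ of size 4 at 0x611000000dc0 thread T0
    #0 0x86a53c in SkMatrix::setRSXform(SkRSXform const&) src/third_party/skia/src/core/SkMatrix.cpp:447:29
    #1 0x83aeef in SkBaseDevice::drawTextRSXform(void const*, unsigned long, SkRSXform const*, SkPaint const&) src/third_party/skia/src/core/SkDevice.cpp:497:16
    #2 0x7fada5 in SkCanvas::onDrawTextRSXform(void const*, unsigned long, SkRSXform const*, SkRect const*, SkPaint const&) src/third_party/skia/src/core/SkCanvas.cpp:2524:23
    #3 0x7fd313 in SkCanvas::drawTextRSXform(void const*, unsigned long, SkRSXform const*, SkRect const*, SkPaint const&) src/third_party/skia/src/core/SkCanvas.cpp:2603:15
0x611000000dc0 is located 0 bytes to the right of 256-byte region [0x611000000cc0,0x611000000dc0)
allocated by thread T0 here:
    #0 0x4ee0a2 in operator new[](unsigned long) asan_new_delete.cc:95:3
    #1 0x851151 in SkArenaAlloc::ensureSpace(unsigned int, unsigned int) src/third_party/skia/src/core/SkArenaAlloc.cpp:141:22
SUMMARY: AddressSanitizer: heap-buffer-overflow src/third_party/skia/src/core/SkMatrix.cpp:447:29 in SkMatrix::setRSXform(SkRSXform const&)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
# A frame is "#N 0xADDR in <symbol, may contain spaces> <file:line[:col]>"; the location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*)\s+(\S+)$")

def symbol_name(symbol):
    """Drop the parameter list so frames compare by function, e.g. 'SkMatrix::setRSXform'."""
    return symbol.split("(", 1)[0].strip()

def parse_asan_report(text):
    report = {"crash_stack": [], "alloc_stack": []}
    current = "crash_stack"  # frames before "allocated by" belong to the faulting access
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            report.update(pid=int(m.group(1)), crash_type=m.group(2), address=m.group(3))
        elif m := ACCESS_RE.match(line):
            report.update(access=m.group(1), size=int(m.group(2)))
        elif m := REGION_RE.search(line):
            report.update(distance=int(m.group(1)), side=m.group(2), region_size=int(m.group(3)))
        elif line.startswith("allocated by"):
            current = "alloc_stack"
        elif m := FRAME_RE.match(line):
            report[current].append((symbol_name(m.group(2)), m.group(3)))
    # ClusterFuzz-style crash state: the top three frames of the faulting stack, by function name.
    report["crash_state"] = [name for name, _ in report["crash_stack"][:3]]
    return report

if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(r["crash_type"], r["access"], r["size"], "bytes,", r["distance"], "past a", r["region_size"], "byte region")
    print("crash state:", " / ".join(r["crash_state"]), "| allocated via", r["alloc_stack"][-1][0])
```

The parsed crash state matches the three lines ClusterFuzz lists, which is how a triager confirms a locally reproduced crash is the same bug as the tracked testcase.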
Jan 3 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 4 2018
ClusterFuzz has detected this issue as fixed in range 526815:526830.

Detailed report: https://clusterfuzz.com/testcase?key=6195499685380096
Job Type: linux_asan_filter_fuzz_stub
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x612000001080
Crash State:
  SkMatrix::setRSXform
  SkBaseDevice::drawTextRSXform
  SkCanvas::onDrawTextRSXform
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=522280:522288
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=526815:526830
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195499685380096

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 4 2018
ClusterFuzz testcase 6195499685380096 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by elawrence@chromium.org, Jan 2 2018