Security: Use-of-uninitialized-value in SkReadBuffer.h (filter_fuzz_stub) |
|||||||||
Issue description
Sadly the stacktrace for this crash isn't very helpful.
It claims that there is a use of an uninitialized value on third_party/skia/src/core/SkReadBuffer.h:215:13.
However the value that is accessed there, isValid is a functon parameter.
I think the real bug is that fBitmapImageCount is not set before being used in getBitmapAsImage.
This bug was found by skia_image_filter_proto_fuzzer (filter_proto_fuzzer).
REPRODUCTION CASE
1. Build filter_fuzz_stub using the following options:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_msan = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
use_goma = true
is_debug = false
optimize_for_fuzzing = true
2. Run it on the attached input (ffs-validate):
$ ./out/skmsan/filter_fuzz_stub ffs-validate
[0123/193045.462740:INFO:filter_fuzz_stub.cc(60)] Test case: ffs-validate
==157502==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x127565c in validate third_party/skia/src/core/SkReadBuffer.h:215:13
#1 0x127565c in validateIndex third_party/skia/src/core/SkReadBuffer.h:222
#2 0x127565c in getBitmapAsImage third_party/skia/src/core/SkPictureData.h:100
#3 0x127565c in SkPicturePlayback::handleOp(SkReadBuffer*, DrawType, unsigned int, SkCanvas*, SkMatrix const&) third_party/skia/src/core/SkPicturePlayback.cpp:289
#4 0x126481f in SkPicturePlayback::draw(SkCanvas*, SkPicture::AbortCallback*, SkReadBuffer*) third_party/skia/src/core/SkPicturePlayback.cpp:136:15
#5 0x12541c5 in Forwardport third_party/skia/src/core/SkPicture.cpp:137:14
#6 0x12541c5 in SkPicture::MakeFromBuffer(SkReadBuffer&) third_party/skia/src/core/SkPicture.cpp:218
#7 0x1438a83 in SkPictureImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPictureImageFilter.cpp:60:19
#8 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#9 0xa7192d in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:141:35
#10 0xa7192d in readImageFilter third_party/skia/src/core/SkReadBuffer.h:145
#11 0xa7192d in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:129
#12 0x1397c4b in SkComposeImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkComposeImageFilter.cpp:85:5
#13 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#14 0xa7192d in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:141:35
#15 0xa7192d in readImageFilter third_party/skia/src/core/SkReadBuffer.h:145
#16 0xa7192d in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:129
#17 0x1397c4b in SkComposeImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkComposeImageFilter.cpp:85:5
#18 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#19 0xa65050 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:163:40
#20 0x4965eb in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
#21 0x4965eb in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:32
#22 0x4965eb in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
#23 0x4965eb in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:86
#24 0x7f312b4e62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#25 0x424fd9 in _start (/usr/local/google/home/metzman/chromium1/src/out/skmsan/filter_fuzz_stub+0x424fd9)
Uninitialized value was created by a heap allocation
#0 0x494de9 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/msan/msan_new_delete.cc:45:35
#1 0x125efdd in SkPictureData::CreateFromBuffer(SkReadBuffer&, SkPictInfo const&) third_party/skia/src/core/SkPictureData.cpp:587:41
#2 0x125406d in SkPicture::MakeFromBuffer(SkReadBuffer&) third_party/skia/src/core/SkPicture.cpp:217:40
#3 0x1438a83 in SkPictureImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkPictureImageFilter.cpp:60:19
#4 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#5 0xa7192d in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:141:35
#6 0xa7192d in readImageFilter third_party/skia/src/core/SkReadBuffer.h:145
#7 0xa7192d in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:129
#8 0x1397c4b in SkComposeImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkComposeImageFilter.cpp:85:5
#9 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#10 0xa7192d in readFlattenable<SkImageFilter> third_party/skia/src/core/SkReadBuffer.h:141:35
#11 0xa7192d in readImageFilter third_party/skia/src/core/SkReadBuffer.h:145
#12 0xa7192d in SkImageFilter::Common::unflatten(SkReadBuffer&, int) third_party/skia/src/core/SkImageFilter.cpp:129
#13 0x1397c4b in SkComposeImageFilter::CreateProc(SkReadBuffer&) third_party/skia/src/effects/SkComposeImageFilter.cpp:85:5
#14 0xb75209 in SkReadBuffer::readFlattenable(SkFlattenable::Type) third_party/skia/src/core/SkReadBuffer.cpp:407:15
#15 0xa65050 in SkFlattenable::Deserialize(SkFlattenable::Type, void const*, unsigned long, SkDeserialProcs const*) third_party/skia/src/core/SkFlattenable.cpp:163:40
#16 0x4965eb in Deserialize third_party/skia/include/core/SkImageFilter.h:241:5
#17 0x4965eb in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:32
#18 0x4965eb in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
#19 0x4965eb in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:86
#20 0x7f312b4e62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/skia/src/core/SkReadBuffer.h:215:13 in validate
Exiting
,
Jan 24 2018
Detailed report: https://clusterfuzz.com/testcase?key=5244549667749888 Job Type: linux_msan_filter_fuzz_stub Crash Type: Use-of-uninitialized-value Crash Address: Crash State: SkPicturePlayback::handleOp SkPicturePlayback::draw SkPicture::MakeFromBuffer Sanitizer: memory (MSAN) Recommended Security Severity: Medium Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5244549667749888 See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 24 2018
Detailed report: https://clusterfuzz.com/testcase?key=5244549667749888 Job Type: linux_msan_filter_fuzz_stub Crash Type: Use-of-uninitialized-value Crash Address: Crash State: SkPicturePlayback::handleOp SkPicturePlayback::draw SkPicture::MakeFromBuffer Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=530505:530506 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5244549667749888 See https://github.com/google/clusterfuzz-tools for more information. The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.
,
Jan 24 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e6d77aa5c11391400c8b3ae3b21575617017fe44 (Remove guard flag for deserializing pictureimagefilters). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 531432:531434. Detailed report: https://clusterfuzz.com/testcase?key=5244549667749888 Job Type: linux_msan_filter_fuzz_stub Crash Type: Use-of-uninitialized-value Crash Address: Crash State: SkPicturePlayback::handleOp SkPicturePlayback::draw SkPicture::MakeFromBuffer Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=530505:530506 Fixed: https://clusterfuzz.com/revisions?job=linux_msan_filter_fuzz_stub&range=531432:531434 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5244549667749888 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 24 2018
ClusterFuzz testcase 5244549667749888 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 5 2018
,
Feb 8 2018
,
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28
|
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by metzman@chromium.org
, Jan 24 2018Labels: Security_Severity-Low OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows Pri-3
560 bytes
560 bytes View Download