Security: Out-Of-Bounds READ Vulnerability in Skia
Reported by zhouzhen...@gmail.com, Apr 4 2018
Issue description

VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of filter_fuzz_stub.

VERSION
Chrome Version: 66.0.3359.66 beta
Operating System: Fedora 27 x86_64
https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-beta-66.0.3359.66.zip

REPRODUCTION CASE
./filter_fuzz_stub /tmp/SEGV-Load1.fil
[0404/110826.393282:INFO:filter_fuzz_stub.cc(60)] Test case: /tmp/SEGV-Load1.fil
[0404/110826.393997:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23271==ERROR: AddressSanitizer: SEGV on unknown address 0x7f219cbf677c (pc 0x0000007d1eeb bp 0x7ffce30f3350 sp 0x7ffce30f3350 T0)
==23271==The signal is caused by a READ memory access.
    #0 0x7d1eea in Load1 third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83
    #1 0x7d1eea in MapSrc<(lambda at ../../third_party/skia/src/opts/SkBlitRow_opts.h:36:36)> third_party/skia/src/core/Sk4px.h:125
    #2 0x7d1eea in sse2::blit_row_color32(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:36
    #3 0x8f8c81 in vertline third_party/skia/src/core/SkScan_Hairline.cpp:31:18
    #4 0x8f8c81 in SkScan::HairLineRgn(SkPoint const*, int, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan_Hairline.cpp:140
    #5 0x8fa7ad in void hair_path<(SkPaint::Cap)0>(SkPath const&, SkRasterClip const&, SkBlitter*, void (*)(SkPoint const*, int, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:551:17
    #6 0x719e30 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const third_party/skia/src/core/SkDraw.cpp:1028:9
    #7 0x71b77b in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const third_party/skia/src/core/SkDraw.cpp:1141:11
    #8 0x716ba5 in drawPath third_party/skia/src/core/SkDraw.h:58:15
    #9 0x716ba5 in SkDraw::drawPoints(SkCanvas::PointMode, unsigned long, SkPoint const*, SkPaint const&, SkBaseDevice*) const third_party/skia/src/core/SkDraw.cpp:663
    #10 0x651832 in SkBitmapDevice::drawPoints(SkCanvas::PointMode, unsigned long, SkPoint const*, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:195:18
    #11 0x6a08d4 in SkCanvas::onDrawPoints(SkCanvas::PointMode, unsigned long, SkPoint const*, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2004:23
    #12 0x6997e3 in SkCanvas::drawPoints(SkCanvas::PointMode, unsigned long, SkPoint const*, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1740:11
    #13 0x864c57 in draw<SkRecords::DrawPoints> third_party/skia/src/core/SkRecordDraw.cpp:117:1
    #14 0x864c57 in operator()<SkRecords::DrawPoints> third_party/skia/src/core/SkRecordDraw.h:62
    #15 0x864c57 in decltype ({parm#1}((SkRecords::NoOp)())) SkRecord::Record::visit<SkRecords::Draw&>(SkRecords::Draw&) const third_party/skia/src/core/SkRecord.h:165
    #16 0x862afa in visit<SkRecords::Draw &> third_party/skia/src/core/SkRecord.h:42:28
    #17 0x862afa in SkRecordDraw(SkRecord const&, SkCanvas*, SkPicture const* const*, SkDrawable* const*, int, SkBBoxHierarchy const*, SkPicture::AbortCallback*) third_party/skia/src/core/SkRecordDraw.cpp:52
    #18 0x644acb in SkBigPicture::playback(SkCanvas*, SkPicture::AbortCallback*) const third_party/skia/src/core/SkBigPicture.cpp:33:5
    #19 0x6b401d in SkCanvas::onDrawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2835:14
    #20 0x6b38df in SkCanvas::drawPicture(SkPicture const*, SkMatrix const*, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2815:15
    #21 0xb771ba in drawPicture third_party/skia/include/core/SkCanvas.h:2127:15
    #22 0xb771ba in drawPicture third_party/skia/include/core/SkCanvas.h:2139
    #23 0xb771ba in SkPictureImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPictureImageFilter.cpp:118
    #24 0x769a30 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:214:40
    #25 0x76ee00 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:513:41
    #26 0xb6192d in SkMergeImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkMergeImageFilter.cpp:47:27
    #27 0x769a30 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:214:40
    #28 0x76ee00 in SkImageFilter::filterInput(int, SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:513:41
    #29 0xb11f3b in SkColorFilterImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkColorFilterImageFilter.cpp:65:39
    #30 0x769a30 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:214:40
    #31 0x654e64 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:432:33
    #32 0x69099d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1310:25
    #33 0x68c500 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1198:19
    #34 0x6a7ec6 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:496:22
    #35 0x6a7ec6 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2318
    #36 0x69c913 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1838:11
    #37 0x633d78 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47:13
    #38 0x633d78 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
    #39 0x633d78 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:86
    #40 0x7f21a19dcf29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83 in Load1
==23271==ABORTING
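Triage of a report like the one above usually starts by reducing it to a few fields: the sanitizer's crash kind, whether the faulting access was a read or a write, the innermost source location, and a short "crash state" built from the top frames, which is what fuzzing infrastructure compares when it asks whether a new crash is a duplicate of an existing bug (the question raised in the comment below). The following helper is an added example written for this page, not code from the issue, Skia, or ClusterFuzz; it parses the AddressSanitizer text shown above (abridged to a handful of frames, copied verbatim) and a second, constructed report of the same crash from a hypothetical rebuild. The three-frame crash state and the list of runtime frame prefixes it ignores are simplifying assumptions modelled loosely on how fuzzing pipelines group crashes, not the exact rules any particular tool uses.

```python
import re

# Abridged copy of the AddressSanitizer report from the issue above
# (frames #6..#36 omitted); it is the input for the triage helpers below.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23271==ERROR: AddressSanitizer: SEGV on unknown address 0x7f219cbf677c (pc 0x0000007d1eeb bp 0x7ffce30f3350 sp 0x7ffce30f3350 T0)
==23271==The signal is caused by a READ memory access.
    #0 0x7d1eea in Load1 third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83
    #1 0x7d1eea in MapSrc<(lambda at ../../third_party/skia/src/opts/SkBlitRow_opts.h:36:36)> third_party/skia/src/core/Sk4px.h:125
    #2 0x7d1eea in sse2::blit_row_color32(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:36
    #3 0x8f8c81 in vertline third_party/skia/src/core/SkScan_Hairline.cpp:31:18
    #4 0x8f8c81 in SkScan::HairLineRgn(SkPoint const*, int, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan_Hairline.cpp:140
    #5 0x8fa7ad in void hair_path<(SkPaint::Cap)0>(SkPath const&, SkRasterClip const&, SkBlitter*, void (*)(SkPoint const*, int, SkRegion const*, SkBlitter*)) third_party/skia/src/core/SkScan_Hairline.cpp:551:17
    #37 0x633d78 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47:13
    #40 0x7f21a19dcf29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83 in Load1
==23271==ABORTING
"""

# Constructed (not from the issue): the same crash as it might look from another
# build, with different pid and addresses; only the signature should matter.
CONSTRUCTED_RERUN = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0000001000 (pc 0x000000400f00 bp 0x7ffd00000000 sp 0x7ffd00000000 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x400eff in Load1 third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83
    #1 0x400eff in MapSrc<(lambda at ../../third_party/skia/src/opts/SkBlitRow_opts.h:36:36)> third_party/skia/src/core/Sk4px.h:125
    #2 0x400eff in sse2::blit_row_color32(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:36
    #3 0x500000 in __libc_start_main (/lib64/libc.so.6+0x20f29)
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/core/../opts/Sk4px_SSE2.h:18:83 in Load1
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?")
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)(?: of size \d+| memory access)")
# A frame is "#N 0xPC in <demangled function> <location>"; the location is the
# last whitespace-free token, everything between "in" and it is the function.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-f]+)\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)\s*$")
# Assumed list of runtime frames to leave out of the crash state.
IGNORED_PREFIXES = ("__libc_", "__asan_", "__interceptor_", "__sanitizer_")


def _strip_groups(s, open_ch, close_ch):
    """Remove balanced bracket groups, keeping the parentheses of 'operator()'."""
    out, depth = [], 0
    for i, ch in enumerate(s):
        if ch == open_ch:
            if depth == 0 and open_ch == "(" and s[:i].endswith("operator"):
                out.append(ch)
                continue
            depth += 1
        elif ch == close_ch and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def symbol_name(func):
    """Reduce a demangled frame description to its bare symbol (no templates,
    parameter lists, return type or trailing const)."""
    s = _strip_groups(_strip_groups(func, "<", ">"), "(", ")")
    tokens = [t for t in s.split() if t != "const"]
    return tokens[-1] if tokens else func


def parse_asan_report(text):
    """Extract crash kind, faulting address, access type and the first stack."""
    report = {"kind": None, "address": None, "access": None, "frames": [], "summary": None}
    first_stack_done = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            report["kind"], report["address"] = m.group("kind"), m.group("addr")
            continue
        if report["access"] is None and ACCESS_RE.search(line):
            report["access"] = ACCESS_RE.search(line).group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            idx = int(m.group("idx"))
            if idx == 0 and report["frames"]:
                first_stack_done = True  # a later stack such as "allocated by"
            if not first_stack_done:
                report["frames"].append({"idx": idx, "pc": m.group("pc"),
                                         "symbol": symbol_name(m.group("func")),
                                         "location": m.group("loc")})
            continue
        if line.startswith("SUMMARY:"):
            report["summary"] = line[len("SUMMARY:"):].strip()
    return report


def crash_state(report, depth=3):
    """Top `depth` symbols of the stack with runtime frames skipped."""
    symbols = [f["symbol"] for f in report["frames"]
               if not f["symbol"].startswith(IGNORED_PREFIXES)]
    return tuple(symbols[:depth])


def crash_signature(report, depth=3):
    """Key used to decide whether two reports are probably the same bug."""
    return (report["kind"], report["access"], crash_state(report, depth))


def likely_duplicate(report_a, report_b):
    return crash_signature(report_a) == crash_signature(report_b)


def fault_site(report):
    """source:line of the innermost frame, i.e. where to start reading code."""
    return report["frames"][0]["location"] if report["frames"] else None


if __name__ == "__main__":
    original = parse_asan_report(SAMPLE_REPORT)
    print("signature:", crash_signature(original))
    print("fault site:", fault_site(original))
    print("rerun is duplicate:", likely_duplicate(original, parse_asan_report(CONSTRUCTED_RERUN)))
```

The signature deliberately includes the access type: a READ and a WRITE at the same site are normally triaged at different severities, so they should not collapse into one bug. Keeping the signature independent of pid, addresses and pc values is what lets the rerun from a different build match the original report.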
Apr 4 2018
Apr 4 2018
Confirmed it repros on the chrome/m66 branch of Skia: out/ASAN/fuzz -t filter_fuzz -b ~/Downloads/SEGV-Load1.fil
This may be a duplicate of https://bugs.chromium.org/p/chromium/issues/detail?id=826166#c15 because I patched in the same 2 CLs I mentioned on that bug and the fuzzer no longer repros.
Apr 4 2018
Jul 13
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 4 2018