ASSERT assert(count <= std::numeric_limits<uint32_t>::max() / sizeof(T))
Reported by
zhouzhen...@gmail.com,
Jun 14 2018
Issue description

VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of filter_fuzz_stub.

VERSION
Chrome Version: stable-67.0.3396.87
Operating System: Fedora 28 x86_64
https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-stable-67.0.3396.87.zip

REPRODUCTION CASE
./filter_fuzz_stub /tmp/tests_6cade25eb71d7813591ab4fc47da381ba2130460
[0614/114552.860650:INFO:filter_fuzz_stub.cc(60)] Test case: /tmp/tests_6cade25eb71d7813591ab4fc47da381ba2130460
[0614/114552.860953:INFO:filter_fuzz_stub.cc(37)] Valid stream detected.
[0614/114627.404292:INFO:SkArenaAlloc.h(183)] ../../third_party/skia/src/core/SkArenaAlloc.h:183: fatal error: "assert(count <= std::numeric_limits<uint32_t>::max() / sizeof(T))"
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5631==ERROR: AddressSanitizer: ABRT on unknown address 0x03e8000015ff (pc 0x7f01ec2dcf2b bp 0x7ffefee20630 sp 0x7ffefee203e0 T0)
SCARINESS: 10 (signal)
    #0 0x7f01ec2dcf2a in __GI_raise (/lib64/libc.so.6+0x36f2a)
    #1 0x7f01ec2c7560 in __GI_abort (/lib64/libc.so.6+0x21560)
    #2 0xe50f4d in sk_abort_no_print() skia/ext/SkMemory_new_handler.cpp:33:5
    #3 0x6f9dca in operator() third_party/skia/src/core/SkArenaAlloc.h:183:9
    #4 0x6f9dca in commonArrayAlloc<SkLine> third_party/skia/src/core/SkArenaAlloc.h:183
    #5 0x6f9dca in makeArrayDefault<SkLine> third_party/skia/src/core/SkArenaAlloc.h:118
    #6 0x6f9dca in SkEdgeBuilder::buildPoly(SkPath const&, SkIRect const*, int, bool) third_party/skia/src/core/SkEdgeBuilder.cpp:282
    #7 0x6fb2ae in SkEdgeBuilder::build(SkPath const&, SkIRect const*, int, bool, SkEdgeBuilder::EdgeType) third_party/skia/src/core/SkEdgeBuilder.cpp:354:22
    #8 0x8d3295 in gen_alpha_deltas<SkCoverageDeltaMask> third_party/skia/src/core/SkScan_DAAPath.cpp:159:26
    #9 0x8d3295 in SkScan::DAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool, SkDAARecord*) third_party/skia/src/core/SkScan_DAAPath.cpp:363
    #10 0x8e5df5 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) third_party/skia/src/core/SkScan_AntiPath.cpp:803:9
    #11 0x8e6cca in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) third_party/skia/src/core/SkScan_AntiPath.cpp:846:9
    #12 0x6e1204 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const third_party/skia/src/core/SkDraw.cpp:1022:9
    #13 0x6e2b4d in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const third_party/skia/src/core/SkDraw.cpp:1136:11
    #14 0x6e01e8 in drawPath third_party/skia/src/core/SkDraw.h:58:15
    #15 0x6e01e8 in draw_rect_as_path(SkDraw const&, SkRect const&, SkPaint const&, SkMatrix const*) third_party/skia/src/core/SkDraw.cpp:739
    #16 0x6df505 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:766:9
    #17 0x607299 in drawRect third_party/skia/src/core/SkDraw.h:44:15
    #18 0x607299 in SkBitmapDevice::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:307
    #19 0x668851 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1966:27
    #20 0x65f93f in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1637:11
    #21 0xafbb31 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #22 0x731e30 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #23 0x60aea4 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:550:33
    #24 0x657b0d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1237:25
    #25 0x653a90 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1125:19
    #26 0x6688b1 in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:429:22
    #27 0x6688b1 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1962
    #28 0x65f93f in SkCanvas::drawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1637:11
    #29 0xafbb31 in SkPaintImageFilter::onFilterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/effects/SkPaintImageFilter.cpp:66:13
    #30 0x731e30 in SkImageFilter::filterImage(SkSpecialImage*, SkImageFilter::Context const&, SkIPoint*) const third_party/skia/src/core/SkImageFilter.cpp:213:40
    #31 0x60aea4 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) third_party/skia/src/core/SkBitmapDevice.cpp:550:33
    #32 0x657b0d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) third_party/skia/src/core/SkCanvas.cpp:1237:25
    #33 0x653a90 in SkCanvas::internalRestore() third_party/skia/src/core/SkCanvas.cpp:1125:19
    #34 0x66f21b in ~AutoDrawLooper third_party/skia/src/core/SkCanvas.cpp:429:22
    #35 0x66f21b in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2259
    #36 0x663a83 in SkCanvas::drawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:1765:11
    #37 0x5e9008 in RunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:47:13
    #38 0x5e9008 in ReadAndRunTestCase skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:66
    #39 0x5e9008 in main skia/tools/filter_fuzz_stub/filter_fuzz_stub.cc:86
    #40 0x7f01ec2c918a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #41 0x515029 in _start (/home/henices/research/asan-linux-stable-67.0.3396.87/filter_fuzz_stub+0x515029)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib64/libc.so.6+0x36f2a) in __GI_raise
==5631==ABORTING
Jun 14 2018
Looks like an OOM just trying to allocate more than memory limits, so I'm struggling to see the security implications here, but let's see what CF thinks.
Jun 14 2018
This is hitting a release assert at trying to allocate too much memory. I'm so sure this has no security implications that I'm flipping the bits. Skia team, can you pick this up, perhaps parsing is going wrong somewhere?
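The assertion named in the title is an overflow-safe size check: dividing the 32-bit limit by sizeof(T) before comparing cannot wrap, whereas multiplying count by sizeof(T) first can wrap and let an oversized request through as a tiny one. Added example, not Skia's code: Line, Arena and the budget parameter are stand-ins, and the release assert is turned into a nullptr return so a caller can reject the input instead of aborting.

```cpp
#include <cstdint>
#include <limits>
#include <memory>
#include <new>

// Constructed stand-in for the element type whose array allocation tripped
// the assert (SkEdgeBuilder allocating SkLine[] from an SkArenaAlloc).
struct Line { float x0, y0, x1, y1; int winding; };

// A minimal arena whose allocation sizes are tracked in uint32_t, as in
// SkArenaAlloc. Hypothetical type, not Skia's.
struct Arena {
    static constexpr uint32_t kMaxBytes = std::numeric_limits<uint32_t>::max();

    // Naive guard: multiplies first, so count * sizeof(T) can wrap in
    // uint32_t and a huge count is accepted as a small allocation.
    template <typename T>
    static bool naiveFits(uint32_t count, uint32_t budget = kMaxBytes) {
        uint32_t bytes = count * static_cast<uint32_t>(sizeof(T));  // may wrap
        return bytes <= budget;
    }

    // The guard from the assert in the title: divide first, so no
    // intermediate value can overflow.
    template <typename T>
    static bool checkedFits(uint32_t count, uint32_t budget = kMaxBytes) {
        return count <= budget / sizeof(T);
    }

    // Where SkArenaAlloc::commonArrayAlloc release-asserts, this returns
    // nullptr so the caller can reject the input instead of aborting.
    template <typename T>
    std::unique_ptr<T[]> makeArrayDefault(uint32_t count) {
        if (!checkedFits<T>(count)) return nullptr;
        return std::unique_ptr<T[]>(new (std::nothrow) T[count]());
    }
};

// Smallest count of Line that must be rejected: one past the exact limit.
uint32_t tooManyLines() {
    return Arena::kMaxBytes / static_cast<uint32_t>(sizeof(Line)) + 1;
}
```

With tooManyLines() the naive guard passes because the wrapped byte count is smaller than sizeof(Line), while the division form rejects it.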
Jun 15 2018
The NextAction date has arrived: 2018-06-15
Jul 30
Testcase 5022801283776512 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5022801283776512.
Jul 30
Comment 1 by ClusterFuzz, Jun 14 2018