Security: Skia: Undefined behavior (memcpy with NULL pointer) in SkRRect::readFromMemory (src/core/SkRRect.cpp)
Reported by
quangn...@gmail.com,
Sep 21
|
|||
Issue descriptionVULNERABILITY DETAILS There is an undefined behavior (memcpy with null pointer) in SkRRect::readFromMemory function (src/core/SkRRect.cpp), which can cause denial of service (crash) or possibly other unspecified impacts via a crafted input. Check the following line: https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkRRect.cpp?l=531 run-time error: null pointer passed as argument 1, which is declared to never be null VERSION Operating System: Linux Skia version: I use latest version in github(https://github.com/google/skia), hash 05cf051f0252c601eefb32cfb58738d15bdc0c5d REPRODUCTION CASE Build Skia with asserts disabled ``` bin/gn gen out/Release --args='is_debug=false' ninja -C out/Release ``` Run test-case: ``` ./out/Release/fuzz -t pipe -b SkRRect_readFromMemory_null_pointer ``` Crate state: ``` Stopped reason: SIGSEGV __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:114 114 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory. gdb-peda$ bt #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:114 #1 0x0000000000e214c6 in SkRRect::readFromMemory (this=0x7fffffffc9d0, buffer=0x0, length=0x30) at ../../src/core/SkRRect.cpp:531 #2 0x0000000000e5ac28 in read_rrect (reader=...) at ../../src/pipe/SkPipeReader.cpp:112 #3 0x0000000000e5b84b in clipRRect_handler (reader=..., packedVerb=0x5050505, canvas=0x25f2650) at ../../src/pipe/SkPipeReader.cpp:297 #4 0x0000000000e5e2ef in do_playback (reader=..., canvas=0x25f2650, endPictureIndex=0x7fffffffcab8) at ../../src/pipe/SkPipeReader.cpp:876 #5 0x0000000000e5d9c6 in definePicture_handler (reader=..., packedVerb=0x23000000, canvas=0x0) at ../../src/pipe/SkPipeReader.cpp:700 #6 0x0000000000e5e09f in SkPipeDeserializer::readPicture (this=0x7fffffffcd30, data=0x7ffff7ff6000, size=0x60) at ../../src/pipe/SkPipeReader.cpp:832 #7 0x0000000000c35087 in SkPipeDeserializer::readPicture (this=0x7fffffffcd30, data=0x25f1a10) at ../../src/core/SkPipe.h:63 #8 0x0000000000c3848d in fuzz_skpipe (bytes=...) at ../../fuzz/FuzzMain.cpp:614 #9 0x0000000000c36032 in fuzz_file (path=..., type=...) at ../../fuzz/FuzzMain.cpp:189 #10 0x0000000000c35ba2 in main (argc=0x5, argv=0x7fffffffe158) at ../../fuzz/FuzzMain.cpp:109 #11 0x00007ffff6061830 in __libc_start_main (main=0xc35a71 <main(int, char**)>, argc=0x5, argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at ../csu/libc-start.c:291 #12 0x0000000000c1a5b9 in _start () ``` PATCH patch for this issue: ``` diff --git a/src/core/SkRRect.cpp b/src/core/SkRRect.cpp index da3cf8e..9a1a11a 100644 --- a/src/core/SkRRect.cpp +++ b/src/core/SkRRect.cpp @@ -527,6 +527,10 @@ size_t SkRRect::readFromMemory(const void* buffer, size_t length) { return 0; } + if (!buffer) { + return 0; + } + SkRRect raw; memcpy(&raw, buffer, kSizeInMemory); this->setRectRadii(raw.fRect, raw.fRadii); ```
,
Sep 22
This issue is not a part of skia pipe bugs. It is from src/core/SkRRect.cpp. Please review carefully.
,
Sep 22
Null ptr deference is not a security vulnerability, removing tags.
,
Sep 22
I think the idea here is that this is only a problem when called with a null buffer pointer, which is a breach of the internal contracts we have for this sort of deserialization code. The bug belongs to SkPipeReader.cpp for violating that contract. If we make any change to SkRRect::readFromMemory(), I think I'd like it to stop at `SkASSERT(buffer);` somewhere early on for now.
,
Jan 11
Setting defect without priority to Pri-2. |
|||
►
Sign in to add a comment |
|||
Comment 1 by mbarbe...@chromium.org
, Sep 21Components: Internals>Skia
Labels: Security_Impact-None
Status: Available (was: Unconfirmed)