Security: Skia: out-of-bounds read in SkPipeDeserializer::readPicture and SkPipeDeserializer::readImage
Reported by quangn...@gmail.com, Sep 21
Issue description

VULNERABILITY DETAILS

In the following line, SkPipeDeserializer::readPicture will use `index` to access an item in `fImpl->fPictures`. This mistake leads to an out-of-bounds access by using `index`. Notice that `SkASSERT` is disabled in the Release build configuration: https://cs.chromium.org/chromium/src/third_party/skia/src/pipe/SkPipeReader.cpp?g=0&l=827

```
int index = unpack_verb_extra(packedVerb);
if (0 == index) {
    return nullptr; // writer failed
}
return sk_ref_sp(fImpl->fPictures.get(index - 1)); //out-of-bounds read
```

A similar vulnerability is found in SkPipeDeserializer::readImage: https://cs.chromium.org/chromium/src/third_party/skia/src/pipe/SkPipeReader.cpp?g=0&l=797

VERSION

Operating System: Linux
Skia version: I use the latest version on GitHub (https://github.com/google/skia), commit https://github.com/google/skia/commit/05cf051f0252c601eefb32cfb58738d15bdc0c5d

REPRODUCTION CASE

Build Skia with asserts disabled:

```
bin/gn gen out/Release --args='is_debug=false'
ninja -C out/Release
```

Run testcase:

```
./out/Release/fuzz -t pipe -b SkPipeDeserializer_readPicture_oob
```

Crash state:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000c1acf3 in std::__atomic_base<int>::fetch_add (__m=std::memory_order_relaxed, __i=1, this=0x7f02f883000000c0) at /usr/include/c++/5/bits/atomic_base.h:514
514	    { return __atomic_fetch_add(&_M_i, __i, __m); }
(gdb) bt
#0  0x0000000000c1acf3 in std::__atomic_base<int>::fetch_add (__m=std::memory_order_relaxed, __i=1, this=0x7f02f883000000c0) at /usr/include/c++/5/bits/atomic_base.h:514
#1  SkRefCntBase::ref (this=0x7f02f883000000b8) at ../../include/core/SkRefCnt.h:76
#2  0x0000000000e5f93e in SkSafeRef<SkPicture> (obj=0x7f02f883000000b8) at ../../include/core/SkRefCnt.h:153
#3  0x0000000000e5f2d6 in sk_ref_sp<SkPicture> (obj=0x7f02f883000000b8) at ../../include/core/SkRefCnt.h:416
#4  0x0000000000e5e79d in SkPipeDeserializer::readPicture (this=0x7fffffffcd20, data=0x7ffff7ff6000, size=12) at ../../src/pipe/SkPipeReader.cpp:827
#5  0x0000000000c34f89 in SkPipeDeserializer::readPicture (this=0x7fffffffcd20, data=0x25f1a10) at ../../src/core/SkPipe.h:63
#6  0x0000000000c38c6d in fuzz_skpipe (bytes=...) at ../../fuzz/FuzzMain.cpp:614
#7  0x0000000000c361a6 in fuzz_file (path=..., type=...) at ../../fuzz/FuzzMain.cpp:189
#8  0x0000000000c35aa4 in main (argc=5, argv=0x7fffffffe158) at ../../fuzz/FuzzMain.cpp:109
(gdb)
```
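The lookup pattern from the report, beside a form that enforces the range check at runtime rather than in an assert, as an added example that is not Skia's code or Skia's fix; the `Picture`/`PictureTable` types, the verb/extra packing and the function names are hypothetical stand-ins.

```cpp
// Added example, not Skia's code: models the index lookup from
// SkPipeDeserializer::readPicture and the bounds check that in Skia is only
// an SkASSERT (compiled out in Release). Names and packing are hypothetical.
#include <cstdint>
#include <memory>
#include <vector>

struct Picture { int id; };                                  // stand-in for SkPicture
using PictureTable = std::vector<std::shared_ptr<Picture>>;  // stand-in for fImpl->fPictures

// Assumed packing: low 8 bits carry the verb, the remaining bits carry the
// "extra", used here as a 1-based picture index where 0 means the writer failed.
constexpr uint32_t kVerbBits = 8;
inline uint32_t unpackVerbExtra(uint32_t packedVerb) { return packedVerb >> kVerbBits; }

// Reported pattern: index - 1 is used as a slot with no range check, so an
// index past the end of the table reads outside it (undefined behaviour).
// Kept only for comparison with the checked form below.
std::shared_ptr<Picture> readPictureUnchecked(const PictureTable& pics, uint32_t packedVerb) {
    uint32_t index = unpackVerbExtra(packedVerb);
    if (0 == index) return nullptr;                          // writer failed
    return pics[index - 1];                                  // out-of-bounds read if index > size
}

// Hardened form: any index outside [1, size] is malformed input and is
// rejected at runtime, independent of the build configuration.
std::shared_ptr<Picture> readPictureChecked(const PictureTable& pics, uint32_t packedVerb) {
    uint32_t index = unpackVerbExtra(packedVerb);
    if (0 == index || index > pics.size()) return nullptr;   // reject, do not assert
    return pics[index - 1];
}

// Constructed sample table with two pictures (ids 1 and 2).
PictureTable makeSampleTable() {
    return { std::make_shared<Picture>(Picture{1}), std::make_shared<Picture>(Picture{2}) };
}

// Returns the picture id for a packed verb, or -1 when the lookup is rejected.
int lookupId(const PictureTable& pics, uint32_t packedVerb) {
    auto p = readPictureChecked(pics, packedVerb);
    return p ? p->id : -1;
}
```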
Sep 21
Sep 21: Bulk edit of recently filed skia pipe bugs.
Sep 22
Dec 29: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by quangn...@gmail.com, Sep 21: attachment, 4.0 KB