Security: Skia: A NULL pointer dereference in SkCanvas::clipRect
Reported by
quangn...@gmail.com,
Sep 21
|
|||
Issue descriptionVULNERABILITY DETAILS There is a NULL pointer dereference issue in SkCanvas::clipRect function (src/core/SkCanvas.cpp), which can cause denial of service (crash). Developers should check `rect` value before using it. https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkCanvas.cpp?g=0&l=1327 VERSION Operating System: Linux Skia version: I use latest version in github(https://github.com/google/skia), commit https://github.com/google/skia/commit/7ca284b3e7684ae0dd300412a21d092df3d6741a REPRODUCTION CASE Build Skia with asserts disabled ``` bin/gn gen out/Release --args='is_debug=false' ninja -C out/Release ``` Run testcase: ``` ./out/Release/fuzz -t pipe -b SkCanvas_clipRect_null_pointer_dereference ``` Crate state: ``` Stopped reason: SIGSEGV 0x0000000000c1b019 in SkRect::isFinite (this=0x0) at ../../include/core/SkRect.h:846 846 accum *= fLeft; gdb-peda$ bt #0 0x0000000000c1b019 in SkRect::isFinite (this=0x0) at ../../include/core/SkRect.h:846 #1 0x0000000000d2f1f0 in SkCanvas::clipRect (this=0x25f2640, rect=..., op=65536, doAA=0x0) at ../../src/core/SkCanvas.cpp:1328 #2 0x0000000000e5c0d9 in clipRect_handler (reader=..., packedVerb=0x4020000, canvas=0x25f2640) at ../../src/pipe/SkPipeReader.cpp:276 #3 0x0000000000e5eb9a in do_playback (reader=..., canvas=0x25f2640, endPictureIndex=0x7fffffffcab8) at ../../src/pipe/SkPipeReader.cpp:855 #4 0x0000000000e5e2ba in definePicture_handler (reader=..., packedVerb=0x23000000, canvas=0x0) at ../../src/pipe/SkPipeReader.cpp:686 #5 0x0000000000e5e985 in SkPipeDeserializer::readPicture (this=0x7fffffffcd30, data=0x7ffff7ff6000, size=0x28) at ../../src/pipe/SkPipeReader.cpp:816 #6 0x0000000000c35059 in SkPipeDeserializer::readPicture (this=0x7fffffffcd30, data=0x25f1a10) at ../../src/core/SkPipe.h:63 #7 0x0000000000c38d3d in fuzz_skpipe (bytes=...) at ../../fuzz/FuzzMain.cpp:614 #8 0x0000000000c36276 in fuzz_file (path=..., type=...) at ../../fuzz/FuzzMain.cpp:189 #9 0x0000000000c35b74 in main (argc=0x5, argv=0x7fffffffe168) at ../../fuzz/FuzzMain.cpp:109 #10 0x00007ffff6061830 in __libc_start_main (main=0xc35a43 <main(int, char**)>, argc=0x5, argv=0x7fffffffe168, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe158) at ../csu/libc-start.c:291 #11 0x0000000000c1a569 in _start () ``` PATCH patch for this issue: ``` diff --git a/src/core/SkCanvas.cpp b/src/core/SkCanvas.cpp index 9566a34..bbf701f 100644 --- a/src/core/SkCanvas.cpp +++ b/src/core/SkCanvas.cpp @@ -1325,6 +1325,9 @@ void SkCanvas::resetMatrix() { ////////////////////////////////////////////////////////////////////////////// void SkCanvas::clipRect(const SkRect& rect, SkClipOp op, bool doAA) { + if (&rect == nullptr) { + return; + } if (!rect.isFinite()) { return; } ```
,
Sep 22
This issue is not a part of skia pipe bugs. It is from src/core/SkCanvas.cpp. Please review carefully.
,
Sep 22
Null ptr crash is not a security bug. Removing tags.
,
Sep 22
Like the other bug, this is a case of SkPipeReader.cpp violating the expectations of code that's otherwise fine. We're definitely cannot add null-reference checks to SkCanvas::clipRect(), if only because compilers will warn about them and perhaps optimize them away anyway. It's undefined behavior to have a null reference in C++, so it's not really technically possible to check for one. The null reference only happens because clipRect_handler() dereferenced a null pointer returned by reader.skipT<SkRect>(). Just like the other bug, the blame's on SkPipeReader.cpp, and I do think that makes this bug moot from a security perspective. (This is the very sort of bug we were hoping fuzzing would find in this pipe code, but again, it's not otherwise used.)
,
Jan 11
Setting defect without priority to Pri-2. |
|||
►
Sign in to add a comment |
|||
Comment 1 by mbarbe...@chromium.org
, Sep 21Components: Internals>Skia
Labels: Security_Impact-None
Status: Available (was: Unconfirmed)