Issue 121926: Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware
Status:  Fixed
Owner:  schen...@chromium.org
Closed:  Dec 2012
Cc:  pdr@chromium.org

Reported by attek...@gmail.com, Apr 4, 2012
repro-file as attachment

VERSION
Chrome Version: 20.0.1092.0 (Developer Build 130641) ASAN
Operating System: Ubuntu 11.04 x86_64

ASAN-report:

==28168== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f885f2102b4 at pc 0x7f8877238bf1 bp 0x7fff020044f0 sp 0x7fff020044e8
READ of size 1 at 0x7f885f2102b4 thread T0
    #0 0x7f8877238bf1 in WebCore::FEConvolveMatrix::platformApplySoftware() ???:0
    #1 0x7f8875387f93 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0
    #2 0x7f88750a9df0 in WebCore::SVGRenderingContext::~SVGRenderingContext() ???:0
    #3 0x7f88753fd1db in WebCore::RenderSVGContainer::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #4 0x7f88745b8367 in WebCore::RenderBox::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #5 0x7f887508a478 in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #6 0x7f887477504b in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #7 0x7f88746ba6b8 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #8 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #9 0x7f88746bb17e in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #10 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #11 0x7f88746b611d in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) ???:0
    #12 0x7f88740066a5 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #13 0x7f8873517a7c in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #14 0x7f8872b2e716 in WebKit::WebFrameImpl::paintWithContext(WebCore::GraphicsContext&, WebKit::WebRect const&) ???:0
    #15 0x7f8872b2ea5c in WebKit::WebFrameImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #16 0x7f8872b698a9 in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #17 0x7f8876568ed8 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) ???:0
    #18 0x7f887655ed40 in RenderWidget::DoDeferredUpdate() ???:0
    #19 0x7f88765622b5 in RenderWidget::OnUpdateRectAck() ???:0
    #20 0x7f88765608ec in RenderWidget::OnMessageReceived(IPC::Message const&) ???:0
    #21 0x7f8876512d92 in RenderViewImpl::OnMessageReceived(IPC::Message const&) ???:0
    #22 0x7f887266e749 in MessageRouter::RouteMessage(IPC::Message const&) ???:0
    #23 0x7f887266e5b0 in MessageRouter::OnMessageReceived(IPC::Message const&) ???:0
    #24 0x7f88725878d2 in ChildThread::OnMessageReceived(IPC::Message const&) ???:0
    #25 0x7f88712bfa13 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ???:0
    #26 0x7f88711ac171 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #27 0x7f88711ac916 in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #28 0x7f88711adbfb in MessageLoop::DoWork() ???:0
    #29 0x7f88711b8207 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ???:0
    #30 0x7f88711aadde in MessageLoop::RunInternal() ???:0
    #31 0x7f88711a8fcf in MessageLoop::Run() ???:0
    #32 0x7f88765858ee in RendererMain(content::MainFunctionParams const&) ???:0
    #33 0x7f88710bcb62 in (anonymous namespace)::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:0
    #34 0x7f88710bb1ba in content::ContentMain(int, char const**, content::ContentMainDelegate*) ???:0
    #35 0x7f886fcb38c7 in ChromeMain ??:0
    #36 0x7f886fcb382b in main ???:0
    #37 0x7f8868e63eff in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x7f885f2102b4 is located 0 bytes to the right of 52-byte region [0x7f885f210280,0x7f885f2102b4)
allocated by thread T0 here:
    #0 0x7f88778ef782 in operator new[](unsigned long) ??:0
    #1 0x7f8872dfac76 in WTF::ByteArray::create(unsigned long) ???:0
    #2 0x7f88737b66c2 in WebCore::FilterEffect::asPremultipliedImage(WebCore::IntRect const&) ???:0
    #3 0x7f8877237573 in WebCore::FEConvolveMatrix::platformApplySoftware() ???:0
    #4 0x7f8875387f93 in WebCore::RenderSVGResourceFilter::postApplyResource(WebCore::RenderObject*, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) ???:0
    #5 0x7f88750a9df0 in WebCore::SVGRenderingContext::~SVGRenderingContext() ???:0
    #6 0x7f88753fd1db in WebCore::RenderSVGContainer::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #7 0x7f88745b8367 in WebCore::RenderBox::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #8 0x7f887508a478 in WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #9 0x7f887477504b in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ???:0
    #10 0x7f88746ba6b8 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #11 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #12 0x7f88746bb17e in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #13 0x7f88746b7605 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) ???:0
    #14 0x7f88746b611d in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) ???:0
    #15 0x7f88740066a5 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #16 0x7f8873517a7c in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) ???:0
    #17 0x7f8872b2e716 in WebKit::WebFrameImpl::paintWithContext(WebCore::GraphicsContext&, WebKit::WebRect const&) ???:0
    #18 0x7f8872b2ea5c in WebKit::WebFrameImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #19 0x7f8872b698a9 in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) ???:0
    #20 0x7f8876568ed8 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) ???:0
    #21 0x7f887655ed40 in RenderWidget::DoDeferredUpdate() ???:0
    #22 0x7f88765622b5 in RenderWidget::OnUpdateRectAck() ???:0
==28168== ABORTING
Stats: 3M malloced (6M for red zones) by 24596 calls
Stats: 0M realloced by 51 calls
Stats: 2M freed by 11338 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11270 full pages) mmaped in 11 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32;
  mallocs by size class: 8:21571; 9:1460; 10:1022; 11:343; 12:64; 13:28; 14:91; 15:7; 16:9; 17:1;
  frees   by size class: 8:9090; 9:1022; 10:862; 11:228; 12:33; 13:17; 14:80; 15:3; 16:3;
  rfrees  by size class:
Stats: malloc large: 1 small slow: 97
Shadow byte and word:
  0x1ff10be42056: 4
  0x1ff10be42050: 00 00 00 00 00 00 04 fb
More shadow bytes:
  0x1ff10be42030: 00 00 00 00 00 00 04 fb
  0x1ff10be42038: fb fb fb fb fb fb fb fb
  0x1ff10be42040: fa fa fa fa fa fa fa fa
  0x1ff10be42048: fa fa fa fa fa fa fa fa
=>0x1ff10be42050: 00 00 00 00 00 00 04 fb
  0x1ff10be42058: fb fb fb fb fb fb fb fb
  0x1ff10be42060: fa fa fa fa fa fa fa fa
  0x1ff10be42068: fa fa fa fa fa fa fa fa
  0x1ff10be42070: 00 00 04 fb fb fb fb fb

home-heap-buffer-overflow-8f0.svg
643 bytes
Apr 4, 2012
#1 pal...@chromium.org
I hit an assert (Aw Snap) in non-ASAN build on ToT on Linux, FWIW. Doesn't seem to pop on 18.
Status: Available
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit OS-All SecSeverity-Medium SecImpacts-None
Apr 10, 2012
#2 infe...@chromium.org
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35334708

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7ffc2e12d6b4
Crash State:
  - crash stack -
  WebCore::FEConvolveMatrix::platformApplySoftware
  WebCore::RenderSVGResourceFilter::postApplyResource
  WebCore::SVGRenderingContext::~SVGRenderingContext
  

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LIXdSAHLvgZUoCSEUhruRvk06HV_Ck7HAnXYdlXwej3V1t-zxBmcNlbgY-o4mwlm56RGTbz3MDfRNoMw6TOY7i7Pj8aMQ1AMJc7EXu2p1o2dakteXK7PBMF_HB34ElVO9-RfaGlmKmOiVnbw2-HdG0DJkTQ
<svg xmlns="http://www.w3.org/2000/svg">

<filter id="f1">
  <feConvolveMatrix
   order="-3" kernelMatrix="0 1 0   1 1 1   0 1 0"/>
</filter>
<g filter="url(#f1)">
  <rect y="0" width="1" height="1"/>
</g>
</svg>
Summary: Heap-buffer-overflow in WebCore::FEConvolveMatrix::platformApplySoftware
Apr 10, 2012
#3 infe...@chromium.org
We need to be careful with the correct Milestone and Secimpacts label. ClusterFuzz helps a lot here, if it doesn't, we should just validate using asanified stable, beta builds from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html
Labels: -SecImpacts-None SecImpacts-Stable SecImpacts-Beta Mstone-18 Stability-AddressSanitizer
Apr 11, 2012
#4 infe...@chromium.org
Stephen Sir! Need your help with triage.
Status: Assigned
Owner: schen...@chromium.org
Cc: pdr@chromium.org
Labels: WebKit-SVG
Apr 18, 2012
#5 attek...@gmail.com
Any progress with this one?
Apr 19, 2012
#6 schen...@chromium.org
On it now. You may have heard about the chaos in the office.
Apr 19, 2012
#7 jschuh@chromium.org
I don't think attekett would be (since he's the external reporter). However, the security team is aware of that and the WebKit meet-up adding latency at the moment. So, thanks for still being on top of this stuff considering the circumstances.
Apr 19, 2012
#8 schen...@chromium.org
Simple issue with invalid input values.

https://bugs.webkit.org/show_bug.cgi?id=84363
Status: Started
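As an added illustration of the bug class comment #8 describes (rejecting invalid feConvolveMatrix input before it drives buffer sizing and indexing), the following is example code written for this page. It is not WebCore's code and not the fix landed in r115316; the struct, function and enum names are hypothetical, the order cap is an arbitrary value chosen here, and the 2x2 sample image is constructed for the example. The validation rules are those of SVG 1.1 (order values are integers greater than zero, kernelMatrix holds orderX*orderY numbers, 0 <= target < order, an explicit divisor is non-zero), and the convolution bounds-checks every source sample so an undersized or mis-sized input can never be read past its end.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not WebCore code: the attributes an feConvolveMatrix
// element carries after parsing. All names here are hypothetical.
struct ConvolveMatrixParams {
    int orderX = 3;           // SVG default is order="3" (a square kernel)
    int orderY = 3;
    bool hasTargetX = false;  int targetX = 0;  // targets default to order / 2
    bool hasTargetY = false;  int targetY = 0;
    bool hasDivisor = false;  float divisor = 1.0f;  // default: kernel sum, or 1 if that is 0
    std::vector<float> kernelMatrix;
};

enum class ConvolveStatus { Ok, InvalidOrder, KernelSizeMismatch, InvalidTarget, InvalidDivisor };

// Reject bad parameter combinations before any buffer is sized or indexed
// from them. Fills in the defaulted targets on success.
ConvolveStatus validateConvolveMatrix(ConvolveMatrixParams& p) {
    const int kMaxOrder = 1024;  // cap chosen for this example so orderX*orderY cannot overflow
    if (p.orderX <= 0 || p.orderY <= 0 || p.orderX > kMaxOrder || p.orderY > kMaxOrder)
        return ConvolveStatus::InvalidOrder;  // order="-3" from the test case stops here
    if (p.kernelMatrix.size() != static_cast<std::size_t>(p.orderX) * p.orderY)
        return ConvolveStatus::KernelSizeMismatch;
    if (!p.hasTargetX) p.targetX = p.orderX / 2;
    if (!p.hasTargetY) p.targetY = p.orderY / 2;
    if (p.targetX < 0 || p.targetX >= p.orderX || p.targetY < 0 || p.targetY >= p.orderY)
        return ConvolveStatus::InvalidTarget;
    if (p.hasDivisor && p.divisor == 0.0f)
        return ConvolveStatus::InvalidDivisor;
    return ConvolveStatus::Ok;
}

// Convolve a premultiplied RGBA8 image with edgeMode="none": every source
// sample position is checked against the image bounds and positions outside
// contribute nothing, so no computed index can reach past src.size().
// Returns an empty vector when the parameters or the buffer size are invalid.
std::vector<uint8_t> convolveRGBA(const std::vector<uint8_t>& src, int width, int height,
                                  ConvolveMatrixParams p) {
    if (validateConvolveMatrix(p) != ConvolveStatus::Ok) return {};
    if (width <= 0 || height <= 0 ||
        src.size() != static_cast<std::size_t>(width) * height * 4) return {};
    float divisor = p.divisor;
    if (!p.hasDivisor) {
        divisor = 0.0f;
        for (float k : p.kernelMatrix) divisor += k;
        if (divisor == 0.0f) divisor = 1.0f;
    }
    std::vector<uint8_t> dst(src.size(), 0);
    for (int y = 0; y < height; ++y) {
        for (int x = 0; x < width; ++x) {
            for (int c = 0; c < 4; ++c) {
                float sum = 0.0f;
                for (int j = 0; j < p.orderY; ++j) {
                    for (int i = 0; i < p.orderX; ++i) {
                        const int sx = x - p.targetX + i;
                        const int sy = y - p.targetY + j;
                        if (sx < 0 || sx >= width || sy < 0 || sy >= height)
                            continue;  // outside the image: transparent black
                        // SVG applies the kernel rotated by 180 degrees.
                        const float k = p.kernelMatrix[(p.orderY - 1 - j) * p.orderX + (p.orderX - 1 - i)];
                        sum += k * src[(static_cast<std::size_t>(sy) * width + sx) * 4 + c];
                    }
                }
                float v = sum / divisor;
                if (v < 0.0f) v = 0.0f;
                if (v > 255.0f) v = 255.0f;
                dst[(static_cast<std::size_t>(y) * width + x) * 4 + c] = static_cast<uint8_t>(v + 0.5f);
            }
        }
    }
    return dst;
}

// Helpers for trying the code out: validate an (orderX, orderY, kernel count)
// combination, and filter a constructed 2x2 image with the test case's kernel
// at a valid order="3".
ConvolveStatus validateOrderAndKernel(int orderX, int orderY, std::size_t kernelCount) {
    ConvolveMatrixParams p;
    p.orderX = orderX;
    p.orderY = orderY;
    p.kernelMatrix.assign(kernelCount, 1.0f);
    return validateConvolveMatrix(p);
}

std::vector<uint8_t> convolveSampleImage() {
    ConvolveMatrixParams p;  // order="3", kernelMatrix="0 1 0 1 1 1 0 1 0"
    p.kernelMatrix = {0, 1, 0, 1, 1, 1, 0, 1, 0};
    // Constructed 2x2 image: red channel 10, 20, 30, 40, fully opaque.
    const std::vector<uint8_t> src = {10, 0, 0, 255, 20, 0, 0, 255, 30, 0, 0, 255, 40, 0, 0, 255};
    return convolveRGBA(src, 2, 2, p);
}
```

With the reporter's values, validateOrderAndKernel(-3, -3, 9) returns InvalidOrder and nothing downstream is ever sized from a negative order; with order 3 the sample image filters to red values 12, 14, 16, 18 (each pixel sees itself and two in-bounds neighbours through the cross kernel, divided by the kernel sum of 5) and alpha 153.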
Apr 26, 2012
#9 schen...@chromium.org
WebKit Committed r115316: <http://trac.webkit.org/changeset/115316>
Status: Fixed
Apr 26, 2012
#10 infe...@chromium.org
(No comment was entered for this change.)
Status: FixUnreleased
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Apr 26, 2012
#11 ke...@chromium.org
Thanks Stephen.
Apr 26, 2012
#12 attek...@gmail.com
Worth reward-topanel?
Apr 26, 2012
#13 infe...@chromium.org
Definitely! Don't worry if we don't add the tag early. We eventually do the reward nominations when we are closer to release.
Labels: reward-topanel
Apr 27, 2012
Project Member #14 clusterfuzz@chromium.org
ClusterFuzz has detected this issue as fixed in range 134140:134155.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=35334708

Uploader: inferno@chromium.org

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7ffc2e12d6b4
Crash State:
  - crash stack -
  WebCore::FEConvolveMatrix::platformApplySoftware
  WebCore::RenderSVGResourceFilter::postApplyResource
  WebCore::SVGRenderingContext::~SVGRenderingContext
  
Fixed: https://cluster-fuzz.appspot.com/revisions?range=134140:134155

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96LIXdSAHLvgZUoCSEUhruRvk06HV_Ck7HAnXYdlXwej3V1t-zxBmcNlbgY-o4mwlm56RGTbz3MDfRNoMw6TOY7i7Pj8aMQ1AMJc7EXu2p1o2dakteXK7PBMF_HB34ElVO9-RfaGlmKmOiVnbw2-HdG0DJkTQ

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
May 4, 2012
#15 scarybea...@gmail.com
We think it would be hard to recover the OOB content, so letting it roll into M20 seems sane.
Labels: -Mstone-18 -Merge-Approved Mstone-20
May 4, 2012
#16 scarybea...@gmail.com
Since we think it's hard to recover the OOB content, the panel didn't find this a rewardable issue, unfortunately. Let us know if you think there's an aspect to this bug that we may have missed.
Labels: -reward-topanel
Jun 25, 2012
#17 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: CVE-2012-2820
Oct 13, 2012
#18 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Dec 20, 2012
#19 jschuh@chromium.org
(No comment was entered for this change.)
Status: Fixed
Mar 9, 2013
#20 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Type-Security -Area-WebKit -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Mstone-20 -Stability-AddressSanitizer -WebKit-SVG Cr-Content M-20 Cr-Content-SVG Security-Impact-Stable Security-Impact-Beta Security-Severity-Medium Performance-Memory-AddressSanitizer Type-Bug-Security
Mar 13, 2013
#21 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: Restrict-View-EditIssue
Mar 13, 2013
#22 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#23 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Mar 21, 2013
#24 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Mar 21, 2013
#25 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-Medium Security_Severity-Medium
Mar 21, 2013
#26 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Beta Security_Impact-Beta
Apr 1, 2013
#27 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Apr 5, 2013
#28 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink
Apr 5, 2013
#29 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content-SVG Cr-Blink-SVG