[Webkit-unassigned] [Bug 276589] New: [Skia] Use after free when serializing SkColorSpace

bugzilla-daemon at webkit.org
Sun Jul 14 06:43:57 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=276589

            Bug ID: 276589
           Summary: [Skia] Use after free when serializing SkColorSpace
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at redhat.com
                CC: bugs-noreply at webkitgtk.org

==48240== Invalid read of size 8
==48240==    at 0x48518DF: memmove (vg_replace_strmem.c:1414)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
==48240==    by 0x6F4BAAF: WebKit::WebPageProxy::launchProcess(WebCore::RegistrableDomain const&, WebKit::WebPageProxy::ProcessLaunchReason) (Source/WebKit/UIProcess/WebPageProxy.cpp:1212)
==48240==    by 0x6F4FF28: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&, WebCore::ShouldOpenExternalURLsPolicy, API::Object*) (Source/WebKit/UIProcess/WebPageProxy.cpp:1821)
==48240==    by 0x6F50A10: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&) (Source/WebKit/UIProcess/WebPageProxy.cpp:1842)
==48240==  Address 0x85df6ce8 is 40 bytes inside a block of size 108 free'd
==48240==    at 0x48476C6: operator delete(void*) (vg_replace_malloc.c:1131)
==48240==    by 0x6D3FA17: unref (Source/ThirdParty/skia/include/core/SkRefCnt.h:181)
==48240==    by 0x6D3FA17: SkSafeUnref<SkData> (Source/ThirdParty/skia/include/core/SkRefCnt.h:151)
==48240==    by 0x6D3FA17: ~sk_sp (Source/ThirdParty/skia/include/core/SkRefCnt.h:256)
==48240==    by 0x6D3FA17: dataReference (Source/WebKit/Shared/skia/CoreIPCSkColorSpace.h:50)
==48240==    by 0x6D3FA17: IPC::ArgumentCoder<WebKit::CoreIPCSkColorSpace, void>::encode(IPC::Encoder&, WebKit::CoreIPCSkColorSpace const&) (WebKitPlatformGeneratedSerializers.cpp:5011)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
==48240==    by 0x6F4BAAF: WebKit::WebPageProxy::launchProcess(WebCore::RegistrableDomain const&, WebKit::WebPageProxy::ProcessLaunchReason) (Source/WebKit/UIProcess/WebPageProxy.cpp:1212)
==48240==    by 0x6F4FF28: WebKit::WebPageProxy::loadRequest(WebCore::ResourceRequest&&, WebCore::ShouldOpenExternalURLsPolicy, API::Object*) (Source/WebKit/UIProcess/WebPageProxy.cpp:1821)
==48240==  Block was alloc'd at
==48240==    at 0x4843FEC: operator new(unsigned long) (vg_replace_malloc.c:487)
==48240==    by 0x9215A9E: PrivateNewWithCopy (Source/ThirdParty/skia/src/core/SkData.cpp:82)
==48240==    by 0x9215A9E: SkData::MakeUninitialized(unsigned long) (Source/ThirdParty/skia/src/core/SkData.cpp:117)
==48240==    by 0x9214B2D: SkColorSpace::serialize() const (Source/ThirdParty/skia/src/core/SkColorSpace.cpp:261)
==48240==    by 0x6D3F9F2: dataReference (Source/WebKit/Shared/skia/CoreIPCSkColorSpace.h:50)
==48240==    by 0x6D3F9F2: IPC::ArgumentCoder<WebKit::CoreIPCSkColorSpace, void>::encode(IPC::Encoder&, WebKit::CoreIPCSkColorSpace const&) (WebKitPlatformGeneratedSerializers.cpp:5011)
==48240==    by 0x6B77877: operator<<<WebKit::CoreIPCSkColorSpace> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6B77877: IPC::ArgumentCoder<sk_sp<SkColorSpace>, void>::encode(IPC::Encoder&, sk_sp<SkColorSpace> const&) (Source/WebKit/Shared/skia/WebCoreArgumentCodersSkia.cpp:62)
==48240==    by 0x6CD001E: operator<<<sk_sp<SkColorSpace> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: encode (GeneratedSerializers.cpp:23451)
==48240==    by 0x6CD001E: operator<<<const WebCore::DestinationColorSpace &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CD001E: IPC::ArgumentCoder<WebCore::ScreenData, void>::encode(IPC::Encoder&, WebCore::ScreenData const&) (GeneratedSerializers.cpp:24736)
==48240==    by 0x6D1B60C: operator<<<const WebCore::ScreenData &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: encode<IPC::Encoder, const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/ArgumentCoders.h:385)
==48240==    by 0x6D1B60C: operator<<<const WTF::KeyValuePair<unsigned int, WebCore::ScreenData> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6D1B60C: void IPC::ArgumentCoder<WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits>, void>::encode<IPC::Encoder, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&>(IPC::Encoder&, WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> const&) (Source/WebKit/Platform/IPC/ArgumentCoders.h:526)
==48240==    by 0x6CF9206: operator<<<const WTF::HashMap<unsigned int, WebCore::ScreenData, WTF::DefaultHash<unsigned int>, WTF::HashTraits<unsigned int>, WTF::HashTraits<WebCore::ScreenData>, WTF::HashTableTraits> &> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: encode (GeneratedSerializers.cpp:24857)
==48240==    by 0x6CF9206: operator<<<WebCore::ScreenProperties> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6CF9206: IPC::ArgumentCoder<WebKit::WebProcessCreationParameters, void>::encode(IPC::Encoder&, WebKit::WebProcessCreationParameters&&) (GeneratedSerializers.cpp:48557)
==48240==    by 0x6FACAE4: operator<<<WebKit::WebProcessCreationParameters> (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&>, 0UL> (Source/WebKit/Platform/IPC/ArgumentCoders.h:358)
==48240==    by 0x6FACAE4: encode<IPC::Encoder, std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/ArgumentCoders.h:351)
==48240==    by 0x6FACAE4: operator<<<std::tuple<WebKit::WebProcessCreationParameters &&> > (Source/WebKit/Platform/IPC/Encoder.h:80)
==48240==    by 0x6FACAE4: sendWithAsyncReply<Messages::WebProcess::InitializeWebProcess, (lambda at /home/mcatanzaro/Projects/WebKit/Source/WebKit/UIProcess/WebProcessProxy.cpp:466:89)> (Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:349)
==48240==    by 0x6FACAE4: WebKit::WebProcessProxy::initializeWebProcess(WebKit::WebProcessCreationParameters&&) (Source/WebKit/UIProcess/WebProcessProxy.cpp:466)
==48240==    by 0x6FAB4C9: WebKit::WebProcessPool::initializeNewWebProcess(WebKit::WebProcessProxy&, WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::IsPrewarmed) (Source/WebKit/UIProcess/WebProcessPool.cpp:1003)
==48240==    by 0x6FABC06: WebKit::WebProcessPool::createNewWebProcess(WebKit::WebsiteDataStore*, WebKit::WebProcessProxy::LockdownMode, WebKit::WebProcessProxy::IsPrewarmed, WebCore::CrossOriginMode) (Source/WebKit/UIProcess/WebProcessPool.cpp:761)
==48240==    by 0x6FAE0FA: WebKit::WebProcessPool::processForRegistrableDomain(WebKit::WebsiteDataStore&, WebCore::RegistrableDomain const&, WebKit::WebProcessProxy::LockdownMode, API::PageConfiguration const&) (Source/WebKit/UIProcess/WebProcessPool.cpp:1194)
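The three Valgrind stacks above describe one lifetime bug: `dataReference` (CoreIPCSkColorSpace.h:50) obtains a fresh `sk_sp<SkData>` from `SkColorSpace::serialize()`, returns a view into that buffer, and the temporary `sk_sp` is released on the way out (the "free'd" stack), so the encoder's `memmove` (the "Invalid read" stack) copies from a block that no longer exists. The example below is an added illustration and is not WebKit or Skia code: `Data`, `ColorSpace`, `View`, `CoreIPCColorSpace`, the `encode` function and the `g_liveBuffers` registry are constructed stand-ins for `SkData`, `SkColorSpace`, the encoder and Valgrind's allocation tracking, and the "fixed" wrapper that holds the serialized data as a member is one assumed remedy for this pattern, not necessarily the change the project made. The registry lets the dangling read be detected deterministically instead of actually touching freed memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Constructed stand-in for Valgrind/ASan: the set of buffers that are still alive.
// The encoder consults it instead of reading freed memory (which is undefined behaviour).
static std::set<const void*> g_liveBuffers;

// Stand-in for SkData: a ref-counted byte buffer that registers its own lifetime.
struct Data {
    std::vector<uint8_t> bytes;
    explicit Data(std::vector<uint8_t> b) : bytes(std::move(b)) { g_liveBuffers.insert(this); }
    ~Data() { g_liveBuffers.erase(this); }
};

// Stand-in for SkColorSpace. Like SkColorSpace::serialize() in the "alloc'd" stack,
// serialize() hands back a newly allocated buffer on every call.
struct ColorSpace {
    std::vector<uint8_t> profile;
    std::shared_ptr<Data> serialize() const { return std::make_shared<Data>(profile); }
};

// A borrowed view of the bytes plus the owner they were borrowed from.
struct View {
    const uint8_t* ptr;
    size_t size;
    const Data* owner;
};

// BUGGY (mirrors the trace): the shared_ptr returned by serialize() is a local that
// dies when this function returns, so the View points into a freed block.
View dataReferenceUnsafe(const ColorSpace& cs) {
    std::shared_ptr<Data> tmp = cs.serialize();
    return { tmp->bytes.data(), tmp->bytes.size(), tmp.get() };
}   // tmp released here: the buffer is freed before the caller copies it

// FIXED (assumed remedy): the IPC wrapper owns the serialized buffer for its whole
// lifetime, so any view it hands out stays valid while the encoder uses it.
class CoreIPCColorSpace {
public:
    explicit CoreIPCColorSpace(const ColorSpace& cs) : m_data(cs.serialize()) {}
    View dataReference() const { return { m_data->bytes.data(), m_data->bytes.size(), m_data.get() }; }
private:
    std::shared_ptr<Data> m_data;
};

// Stand-in for IPC::Encoder::operator<<, which memmoves the bytes into the message.
// Refuses (returns false) when the owner is already gone; real code would read freed memory here.
bool encode(std::vector<uint8_t>& message, const View& v) {
    if (g_liveBuffers.count(v.owner) == 0)
        return false;
    message.insert(message.end(), v.ptr, v.ptr + v.size);
    return true;
}

// Encode via the buggy path: the owner is freed before encode() runs.
bool encodeUnsafe(const ColorSpace& cs, std::vector<uint8_t>& message) {
    return encode(message, dataReferenceUnsafe(cs));
}

// Encode via the fixed path: the wrapper outlives the encode() call.
bool encodeSafe(const ColorSpace& cs, std::vector<uint8_t>& message) {
    CoreIPCColorSpace wrapper(cs);
    return encode(message, wrapper.dataReference());
}

int main() {
    ColorSpace cs{ std::vector<uint8_t>{0x01, 0x02, 0x03, 0x04} };  // constructed sample profile
    std::vector<uint8_t> message;
    bool unsafeOk = encodeUnsafe(cs, message);
    std::printf("unsafe path encoded: %s\n", unsafeOk ? "yes" : "no (owner already freed)");
    bool safeOk = encodeSafe(cs, message);
    std::printf("safe path encoded: %s, %zu bytes\n", safeOk ? "yes" : "no", message.size());
    return 0;
}
```

The general rule the trace illustrates: a function that returns a pointer, span or reference must not derive it from a ref-counted object it created locally; either return the owning handle itself or store it somewhere whose lifetime covers every use of the view.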
