[Webkit-unassigned] [Bug 276711] New: [GStreamer][WebRTC] heap-buffer-overflow in EndPoint
bugzilla-daemon at webkit.org
Wed Jul 17 04:48:49 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=276711
Bug ID: 276711
Summary: [GStreamer][WebRTC] heap-buffer-overflow in EndPoint
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: philn at igalia.com
==1154655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5250008ec845 at pc 0x00000027aeff bp 0x7fff11793cb0 sp 0x7fff11793478
READ of size 7986 at 0x5250008ec845 thread T0
#0 0x27aefe in strlen (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x27aefe) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1)
#1 0x7f9c4f3e0f87 in gst_sdp_message_new_from_text /_build/../gstreamer/subprojects/gst-plugins-base/gst-libs/gst/sdp/gstsdpmessage.c:259:60
#2 0x7f9c73ebc10e in WebCore::GStreamerMediaEndpoint::setDescription(WebCore::RTCSessionDescription const*, WebCore::GStreamerMediaEndpoint::DescriptionType, WTF::Function<void (GstSDPMessage const&)>&&, WTF::Function<void (GstSDPMessage const&)>&&, WTF::Function<void (_GError const*)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:589:13
#3 0x7f9c73ebb43a in WebCore::GStreamerMediaEndpoint::doSetLocalDescription(WebCore::RTCSessionDescription const*) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:441:5
#4 0x7f9c73ed41bc in WebCore::GStreamerPeerConnectionBackend::doSetLocalDescription(WebCore::RTCSessionDescription const*) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerPeerConnectionBackend.cpp:196:17
#5 0x7f9c73d9707c in WebCore::PeerConnectionBackend::setLocalDescription(WebCore::RTCSessionDescription const*, WTF::Function<void (WebCore::ExceptionOr<void>&&)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/PeerConnectionBackend.cpp:192:5
#6 0x7f9c73e23817 in WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::$_0::operator()(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:299:20
#7 0x7f9c73e23490 in WTF::Detail::CallableWrapper<WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::$_0, void, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&>::call(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:53:39
#8 0x7f9c6f94ec23 in WTF::Function<void (WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>::operator()(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:82:35
#9 0x7f9c73dfb2c5 in WebCore::RTCPeerConnection::chainOperation(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&, WTF::Function<void (WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:970:5
#10 0x7f9c73dfbc6b in WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:286:5
#11 0x7f9c722c4e35 in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()::operator()() const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1019:187
#12 0x7f9c722c4b40 in JSC::JSValue WebCore::toJS<WebCore::IDLPromise<WebCore::IDLUndefined>, WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()&&) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMConvertBase.h:205:13
#13 0x7f9c722c42ac in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1019:55
#14 0x7f9c722c6006 in long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) const /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:54:20
#15 0x7f9c722c46c5 in JSC::JSValue WebCore::callPromiseFunction<long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:382:5
#16 0x7f9c722c3ed0 in long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:41:37
#17 0x7f9c722c0c83 in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescription(JSC::JSGlobalObject*, JSC::CallFrame*) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1024:12
#18 0x7f9bf240c037 (<unknown module>)
0x5250008ec845 is located 0 bytes after 8005-byte region [0x5250008ea900,0x5250008ec845)
allocated by thread T0 here:
#0 0x2fe4c3 in malloc (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x2fe4c3) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1)
#1 0x7f9c5b89360b in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /var/home/phil/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:118:20
#2 0x7f9c5b894117 in pas_debug_heap_malloc /var/home/phil/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:223:38
#3 0x7f9c5babe2dc in pas_debug_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/pas_debug_heap.h:106:22
#4 0x7f9c5bab3ef2 in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_allocation_mode, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long, pas_allocation_mode), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long, pas_allocation_mode), pas_intrinsic_heap_designation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:105:16
#5 0x7f9c5b9f91d2 in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long, pas_allocation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69
#6 0x7f9c5b9f42af in bmalloc_allocate_casual /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64:19
#7 0x7f9c5af083cd in bmalloc_allocate_inline(unsigned long, pas_allocation_mode) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:120:12
#8 0x7f9c5af04293 in bmalloc::api::malloc(unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/bmalloc/Headers/bmalloc/bmalloc.h:75:16
#9 0x7f9c5af04293 in WTF::fastCompactMalloc(unsigned long) /var/home/phil/WebKit/Source/WTF/wtf/FastMalloc.cpp:709:20
#10 0x7f9c57131b94 in WTF::FastCompactMalloc::malloc(unsigned long) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/FastMalloc.h:278:47
#11 0x7f9c5b7ec7a9 in WTF::Ref<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>> WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(unsigned long, unsigned char*&) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:190:51
#12 0x7f9c5b7ee4e4 in WTF::Ref<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>> WTF::StringImpl::createInternal<unsigned char>(std::span<unsigned char const, 18446744073709551615ul>) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:262:19
#13 0x7f9c5b7ee391 in WTF::StringImpl::create(std::span<unsigned char const, 18446744073709551615ul>) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:274:12
#14 0x7f9c5b83d92c in WTF::StringImpl::createFromCString(char const*) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.h:256:86
#15 0x7f9c5b83d844 in WTF::String::String(char const*) /var/home/phil/WebKit/Source/WTF/wtf/text/WTFString.cpp:61:46
#16 0x7f9c6d79180f in WTF::String::fromLatin1(char const*) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/text/WTFString.h:65:70
#17 0x7f9c73f2913b in WebCore::GStreamerMediaEndpoint::createSessionDescriptionSucceeded(std::unique_ptr<_GstWebRTCSessionDescription, WTF::GPtrDeleter<_GstWebRTCSessionDescription>>&&)::$_0::operator()() const /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:1540:26
#18 0x7f9c73f28f68 in WTF::Detail::CallableWrapper<WebCore::GStreamerMediaEndpoint::createSessionDescriptionSucceeded(std::unique_ptr<_GstWebRTCSessionDescription, WTF::GPtrDeleter<_GstWebRTCSessionDescription>>&&)::$_0, void>::call() /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:53:39
#19 0x7f9c57e5e513 in WTF::Function<void ()>::operator()() const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:82:35
#20 0x7f9c5b150c39 in WTF::RunLoop::performWork() /var/home/phil/WebKit/Source/WTF/wtf/RunLoop.cpp:147:9
#21 0x7f9c5b86acb8 in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42
#22 0x7f9c5b86ac3e in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43
#23 0x7f9c5b86ab2d in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
#24 0x7f9c5b867abe in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
#25 0x7f9c50443e8b (/lib64/libglib-2.0.so.0+0x5ce8b) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
#26 0x7f9c504a5c97 (/lib64/libglib-2.0.so.0+0xbec97) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
#27 0x7f9c50449f36 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x62f36) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
#28 0x7f9c5b868c58 in WTF::RunLoop::run() /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
#29 0x7f9c6f8d15a1 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /var/home/phil/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72:9
#30 0x7f9c6f8c3e74 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /var/home/phil/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98:27
SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x27aefe) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1) in strlen
Shadow bytes around the buggy address:
0x5250008ec580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x5250008ec600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x5250008ec680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x5250008ec700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x5250008ec780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x5250008ec800: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
0x5250008ec880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x5250008ec900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x5250008ec980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x5250008eca00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x5250008eca80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1154655==ABORTING