Bug 309763

Summary: [WPE] AddressSanitizer: heap-buffer-overflow in WPEToplevelWayland.cpp
Product: WebKit
Reporter: Fujii Hironori <fujii>
Component: WPE WebKit
Assignee: Fujii Hironori <fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply
Priority: P2
Keywords: DoNotImportToRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Fujii Hironori
Reported 2026-03-12 00:29:35 PDT
[WPE] AddressSanitizer: heap-buffer-overflow in WPEToplevelWayland.cpp

I compiled WPE MiniBrowser with ASan, but it crashes immediately after starting.

==959007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5110000f4240 at pc 0x7f8d4bdb8fe6 bp 0x7ffe119d7a30 sp 0x7ffe119d7a28
READ of size 4 at 0x5110000f4240 thread T0
    #0 0x7f8d4bdb8fe5 in $_7::__invoke(void*, xdg_toplevel*, int, int, wl_array*) WPEToplevelWayland.cpp
    #1 0x7f8d3ede4b15 (/lib/x86_64-linux-gnu/libffi.so.8+0x7b15) (BuildId: c9149b6e99105aa4321ddd4a10ee4b90de7b7d49)
    #2 0x7f8d3ede13ee (/lib/x86_64-linux-gnu/libffi.so.8+0x43ee) (BuildId: c9149b6e99105aa4321ddd4a10ee4b90de7b7d49)
    #3 0x7f8d3ede40bd in ffi_call (/lib/x86_64-linux-gnu/libffi.so.8+0x70bd) (BuildId: c9149b6e99105aa4321ddd4a10ee4b90de7b7d49)
    #4 0x7f8d4107abfd (/lib/x86_64-linux-gnu/libwayland-client.so.0+0x6bfd) (BuildId: 4c3fb152910da1137601f54df6b41e9fced9a75a)
    #5 0x7f8d4107b472 (/lib/x86_64-linux-gnu/libwayland-client.so.0+0x7472) (BuildId: 4c3fb152910da1137601f54df6b41e9fced9a75a)
    #6 0x7f8d4107b71b in wl_display_dispatch_queue_pending (/lib/x86_64-linux-gnu/libwayland-client.so.0+0x771b) (BuildId: 4c3fb152910da1137601f54df6b41e9fced9a75a)
    #7 0x7f8d4bda8e3d in EventSource::$_3::__invoke(_GSource*, int (*)(void*), void*) WPEDisplayWayland.cpp
    #8 0x7f8d41160584 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d584) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #9 0x7f8d411bf976 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc976) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #10 0x7f8d4115fa22 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ca22) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #11 0x7f8d4408889c in g_application_run (/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xe789c) (BuildId: ebdb30973c66c71f7f9fc82981b95f418ea1dfb1)
    #12 0x5634dbcfae79 in main main.cpp
    #13 0x7f8d40aa61c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f8d40aa628a in __libc_start_main csu/../csu/libc-start.c:360:3
    #15 0x5634dbc2abc4 in _start (/sdk/webkit/WebKitBuild/WPE/Release/bin/MiniBrowser+0x15cbc4) (BuildId: deda87d6e604643f)

0x5110000f4240 is located 0 bytes after 256-byte region [0x5110000f4140,0x5110000f4240)
allocated by thread T0 here:
    #0 0x5634dbcc3e0d in calloc (/sdk/webkit/WebKitBuild/WPE/Release/bin/MiniBrowser+0x1f5e0d) (BuildId: deda87d6e604643f)
    #1 0x7f8d41079ddd (/lib/x86_64-linux-gnu/libwayland-client.so.0+0x5ddd) (BuildId: 4c3fb152910da1137601f54df6b41e9fced9a75a)
    #2 0x7f8d4107c2f5 in wl_display_read_events (/lib/x86_64-linux-gnu/libwayland-client.so.0+0x82f5) (BuildId: 4c3fb152910da1137601f54df6b41e9fced9a75a)
    #3 0x7f8d4bda8c96 in EventSource::$_2::__invoke(_GSource*) WPEDisplayWayland.cpp
    #4 0x7f8d41161206 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e206) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #5 0x7f8d411bf886 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc886) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #6 0x7f8d4115fa22 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ca22) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #7 0x7f8d4408889c in g_application_run (/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xe789c) (BuildId: ebdb30973c66c71f7f9fc82981b95f418ea1dfb1)
    #8 0x5634dbcfae79 in main main.cpp
    #9 0x7f8d40aa61c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f8d40aa628a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x5634dbc2abc4 in _start (/sdk/webkit/WebKitBuild/WPE/Release/bin/MiniBrowser+0x15cbc4) (BuildId: deda87d6e604643f)

SUMMARY: AddressSanitizer: heap-buffer-overflow WPEToplevelWayland.cpp in $_7::__invoke(void*, xdg_toplevel*, int, int, wl_array*)
Shadow bytes around the buggy address:
  0x5110000f3f80: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x5110000f4000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x5110000f4080: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x5110000f4100: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x5110000f4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x5110000f4200: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x5110000f4280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5110000f4300: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
  0x5110000f4380: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x5110000f4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5110000f4480: 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==959007==ABORTING
Fujii Hironori
Comment 1 2026-03-12 02:45:16 PDT
EWS
Comment 2 2026-03-12 04:56:59 PDT
Committed 309135@main (d22d04217d84): <https://commits.webkit.org/309135@main> Reviewed commits have been landed. Closing PR #60441 and removing active labels.