RESOLVED FIXED Bug 159414
CVE-2016-4762 Uninitialized variable in DIBPixelData can cause a dangerous memory write
https://bugs.webkit.org/show_bug.cgi?id=159414
Summary Uninitialized variable in DIBPixelData can cause a dangerous memory write
Zheng Huang
Reported 2016-07-05 01:36:35 PDT
Created attachment 282757: poc and analysis and debug code

    void DIBPixelData::setRGBABitmapAlpha(HDC hdc, const IntRect& dstRect, unsigned char level)
    {
        HBITMAP bitmap = static_cast<HBITMAP>(GetCurrentObject(hdc, OBJ_BITMAP)); // hdc == NULL, so bitmap == NULL
        DIBPixelData pixelData(bitmap); // when bitmap == NULL, initialization of pixelData fails
        ASSERT(pixelData.bitsPerPixel() == 32);

        IntRect drawRect(dstRect);
        XFORM trans;
        GetWorldTransform(hdc, &trans);
        IntSize transformedPosition(trans.eDx, trans.eDy);
        drawRect.move(transformedPosition);

        int pixelDataWidth = pixelData.size().width();   // read from the pixelData object whose initialization failed
        int pixelDataHeight = pixelData.size().height(); // read from the pixelData object whose initialization failed
        IntRect bitmapRect(0, 0, pixelDataWidth, pixelDataHeight);
        drawRect.intersect(bitmapRect);
        if (drawRect.isEmpty())
            return;

        RGBQUAD* bytes = reinterpret_cast<RGBQUAD*>(pixelData.buffer());
        bytes += drawRect.y() * pixelDataWidth; // bytes tainted by pixelDataWidth

        size_t width = drawRect.width();
        size_t height = drawRect.height();
        int x = drawRect.x();

        for (size_t i = 0; i < height; i++) {
            RGBQUAD* p = bytes + x; // p tainted by bytes
            for (size_t j = 0; j < width; j++) {
                p->rgbReserved = level; // -------------------- crash here, write to uninitialized memory
                p++;
            }
            bytes += pixelDataWidth;
        }
    }
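The report above traces the write to a DIBPixelData object whose members were never assigned because GetObject was handed a null HBITMAP, after which size() and buffer() return stack garbage and the only guard (ASSERT) is compiled out of release builds. The block below is an added example, not WebKit code or the reporter's attachment: a portable, self-contained model of the same pattern with hypothetical stand-in types (Bitmap, PixelData, IntRect, makeBitmap) in place of the GDI/WebKit ones. It shows the two properties a fix needs: every member gets a definite value at construction, and the caller checks for the empty object before any pointer arithmetic. The world-transform step of the original is omitted because it plays no part in the null-bitmap path.

```cpp
// Added example: a portable model of the DIBPixelData pattern and its hardened
// form. Bitmap, PixelData, IntRect and makeBitmap are hypothetical stand-ins
// for the GDI/WebKit types, not WebKit's code.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

struct RGBQUAD { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; };

// Stand-in for the GDI bitmap the real code obtains via GetCurrentObject().
struct Bitmap {
    int width = 0;
    int height = 0;
    int bitsPerPixel = 32;
    std::vector<RGBQUAD> pixels;  // width * height entries for a 32 bpp DIB
};

struct IntRect { int x = 0, y = 0, width = 0, height = 0; };

// Hardened model of DIBPixelData: every member has a definite initial value,
// so a null bitmap yields a recognisably empty object instead of whatever
// happened to be on the stack (the condition the bug report describes).
class PixelData {
public:
    explicit PixelData(Bitmap* bitmap) {
        if (!bitmap)
            return;  // leaves the "empty" state below intact
        m_buffer = bitmap->pixels.data();
        m_width = bitmap->width;
        m_height = bitmap->height;
        m_bitsPerPixel = bitmap->bitsPerPixel;
    }
    RGBQUAD* buffer() const { return m_buffer; }
    int width() const { return m_width; }
    int height() const { return m_height; }
    int bitsPerPixel() const { return m_bitsPerPixel; }
    // The check a caller must make before touching buffer(); in the original,
    // only a debug-build ASSERT stood between a null bitmap and the write loop.
    bool isValid() const { return m_buffer && m_width > 0 && m_height > 0; }

private:
    RGBQUAD* m_buffer = nullptr;
    int m_width = 0;
    int m_height = 0;
    int m_bitsPerPixel = 0;
};

// Hardened counterpart of setRGBABitmapAlpha(). Returns the number of pixels
// whose alpha byte was written: 0 for a null bitmap, a non-32 bpp bitmap, or
// a rectangle that clips to nothing.
size_t setRGBABitmapAlpha(Bitmap* bitmap, const IntRect& dstRect, uint8_t level) {
    PixelData pixelData(bitmap);
    if (!pixelData.isValid() || pixelData.bitsPerPixel() != 32)
        return 0;

    // Clip dstRect to the bitmap bounds; every index below is then in range.
    int x0 = std::max(dstRect.x, 0);
    int y0 = std::max(dstRect.y, 0);
    int x1 = std::min(dstRect.x + dstRect.width, pixelData.width());
    int y1 = std::min(dstRect.y + dstRect.height, pixelData.height());
    if (x1 <= x0 || y1 <= y0)
        return 0;

    size_t written = 0;
    for (int y = y0; y < y1; ++y) {
        RGBQUAD* p = pixelData.buffer() + static_cast<size_t>(y) * pixelData.width() + x0;
        for (int x = x0; x < x1; ++x, ++p, ++written)
            p->rgbReserved = level;
    }
    return written;
}

// Constructed test bitmap (all channels zero); the inputs are made up here.
Bitmap makeBitmap(int width, int height, int bitsPerPixel = 32) {
    Bitmap b;
    b.width = width;
    b.height = height;
    b.bitsPerPixel = bitsPerPixel;
    b.pixels.assign(static_cast<size_t>(width) * height, RGBQUAD{0, 0, 0, 0});
    return b;
}
```

Calling setRGBABitmapAlpha(nullptr, IntRect{}, 0) on this model returns 0 without touching memory, which is the behaviour the reviewer asks the new TestWebKitAPI test to establish; in the original, the same call reads width and height out of an unconstructed object and scales the buffer pointer by them.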
Attachments
poc and analysis and debug code (278.18 KB, application/octet-stream)
2016-07-05 01:36 PDT, Zheng Huang
no flags
Patch (5.94 KB, patch)
2016-07-14 10:01 PDT, Per Arne Vollan
bfulgham: review+
Radar WebKit Bug Importer
Comment 1 2016-07-13 09:15:54 PDT
Per Arne Vollan
Comment 2 2016-07-14 10:01:59 PDT
Brent Fulgham
Comment 3 2016-07-14 10:07:26 PDT
Comment on attachment 283653
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=283653&action=review

r+, but please revise the title a little to read more clearly. Also, can you make some clarifying statements about what constitutes a passing or failing test? Do we crash or something in the original "unfixed" case?

> Source/WebCore/ChangeLog:3
> +        DIBPixelData use uninitialized variable cause dangerous memory write

Can we rephrase this:

Uninitialized variable in DIBPixelData can cause a dangerous memory write

> Tools/TestWebKitAPI/Tests/WebCore/win/DIBPixelData.cpp:38
> +    DIBPixelData::setRGBABitmapAlpha(nullptr, IntRect(), 0);

How do we know if this test passes? Do we get a crash before your fix? Or if we run with DebugMalloc do we get an error in the original code case?
Per Arne Vollan
Comment 4 2016-07-14 13:44:27 PDT
(In reply to comment #3)
> Comment on attachment 283653
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=283653&action=review
>
> r+, but please revise the title a little to read more clearly. Also, can you
> make some clarifying statements about what constitutes a passing or failing
> test? Do we crash or something in the original "unfixed" case?
>
> > Source/WebCore/ChangeLog:3
> > +        DIBPixelData use uninitialized variable cause dangerous memory write
>
> Can we rephrase this:
>
> Uninitialized variable in DIBPixelData can cause a dangerous memory write
>
> > Tools/TestWebKitAPI/Tests/WebCore/win/DIBPixelData.cpp:38
> > +    DIBPixelData::setRGBABitmapAlpha(nullptr, IntRect(), 0);
>
> How do we know if this test passes? Do we get a crash before your fix? Or if
> we run with DebugMalloc do we get an error in the original code case?

Yes, the test would crash before the fix. Thanks for reviewing! I will update the patch accordingly before landing :)
Per Arne Vollan
Comment 5 2016-07-15 05:45:51 PDT
Zheng Huang
Comment 6 2016-07-18 19:33:49 PDT
Hi, I want to ask about this bug: can I get a CVE for this bug and an acknowledgment by Apple?
Brent Fulgham
Comment 7 2016-07-18 22:48:25 PDT
(In reply to comment #6)
> Hi, I want to ask about this bug, is that I can get a CVE for this bug and
> get an acknowledgment by apple?

I'll talk to Product Security and have someone contact you directly. Thank you for filing the bug!
Zheng Huang
Comment 8 2016-08-08 01:25:20 PDT
Hi, Brent Fulgham, nobody has contacted me for 20 days about this bug; is that normal?