Bug 276711 - [GStreamer][WebRTC] heap-buffer-overflow in EndPoint
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=276711

Philippe Normand
Reported 2024-07-17 04:48:49 PDT
==1154655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5250008ec845 at pc 0x00000027aeff bp 0x7fff11793cb0 sp 0x7fff11793478
READ of size 7986 at 0x5250008ec845 thread T0
    #0 0x27aefe in strlen (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x27aefe) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1)
    #1 0x7f9c4f3e0f87 in gst_sdp_message_new_from_text /_build/../gstreamer/subprojects/gst-plugins-base/gst-libs/gst/sdp/gstsdpmessage.c:259:60
    #2 0x7f9c73ebc10e in WebCore::GStreamerMediaEndpoint::setDescription(WebCore::RTCSessionDescription const*, WebCore::GStreamerMediaEndpoint::DescriptionType, WTF::Function<void (GstSDPMessage const&)>&&, WTF::Function<void (GstSDPMessage const&)>&&, WTF::Function<void (_GError const*)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:589:13
    #3 0x7f9c73ebb43a in WebCore::GStreamerMediaEndpoint::doSetLocalDescription(WebCore::RTCSessionDescription const*) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:441:5
    #4 0x7f9c73ed41bc in WebCore::GStreamerPeerConnectionBackend::doSetLocalDescription(WebCore::RTCSessionDescription const*) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerPeerConnectionBackend.cpp:196:17
    #5 0x7f9c73d9707c in WebCore::PeerConnectionBackend::setLocalDescription(WebCore::RTCSessionDescription const*, WTF::Function<void (WebCore::ExceptionOr<void>&&)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/PeerConnectionBackend.cpp:192:5
    #6 0x7f9c73e23817 in WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::$_0::operator()(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:299:20
    #7 0x7f9c73e23490 in WTF::Detail::CallableWrapper<WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::$_0, void, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&>::call(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:53:39
    #8 0x7f9c6f94ec23 in WTF::Function<void (WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>::operator()(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:82:35
    #9 0x7f9c73dfb2c5 in WebCore::RTCPeerConnection::chainOperation(WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&, WTF::Function<void (WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:970:5
    #10 0x7f9c73dfbc6b in WebCore::RTCPeerConnection::setLocalDescription(std::optional<WebCore::RTCLocalSessionDescriptionInit>&&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp:286:5
    #11 0x7f9c722c4e35 in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()::operator()() const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1019:187
    #12 0x7f9c722c4b40 in JSC::JSValue WebCore::toJS<WebCore::IDLPromise<WebCore::IDLUndefined>, WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::'lambda'()&&) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMConvertBase.h:205:13
    #13 0x7f9c722c42ac in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1019:55
    #14 0x7f9c722c6006 in long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&) const /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:54:20
    #15 0x7f9c722c46c5 in JSC::JSValue WebCore::callPromiseFunction<long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&)) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h:382:5
    #16 0x7f9c722c3ed0 in long WebCore::IDLOperationReturningPromise<WebCore::JSRTCPeerConnection>::call<&WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescriptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRTCPeerConnection*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise>, WTF::DefaultRefDerefTraits<WebCore::DeferredPromise>>&&), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /var/home/phil/WebKit/Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:41:37
    #17 0x7f9c722c0c83 in WebCore::jsRTCPeerConnectionPrototypeFunction_setLocalDescription(JSC::JSGlobalObject*, JSC::CallFrame*) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WebCore/DerivedSources/JSRTCPeerConnection.cpp:1024:12
    #18 0x7f9bf240c037 (<unknown module>)

0x5250008ec845 is located 0 bytes after 8005-byte region [0x5250008ea900,0x5250008ec845)
allocated by thread T0 here:
    #0 0x2fe4c3 in malloc (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x2fe4c3) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1)
    #1 0x7f9c5b89360b in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /var/home/phil/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:118:20
    #2 0x7f9c5b894117 in pas_debug_heap_malloc /var/home/phil/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:223:38
    #3 0x7f9c5babe2dc in pas_debug_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/pas_debug_heap.h:106:22
    #4 0x7f9c5bab3ef2 in pas_try_allocate_intrinsic_impl_casual_case(__pas_heap*, unsigned long, unsigned long, pas_allocation_mode, pas_intrinsic_heap_support*, pas_heap_config, pas_allocation_result (*)(pas_local_allocator*, unsigned long, unsigned long, pas_allocation_mode), pas_allocation_result (*)(__pas_heap_ref*, unsigned long, unsigned long, pas_allocation_mode), pas_intrinsic_heap_designation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/pas_try_allocate_intrinsic.h:105:16
    #5 0x7f9c5b9f91d2 in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long, pas_allocation_mode) /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/bmalloc_heap_inlines.h:69
    #6 0x7f9c5b9f42af in bmalloc_allocate_casual /var/home/phil/WebKit/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64:19
    #7 0x7f9c5af083cd in bmalloc_allocate_inline(unsigned long, pas_allocation_mode) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:120:12
    #8 0x7f9c5af04293 in bmalloc::api::malloc(unsigned long, bmalloc::CompactAllocationMode, bmalloc::HeapKind) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/bmalloc/Headers/bmalloc/bmalloc.h:75:16
    #9 0x7f9c5af04293 in WTF::fastCompactMalloc(unsigned long) /var/home/phil/WebKit/Source/WTF/wtf/FastMalloc.cpp:709:20
    #10 0x7f9c57131b94 in WTF::FastCompactMalloc::malloc(unsigned long) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/FastMalloc.h:278:47
    #11 0x7f9c5b7ec7a9 in WTF::Ref<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>> WTF::StringImpl::createUninitializedInternalNonEmpty<unsigned char>(unsigned long, unsigned char*&) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:190:51
    #12 0x7f9c5b7ee4e4 in WTF::Ref<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>> WTF::StringImpl::createInternal<unsigned char>(std::span<unsigned char const, 18446744073709551615ul>) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:262:19
    #13 0x7f9c5b7ee391 in WTF::StringImpl::create(std::span<unsigned char const, 18446744073709551615ul>) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.cpp:274:12
    #14 0x7f9c5b83d92c in WTF::StringImpl::createFromCString(char const*) /var/home/phil/WebKit/Source/WTF/wtf/text/StringImpl.h:256:86
    #15 0x7f9c5b83d844 in WTF::String::String(char const*) /var/home/phil/WebKit/Source/WTF/wtf/text/WTFString.cpp:61:46
    #16 0x7f9c6d79180f in WTF::String::fromLatin1(char const*) /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/text/WTFString.h:65:70
    #17 0x7f9c73f2913b in WebCore::GStreamerMediaEndpoint::createSessionDescriptionSucceeded(std::unique_ptr<_GstWebRTCSessionDescription, WTF::GPtrDeleter<_GstWebRTCSessionDescription>>&&)::$_0::operator()() const /var/home/phil/WebKit/Source/WebCore/Modules/mediastream/gstreamer/GStreamerMediaEndpoint.cpp:1540:26
    #18 0x7f9c73f28f68 in WTF::Detail::CallableWrapper<WebCore::GStreamerMediaEndpoint::createSessionDescriptionSucceeded(std::unique_ptr<_GstWebRTCSessionDescription, WTF::GPtrDeleter<_GstWebRTCSessionDescription>>&&)::$_0, void>::call() /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:53:39
    #19 0x7f9c57e5e513 in WTF::Function<void ()>::operator()() const /var/home/phil/WebKit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:82:35
    #20 0x7f9c5b150c39 in WTF::RunLoop::performWork() /var/home/phil/WebKit/Source/WTF/wtf/RunLoop.cpp:147:9
    #21 0x7f9c5b86acb8 in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42
    #22 0x7f9c5b86ac3e in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43
    #23 0x7f9c5b86ab2d in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28
    #24 0x7f9c5b867abe in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5
    #25 0x7f9c50443e8b (/lib64/libglib-2.0.so.0+0x5ce8b) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #26 0x7f9c504a5c97 (/lib64/libglib-2.0.so.0+0xbec97) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #27 0x7f9c50449f36 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x62f36) (BuildId: 36b60dbd02e796145a982d0151ce37202ec05649)
    #28 0x7f9c5b868c58 in WTF::RunLoop::run() /var/home/phil/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9
    #29 0x7f9c6f8d15a1 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /var/home/phil/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72:9
    #30 0x7f9c6f8c3e74 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /var/home/phil/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98:27

SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/home/phil/WebKit/WebKitBuild/GTK/Debug/bin/WebKitWebProcess+0x27aefe) (BuildId: 6365101d83a3420863f769715d3fbbca4b59a4b1) in strlen
Shadow bytes around the buggy address:
  0x5250008ec580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250008ec600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250008ec680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250008ec700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250008ec780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x5250008ec800: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
  0x5250008ec880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5250008ec900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5250008ec980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5250008eca00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5250008eca80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1154655==ABORTING
Philippe Normand
Comment 1
2024-07-17 04:54:55 PDT
Pull request: https://github.com/WebKit/WebKit/pull/30902
EWS
Comment 2
2024-07-18 04:56:39 PDT
Committed 281084@main (431ee8915736): <https://commits.webkit.org/281084@main>
Reviewed commits have been landed. Closing PR #30902 and removing active labels.
Radar WebKit Bug Importer
Comment 3
2024-07-18 04:57:14 PDT
<rdar://problem/131998705>