WebKit Bugzilla
RESOLVED FIXED
301884
[WPE][GTK] Out of bounds reads caused by using span8 as nul-terminated string
https://bugs.webkit.org/show_bug.cgi?id=301884
Michael Catanzaro
Reported
2025-11-03 13:19:35 PST
I'm using the non-security product for this bug report simply because this bug does not affect Apple, and I don't see how to toggle visibility of bug reports anymore. WebKitGTK has an out of bounds read that occurs every time any web process is started. This indicates nobody has run the web process with address sanitizer or valgrind since the code was introduced. I'm testing 302305@main:

==2==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c16c260aba6 at pc 0x7fe6d4c4b2cf bp 0x7fffdfa57150 sp 0x7fffdfa56920
READ of size 3 at 0x7c16c260aba6 thread T0
    #0 0x7fe6d4c4b2ce in strlen.part.0 (/usr/lib64/libasan.so.8+0x4b2ce) (BuildId: 9022d3b7699b25ef06c64e2c5f93160772bfde42)
    #1 0x7fe6cee4bdcc in lang_find_or_insert(char const*) (/lib64/libharfbuzz.so.0+0x30dcc) (BuildId: 039e0049079ffdfd7a8ecfe1ecbcf88ca6a30848)
    #2 0x7fe6cee4bf54 in hb_language_from_string (/lib64/libharfbuzz.so.0+0x30f54) (BuildId: 039e0049079ffdfd7a8ecfe1ecbcf88ca6a30848)
    #3 0x7fe6d194882f in WebCore::ComplexTextController::collectComplexTextRunsForCharacters(std::span<char16_t const, 18446744073709551615ul>, unsigned int, WebCore::Font const*) Source/WebCore/platform/graphics/skia/ComplexTextControllerSkia.cpp:220
    #4 0x7fe6d17b4207 in WebCore::ComplexTextController::collectComplexTextRuns() Source/WebCore/platform/graphics/ComplexTextController.cpp
    #5 0x7fe6d17b34c0 in WebCore::ComplexTextController::ComplexTextController(WebCore::FontCascade const&, WebCore::TextRun const&, bool, WTF::WeakHashSet<WebCore::Font const, WTF::SingleThreadWeakPtrImpl, (WTF::EnableWeakPtrThreadingAssertions)1>*, bool) Source/WebCore/platform/graphics/ComplexTextController.cpp:131
    #6 0x7fe6d18166b7 in WebCore::FontCascade::width(WebCore::FontCascade::CodePath, WebCore::TextRun const&, WTF::WeakHashSet<WebCore::Font const, WTF::SingleThreadWeakPtrImpl, (WTF::EnableWeakPtrThreadingAssertions)1>*, WebCore::GlyphOverflow*) const Source/WebCore/platform/graphics/FontCascade.cpp:315
    #7 0x7fe6d1816ee0 in WebCore::FontCascade::widthForSimpleTextSlow(WTF::StringView, WebCore::TextDirection, float*) const Source/WebCore/platform/graphics/FontCascade.cpp:342
    #8 0x7fe6d13dbd3b in WebCore::FontCascade::widthForTextUsingSimplifiedMeasuring(WTF::StringView, WebCore::TextDirection) const WebCore/PrivateHeaders/WebCore/FontCascade.h:481
    #9 0x7fe6d13dbd3b in WebCore::Layout::TextUtil::width(WebCore::Layout::InlineTextBox const&, WebCore::FontCascade const&, unsigned int, unsigned int, float, WebCore::Layout::TextUtil::UseTrailingWhitespaceMeasuringOptimization, WebCore::TextSpacing::SpacingState) Source/WebCore/layout/formattingContexts/inline/text/TextUtil.cpp:83
    #10 0x7fe6d13b0691 in WebCore::Layout::InlineItemsBuilder::computeContentAttributesAndInlineTextItemWidths(WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::Layout::InlineItemPosition, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp:797
    #11 0x7fe6d13ade8a in WebCore::Layout::InlineItemsBuilder::build(WebCore::Layout::InlineItemPosition) Source/WebCore/layout/formattingContexts/inline/InlineItemsBuilder.cpp:102
    #12 0x7fe6d13abe3e in WebCore::Layout::InlineFormattingContext::rebuildInlineItemListIfNeeded(WebCore::Layout::InlineDamage*) Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:583
    #13 0x7fe6d13ace11 in WebCore::Layout::InlineFormattingContext::minimumMaximumContentSize(WebCore::Layout::InlineDamage*) Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:193
    #14 0x7fe6d13fdbb6 in WebCore::LayoutIntegration::LineLayout::computeIntrinsicWidthConstraints() Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:422
    #15 0x7fe6d1ae8672 in WebCore::RenderBlockFlow::tryComputePreferredWidthsUsingInlinePath(WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:5014
    #16 0x7fe6d1ad3f31 in WebCore::RenderBlockFlow::computeInlinePreferredLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlockFlow.cpp:4606
    #17 0x7fe6d1ad3d80 in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlockFlow.cpp:318
    #18 0x7fe6d1acd9b1 in WebCore::RenderBlock::computePreferredLogicalWidths() Source/WebCore/rendering/RenderBlock.cpp:2253
    #19 0x7fe6d1afa8ba in WebCore::RenderBox::minPreferredLogicalWidth() const Source/WebCore/rendering/RenderBox.cpp:1326
    #20 0x7fe6d1acde4e in WebCore::RenderBlock::computeChildIntrinsicLogicalWidths(WebCore::RenderBox&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlock.cpp:2363
    #21 0x7fe6d1acdabb in WebCore::RenderBlock::computeChildPreferredLogicalWidths(WebCore::RenderBox&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlock.cpp:2399
    #22 0x7fe6d1acd4e3 in WebCore::RenderBlock::computeBlockPreferredLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlock.cpp:2316
    #23 0x7fe6d1ad3d48 in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBlockFlow.cpp:320
    #24 0x7fe6d1acd9b1 in WebCore::RenderBlock::computePreferredLogicalWidths() Source/WebCore/rendering/RenderBlock.cpp:2253
    #25 0x7fe6d1afa8ea in WebCore::RenderBox::maxPreferredLogicalWidth() const Source/WebCore/rendering/RenderBox.cpp:1335
    #26 0x7fe6d1a85415 in WebCore::GridTrackSizingAlgorithmStrategy::maxContentContributionForGridItem(WebCore::RenderBox&, WebCore::GridLayoutState&) const Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:1148
    #27 0x7fe6d1a88c5b in WebCore::IndefiniteSizeStrategy::accumulateFlexFraction(double&, WebCore::GridIterator&, WebCore::Style::GridTrackSizingDirection, WTF::WeakHashSet<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl, (WTF::EnableWeakPtrThreadingAssertions)1>&, WebCore::GridLayoutState&) const Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:1450
    #28 0x7fe6d1a89129 in WebCore::IndefiniteSizeStrategy::findUsedFlexFraction(WTF::Vector<unsigned int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::Style::GridTrackSizingDirection, std::optional<WebCore::LayoutUnit>, WebCore::GridLayoutState&) const Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:1478
    #29 0x7fe6d1a8bf56 in WebCore::GridTrackSizingAlgorithm::stretchFlexibleTracks(std::optional<WebCore::LayoutUnit>, WebCore::GridLayoutState&) Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:1927
    #30 0x7fe6d1a8d10a in WebCore::GridTrackSizingAlgorithm::run(WebCore::Style::GridTrackSizingDirection, unsigned int, WebCore::SizingOperation, std::optional<WebCore::LayoutUnit>, WebCore::GridLayoutState&) Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp:2164
    #31 0x7fe6d1b5d372 in WebCore::RenderGrid::computeTrackSizesForIndefiniteSize(WebCore::GridTrackSizingAlgorithm&, WebCore::Style::GridTrackSizingDirection, WebCore::GridLayoutState&, WebCore::LayoutUnit*, WebCore::LayoutUnit*) const Source/WebCore/rendering/RenderGrid.cpp:843
    #32 0x7fe6d1b5e74c in WebCore::RenderGrid::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderGrid.cpp:811
    #33 0x7fe6d1b04f6b in void WebCore::RenderBox::computeIntrinsicKeywordLogicalWidths<WebCore::Constant<(WebCore::CSSValueID)496> >(WebCore::Constant<(WebCore::CSSValueID)496>, WebCore::LayoutUnit, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const Source/WebCore/rendering/RenderBox.cpp:2867
    #34 0x7fe6d1b04f6b in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Constant<(WebCore::CSSValueID)496>, WebCore::LayoutUnit, WebCore::LayoutUnit) const Source/WebCore/rendering/RenderBox.cpp:2889
    #35 0x7fe6d1b04f6b in WebCore::LayoutUnit WebCore::RenderBox::computeIntrinsicLogicalWidthUsingGeneric<WebCore::Style::MinimumSize>(WebCore::Style::MinimumSize const&, WebCore::LayoutUnit, WebCore::LayoutUnit) const Source/WebCore/rendering/RenderBox.cpp
    #36 0x7fe6d1b46403 in std::optional<WebCore::LayoutUnit> WebCore::RenderFlexibleBox::computeMainAxisExtentForFlexItem<WebCore::Style::MinimumSize>(WebCore::RenderBox&, WebCore::Style::MinimumSize const&) Source/WebCore/rendering/RenderFlexibleBox.cpp:802
    #37 0x7fe6d1b45b22 in WebCore::RenderFlexibleBox::computeFlexItemMinMaxSizes(WebCore::RenderBox&) Source/WebCore/rendering/RenderFlexibleBox.cpp:1744
    #38 0x7fe6d1b42cf4 in WebCore::RenderFlexibleBox::constructFlexLayoutItem(WebCore::RenderBox&, WebCore::RelayoutChildren) Source/WebCore/rendering/RenderFlexibleBox.cpp:1890
    #39 0x7fe6d1b3d940 in WebCore::RenderFlexibleBox::performFlexLayout(WebCore::RelayoutChildren) Source/WebCore/rendering/RenderFlexibleBox.cpp:1401
    #40 0x7fe6d1b3d234 in WebCore::RenderFlexibleBox::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) Source/WebCore/rendering/RenderFlexibleBox.cpp:467
    #41 0x7fe6d1ac2b9c in WebCore::RenderBlock::layout() Source/WebCore/rendering/RenderBlock.cpp:510
    #42 0x7fe6d1ada0e9 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:1088
    #43 0x7fe6d1ad9904 in WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:903
    #44 0x7fe6d1ad849f in WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:802
    #45 0x7fe6d1ad6f63 in WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) Source/WebCore/rendering/RenderBlockFlow.cpp:558
    #46 0x7fe6d1ac2b9c in WebCore::RenderBlock::layout() Source/WebCore/rendering/RenderBlock.cpp:510
    #47 0x7fe6d1ada0e9 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:1088
    #48 0x7fe6d1ad9904 in WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:903
    #49 0x7fe6d1ad849f in WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:802
    #50 0x7fe6d1ad6f63 in WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) Source/WebCore/rendering/RenderBlockFlow.cpp:558
    #51 0x7fe6d1ac2b9c in WebCore::RenderBlock::layout() Source/WebCore/rendering/RenderBlock.cpp:510
    #52 0x7fe6d1ada0e9 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:1088
    #53 0x7fe6d1ad9904 in WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:903
    #54 0x7fe6d1ad849f in WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) Source/WebCore/rendering/RenderBlockFlow.cpp:802
    #55 0x7fe6d1ad6f63 in WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) Source/WebCore/rendering/RenderBlockFlow.cpp:558
    #56 0x7fe6d1ac2b9c in WebCore::RenderBlock::layout() Source/WebCore/rendering/RenderBlock.cpp:510
    #57 0x7fe6d1c59307 in WebCore::RenderView::layout() Source/WebCore/rendering/RenderView.cpp:213
    #58 0x7fe6d15b0880 in WebCore::LocalFrameViewLayoutContext::performLayout(bool) Source/WebCore/page/LocalFrameViewLayoutContext.cpp:258
    #59 0x7fe6d1590bb3 in WebCore::LocalFrameViewLayoutContext::layout(bool) Source/WebCore/page/LocalFrameViewLayoutContext.cpp:158
    #60 0x7fe6d0e24a7f in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*) Source/WebCore/dom/Document.cpp:3150
    #61 0x7fe6d15abd3d in WebCore::LocalFrameView::updateLayoutAndStyleIfNeededRecursive(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>) Source/WebCore/page/LocalFrameView.cpp:5727
    #62 0x7fe6d15dfa2b in WebCore::Page::layoutIfNeeded(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>) Source/WebCore/page/Page.cpp:2121
    #63 0x7fe6d15dfedd in WebCore::Page::updateRendering() Source/WebCore/page/Page.cpp:2213
    #64 0x7fe6cfadba89 in WebKit::WebPage::updateRendering() Source/WebKit/WebProcess/WebPage/WebPage.cpp:5008
    #65 0x7fe6cfb1068e in WebKit::LayerTreeHost::flushLayers() Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:186
    #66 0x7fe6cfb1190f in WebKit::LayerTreeHost::didComposite(unsigned int) Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:491
    #67 0x7fe6cfb155e0 in WTF::RunLoop::Timer::Timer<WebKit::ThreadedCompositor>(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral, WebKit::ThreadedCompositor*, void (WebKit::ThreadedCompositor::*)()) requires WTF::HasRefPtrMemberFunctions<WebKit::ThreadedCompositor>::value::{lambda()#1}::operator()() const WTF/Headers/wtf/RunLoop.h:210
    #68 0x7fe6cfb155e0 in WTF::Detail::CallableWrapper<WTF::RunLoop::Timer::Timer<WebKit::ThreadedCompositor>(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral, WebKit::ThreadedCompositor*, void (WebKit::ThreadedCompositor::*)()) requires WTF::HasRefPtrMemberFunctions<WebKit::ThreadedCompositor>::value::{lambda()#1}, void>::call() WTF/Headers/wtf/Function.h:59
    #69 0x7fe6cd0a51cd in WTF::RunLoop::TimerBase::TimerBase(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral)::$_0::operator()(void*) const /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:253
    #70 0x7fe6cd0a51cd in WTF::RunLoop::TimerBase::TimerBase(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral)::$_0::__invoke(void*) /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:245
    #71 0x7fe6cd0a325c in WTF::RunLoop::$_1::operator()(_GSource*, int (*)(void*), void*) const /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:56
    #72 0x7fe6cd0a325c in WTF::RunLoop::$_1::__invoke(_GSource*, int (*)(void*), void*) /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:48
    #73 0x7fe6cd7d1772 in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3565
    #74 0x7fe6cd7d2ba2 in g_main_context_dispatch_unlocked ../../../../Projects/glib/glib/gmain.c:4425
    #75 0x7fe6cd7d2b6c in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:4413
    #76 0x7fe6cd0a3947 in WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:117
    #77 0x7fe6cd0a3da9 in WTF::RunLoop::runGLibMainLoop() /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:126
    #78 0x7fe6cd0a3da9 in WTF::RunLoop::run() /home/mcatanzaro/Projects/.gnome-builder/projects/WebKit/builds/default-jhbuild-x86_64-main/./Source/WTF/wtf/glib/RunLoopGLib.cpp:139
    #79 0x7fe6cfb22752 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) Source/WebKit/Shared/AuxiliaryProcessMain.h:77
    #80 0x7fe6cfb22752 in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) Source/WebKit/Shared/AuxiliaryProcessMain.h:103
    #81 0x7fe6c8c0f5b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #82 0x7fe6c8c0f667 in __libc_start_main_impl ../csu/libc-start.c:360
    #83 0x0000004003a4 in _start (/home/mcatanzaro/Projects/GNOME/install/libexec/webkitgtk-6.0/WebKitWebProcess+0x4003a4) (BuildId: f7f3cdb506bf686bdf2465001fd92a86fc1af0fe)

0x7c16c260aba6 is located 0 bytes after 22-byte region [0x7c16c260ab90,0x7c16c260aba6)

Problem is we use span8().data() and treat it as a nul-terminated string, but it's not nul-terminated. We should use utf8().data() instead.
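As an added illustration of the span8()/utf8() distinction the report describes (constructed code, not WebKit's: Span8, kBacking and languageFromString are stand-ins, the last one modelling the len < 0 convention of hb_language_from_string):

```cpp
#include <cstring>
#include <string>

// Constructed stand-in for WTF::String::span8(): a (pointer, length) view over
// the string's Latin-1 bytes with NO trailing nul. Not WebKit code.
struct Span8 {
    const char* ptr;
    size_t len;
    const char* data() const { return ptr; }
    size_t size() const { return len; }
};

// In the real bug the bytes after the 22-byte region were unowned heap, which
// is what ASan flagged. Here the "next" bytes live in the same array so the
// over-read is observable without undefined behaviour.
static const char kBacking[] = "en-US|stale-bytes";

// span8() on the 5-byte string "en-US": kBacking[5] is '|', not '\0'.
static Span8 span8() { return Span8{kBacking, 5}; }

// Stand-in for utf8(): an owning, nul-terminated copy (WTF::CString in WebKit).
// utf8() returns a temporary, so utf8().data() is only valid for the full
// expression that created it; keep the CString if the pointer must outlive it.
static std::string utf8() { return std::string(span8().data(), span8().size()); }

// Hypothetical stand-in for hb_language_from_string(const char* str, int len):
// len < 0 means "nul-terminated, walk to the terminator", otherwise read
// exactly len bytes.
static std::string languageFromString(const char* str, int len) {
    if (len < 0)
        return std::string(str);           // strlen walk: needs a terminator
    return std::string(str, size_t(len));  // bounded by the caller
}

// Buggy pattern from the report: the span's data() treated as a C string.
std::string languageSeenByBuggyCaller() {
    return languageFromString(span8().data(), -1);
}

// Fix proposed in the report: hand the API a real nul-terminated buffer.
std::string languageSeenWithUtf8() {
    return languageFromString(utf8().c_str(), -1);
}

// Alternative fix: keep the span and pass its length so the callee never
// searches for a terminator.
std::string languageSeenWithLength() {
    Span8 s = span8();
    return languageFromString(s.data(), int(s.size()));
}

// How many bytes strlen walks from the span's start (5 would be correct).
size_t bytesConsumedByStrlen() { return std::strlen(span8().data()); }
```

Running the buggy caller shows the callee consuming bytes past the logical string, which under ASan in the web process is the heap-buffer-overflow above.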
Michael Catanzaro
Comment 1
2025-11-03 13:26:08 PST
Pull request:
https://github.com/WebKit/WebKit/pull/53355
Michael Catanzaro
Comment 2
2025-11-03 14:10:35 PST
I did a quick audit of places using `span8().data()` without a size. WebKitError is the only other place that appears to be buggy. Thread::normalizeThreadName looks *really* sketchy, but the function is designed to receive a const char*, modify it in place, and return it, and the Windows port relies on this behavior, so it really has to use span8() to avoid introducing a bug. In that case, even though it looks like the return value is not nul-terminated, it actually should be since the return value is a pointer into the original input string. I think....
EWS
Comment 3
2025-11-04 09:25:28 PST
Committed 302547@main (26918e6cd63c): <https://commits.webkit.org/302547@main>
Reviewed commits have been landed. Closing PR #53355 and removing active labels.