use-after-free when opening video
epiphany
Compiled from 9a58a901.
Configured:
CFLAGS="-ggdb3" meson setup build -D optimization=g -D debug=true -D prefix=/usr -D b_sanitize=address,undefined -D developer_mode=true
Started:
meson devenv -C build
LD_PRELOAD=/usr/lib/libasan.so ./src/epiphany "https://download.blender.org/peach/bigbuckbunny_movies/BigBuckBunny_320x180.mp4"
When the page loads, the following use-after-free is triggered:
==2==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000b3300 at pc 0x7f01af23062b bp 0x7fffbf1bc050 sp 0x7fffbf1bb7f8
READ of size 4 at 0x6030000b3300 thread T0
#0 0x7f01af23062a in __interceptor_strlen /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#1 0x7f01aabee0b8 in g_strdup (/usr/lib/libglib-2.0.so.0+0x730b8)
#2 0x7f01aaceaca5 (/usr/lib/libgobject-2.0.so.0+0x32ca5)
#3 0x7f01aacdbabb in g_object_set_valist (/usr/lib/libgobject-2.0.so.0+0x23abb)
#4 0x7f01aacdbda4 in g_object_set (/usr/lib/libgobject-2.0.so.0+0x23da4)
#5 0x7f01a6c3ed49 (/usr/lib/libffi.so.8+0x6d49)
#6 0x7f01a6c3e266 (/usr/lib/libffi.so.8+0x6266)
#7 0x7f01aacd0fcd in g_cclosure_marshal_generic (/usr/lib/libgobject-2.0.so.0+0x18fcd)
#8 0x7f01aaccaebe in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x12ebe)
#9 0x7f01aace7187 (/usr/lib/libgobject-2.0.so.0+0x2f187)
#10 0x7f01aace8ba6 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x30ba6)
#11 0x7f01aace8e03 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x30e03)
#12 0x7f01a7d1a01b (/usr/lib/libgstreamer-1.0.so.0+0x4601b)
#13 0x7f01a7d159ca in gst_bin_add (/usr/lib/libgstreamer-1.0.so.0+0x419ca)
#14 0x7f014a1e89ca (/usr/lib/gstreamer-1.0/libgstautodetect.so+0x39ca)
#15 0x7f01a7d40c48 in gst_element_change_state (/usr/lib/libgstreamer-1.0.so.0+0x6cc48)
#16 0x7f01a7d4137f (/usr/lib/libgstreamer-1.0.so.0+0x6d37f)
#17 0x7f01a7d18ed4 (/usr/lib/libgstreamer-1.0.so.0+0x44ed4)
#18 0x7f01a7d40c48 in gst_element_change_state (/usr/lib/libgstreamer-1.0.so.0+0x6cc48)
#19 0x7f01a7d4137f (/usr/lib/libgstreamer-1.0.so.0+0x6d37f)
#20 0x7f0145bfe032 (/usr/lib/gstreamer-1.0/libgstplayback.so+0x46032)
#21 0x7f0145c27703 (/usr/lib/gstreamer-1.0/libgstplayback.so+0x6f703)
#22 0x7f0145bfab4d (/usr/lib/gstreamer-1.0/libgstplayback.so+0x42b4d)
#23 0x7f01a7d40c48 in gst_element_change_state (/usr/lib/libgstreamer-1.0.so.0+0x6cc48)
#24 0x7f01a7d40c8f in gst_element_change_state (/usr/lib/libgstreamer-1.0.so.0+0x6cc8f)
#25 0x7f01a7d4137f (/usr/lib/libgstreamer-1.0.so.0+0x6d37f)
#26 0x7f01ae0c8f8e (/usr/lib/libwebkit2gtk-4.0.so.37+0x2c32f8e)
#27 0x7f01ae0ccbb5 (/usr/lib/libwebkit2gtk-4.0.so.37+0x2c36bb5)
#28 0x7f01ae0d7f18 (/usr/lib/libwebkit2gtk-4.0.so.37+0x2c41f18)
#29 0x7f01ad932325 (/usr/lib/libwebkit2gtk-4.0.so.37+0x249c325)
#30 0x7f01ad932a46 (/usr/lib/libwebkit2gtk-4.0.so.37+0x249ca46)
#31 0x7f01ad31fcfb (/usr/lib/libwebkit2gtk-4.0.so.37+0x1e89cfb)
#32 0x7f01ad3218c7 (/usr/lib/libwebkit2gtk-4.0.so.37+0x1e8b8c7)
#33 0x7f01ad0d3211 (/usr/lib/libwebkit2gtk-4.0.so.37+0x1c3d211)
#34 0x7f01ad171e01 (/usr/lib/libwebkit2gtk-4.0.so.37+0x1cdbe01)
#35 0x7f01ad879469 (/usr/lib/libwebkit2gtk-4.0.so.37+0x23e3469)
#36 0x7f01aa7b7224 (/usr/lib/libjavascriptcoregtk-4.0.so.18+0x17d1224)
#37 0x7f01aa7b74c6 (/usr/lib/libjavascriptcoregtk-4.0.so.18+0x17d14c6)
#38 0x7f01aabcfee2 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x54ee2)
#39 0x7f01aac260f8 (/usr/lib/libglib-2.0.so.0+0xab0f8)
#40 0x7f01aabcf432 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x54432)
#41 0x7f01aa7b7621 in WTF::RunLoop::run() (/usr/lib/libjavascriptcoregtk-4.0.so.18+0x17d1621)
#42 0x7f01ac2c1ff4 in WebKit::WebProcessMain(int, char**) (/usr/lib/libwebkit2gtk-4.0.so.37+0xe2bff4)
#43 0x7f01ab2b930f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
#44 0x7f01ab2b93c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
#45 0x55c9ff42a684 (/usr/lib/webkit2gtk-4.0/WebKitWebProcess+0x684)
0x6030000b3300 is located 16 bytes inside of 20-byte region [0x6030000b32f0,0x6030000b3304)
freed by thread T0 here:
#0 0x7f01af2a9a79 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f01ad8ab365 (/usr/lib/libwebkit2gtk-4.0.so.37+0x2415365)
previously allocated by thread T0 here:
#0 0x7f01af2a9dd9 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f01aa7bfb3f in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/usr/lib/libjavascriptcoregtk-4.0.so.18+0x17d9b3f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c068000e610: fa fa fa fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c068000e620: fa fa fa fa fa fa fa fa fd fd fd fa fa fa fd fd
0x0c068000e630: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
0x0c068000e640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068000e650: fa fa fa fa fa fa fa fa fd fd fd fd fa fa fd fd
=>0x0c068000e660:[fd]fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
0x0c068000e670: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x0c068000e680: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
0x0c068000e690: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
0x0c068000e6a0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x0c068000e6b0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2==ABORTING
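The report above is long, and the parts a triager actually needs are the access (kind, size, thread), the offset inside the freed region, and the first symbolized frame of each of the three stacks (use, free, allocation). The following is an added example, not code from this bug report or from Epiphany/WebKit: a small parser for the text format AddressSanitizer prints, run over an excerpt of the report above. The regular expressions and the `AsanReport`/`Frame` names are this example's own assumptions about the format, based only on the lines shown in the report.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One stack frame: "#N 0xADDR [in FUNC] LOCATION"; FUNC may contain spaces
# (C++ signatures), LOCATION is either "file:line" or "(module+offset)".
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-f]+\s+(?:in\s+(?P<func>.*?)\s+)?(?P<loc>\(\S+\)|\S+)$"
)
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>\S+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"is located (?P<offset>\d+) bytes inside of (?P<size>\d+)-byte region")


@dataclass
class Frame:
    index: int
    func: Optional[str]   # None when ASan could not symbolize the frame
    location: str


@dataclass
class AsanReport:
    kind: str = ""
    address: str = ""
    op: str = ""
    size: int = 0
    thread: str = ""
    offset: Optional[int] = None        # bytes from region start to the bad access
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # access / freed / allocated


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, switching stacks at ASan's section markers."""
    rep = AsanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            rep.kind, rep.address = m["kind"], m["addr"]
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.op, rep.size, rep.thread = m["op"], int(m["size"]), m["thread"]
            section = "access"
            rep.stacks[section] = []
            continue
        m = REGION_RE.search(line)
        if m:
            rep.offset, rep.region_size = int(m["offset"]), int(m["size"])
            continue
        if line.startswith("freed by thread"):
            section = "freed"
            rep.stacks[section] = []
            continue
        if line.startswith("previously allocated by"):
            section = "allocated"
            rep.stacks[section] = []
            continue
        if line.startswith("SUMMARY") or line.startswith("Shadow bytes"):
            section = None
            continue
        m = FRAME_RE.match(line)
        if m and section:
            rep.stacks[section].append(Frame(int(m["idx"]), m["func"], m["loc"]))
    return rep


def first_symbolized(frames: List[Frame]) -> Optional[Frame]:
    """First frame with a real function name, skipping ASan's own interceptors."""
    for f in frames:
        if f.func and not f.func.startswith("__interceptor_"):
            return f
    return None


def summary_line(rep: AsanReport) -> str:
    """One-line triage summary: what was accessed, where it was freed and allocated."""
    parts = [f"{rep.kind}: {rep.op} of {rep.size} bytes at {rep.address} on {rep.thread}"]
    if rep.offset is not None:
        parts.append(f"{rep.offset} bytes into a {rep.region_size}-byte region")
    for name in ("access", "freed", "allocated"):
        f = first_symbolized(rep.stacks.get(name, []))
        parts.append(f"{name} via {f.func if f else 'unsymbolized frame'}")
    return "; ".join(parts)


# Excerpt of the report from this bug, trimmed to the frames needed for triage.
SAMPLE_REPORT = """==2==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000b3300 at pc 0x7f01af23062b bp 0x7fffbf1bc050 sp 0x7fffbf1bb7f8
READ of size 4 at 0x6030000b3300 thread T0
#0 0x7f01af23062a in __interceptor_strlen /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#1 0x7f01aabee0b8 in g_strdup (/usr/lib/libglib-2.0.so.0+0x730b8)
#2 0x7f01aaceaca5 (/usr/lib/libgobject-2.0.so.0+0x32ca5)
0x6030000b3300 is located 16 bytes inside of 20-byte region [0x6030000b32f0,0x6030000b3304)
freed by thread T0 here:
#0 0x7f01af2a9a79 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f01ad8ab365 (/usr/lib/libwebkit2gtk-4.0.so.37+0x2415365)
previously allocated by thread T0 here:
#0 0x7f01af2a9dd9 in __interceptor_malloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f01aa7bfb3f in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (/usr/lib/libjavascriptcoregtk-4.0.so.18+0x17d9b3f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
"""

if __name__ == "__main__":
    print(summary_line(parse_asan_report(SAMPLE_REPORT)))
```

On this report the summary shows the read happening inside `g_strdup` (a string property being copied by `g_object_set`), the freeing frame being unsymbolized inside libwebkit2gtk, and the allocation coming from WebKit's `bmalloc::DebugHeap`; that is the shape to look for when deciding which component owns the lifetime bug.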
Edited by Barnabás Pőcze