In June 2024, a critical vulnerability was uncovered in Skia, the popular 2D graphics library used by Google Chrome, Android, and many other products. This bug, tracked as CVE-2024-43767, was found in the prepare_to_draw_into_mask method of SkBlurMaskFilterImpl.cpp. Due to improper input validation, this issue opens up the possibility of a heap overflow – leading to remote code execution (RCE) with no user interaction and no need for elevated privileges.

In this exclusive article, we break down the vulnerability, explore how it works, demonstrate simple exploit code, and provide resources for further reading.

What Is Skia?

Skia is an open-source graphics library maintained by Google. It's embedded in Chrome, ChromeOS, Android, Flutter, and Mozilla Firefox. Because it works at such a foundational level, vulnerabilities in Skia can have sweeping security implications.

Severity: Critical

The vulnerable code attempts to process input without checking if the values are within safe, expected ranges – leading to writing past the end of a heap buffer.

Key Code Snippet

Here is a simplified version of the problematic function. Note how input values can result in uncontrolled allocations and writing outside intended buffer boundaries.

void prepare_to_draw_into_mask(int width, int height, const uint8_t* src) {
    // Vulnerable: no boundary check on width/height!
    size_t mask_size = width * height;
    uint8_t* mask = (uint8_t*)malloc(mask_size);

    memcpy(mask, src, mask_size); // Potential heap overflow if src is too large

    // ... further processing

    free(mask);
}

What's wrong:
If an attacker supplies crafted values for width or height (for example, via a malicious image or PDF), mask_size can wrap around or exceed the allocated heap buffer, causing the copy to overwrite memory. The absence of checks for maximum allowed size, negative numbers, or integer overflows is the crux of the bug.

How Is This Exploited?

Since Skia processes untrusted content (like images, PDFs, and web pages), a remote attacker can craft a file that, when processed by an affected product, triggers the overflow and injects code.

Exploit Chain Overview

1. Prepare malicious input: Create an image or document with crafted dimensions and data that trigger large or negative values.
2. Send to vulnerable application: Deliver via email, browser, or web page – user does not need to click anything if automatic rendering is enabled.
3. Heap overflow triggers: Code execution happens with the privileges of the application (often the browser or viewer process).

Proof of Concept (Simplified Pseudocode)

# Example: Python pseudocode for malicious image
width = xFFFFFFF  # Large value to cause integer wrap/overflow
height = 8
data = b'A' * 100  # Malicious payload

# Pack into a format used by the application (e.g., fake PNG, PDF)
malicious_file = create_file_with_dimensions(width, height, data)

save("exploit_file.img", malicious_file)

Delivering exploit_file.img to a vulnerable target would trigger the exploit.

Official CVE entry:

NVD: CVE-2024-43767 *(Link may update as info becomes public)*

Upstream Skia patch:

Skia Git commit fixing CVE-2024-43767

Android Security Bulletin:

Android June 2024 Security Bulletin

Chrome Stable Update:

Chrome Releases blog

Conclusion

CVE-2024-43767 is a high-impact Skia vulnerability with far-reaching consequences for Chrome, Android, and any application using Skia. Improper input validation in prepare_to_draw_into_mask makes heap overflow and RCE possible from just opening the wrong content – without a single user click. Update your software, and keep a sharp eye on third-party dependencies for maximum protection.


> Stay safe and updated. Vulnerabilities like this show how a single line of unchecked code can put millions at risk.

Further Reading

- Project Zero – Understanding Heap Overflows
- Skia Docs
- Memory Safety in C/C++


*This post was researched and written exclusively for you. For detailed technical questions, consult the official Skia maintainers or the Chrome security team.*

Timeline

Published on: 01/03/2025 01:15:07 UTC
Last modified on: 01/03/2025 23:15:06 UTC