CVE-2024-8636 - Heap Buffer Overflow in Skia - How a Crafted HTML Page Can Hack Your Chrome
In early 2024, a serious security bug—CVE-2024-8636—was found in the Skia graphics library, which is used by Google Chrome. Chrome versions before 128..6613.137 were affected. This bug is a heap buffer overflow, and it could let a remote attacker cause a heap corruption just by getting you to visit a specially-crafted HTML page.
This post explains how the vulnerability works, where the problem is in code, how it’s exploited, and how you can protect yourself.
Understanding Heap Buffer Overflow in Skia
Buffer overflow is when a program writes more data to a memory buffer than it was supposed to. This can overwrite adjacent memory and cause unexpected behavior. When this happens on the heap—a part of memory used for dynamic objects—it’s called a heap buffer overflow.
Skia is the open-source 2D graphics library behind Google Chrome’s rendering engine. It draws everything: text, images, shapes, and more. A bug in Skia means anything rendered by Chrome can trigger vulnerable code.
Where’s the Bug? (The Code Snippet)
The issue was found in Skia’s image processing routines, specifically in how Skia handled certain image data during HTML parsing.
Here’s a _simplified_ version of problematic code
// Pseudocode based on Skia's vulnerable code path
void processImageData(const uint8_t* inputData, size_t inputSize) {
uint8_t buffer[256];
memcpy(buffer, inputData, inputSize); // Oops! inputSize not checked
}
The problem? If inputSize is bigger than buffer, we write outside the boundaries—leading to heap corruption.
In Skia, the code involving copying and processing image/color data didn’t always check that the image provided by the attacker wasn't too big for the destination buffer. Skia trusted the size fields in the image data coming from the HTML, allowing an attacker to craft malicious input.
Crafting the Exploit
A real-world attack involves a specially crafted HTML page that includes an image, SVG, or canvas code designed to hit the vulnerable Skia path. The attacker submits image data that’s bigger than expected, and due to lack of bounds checks, Chrome’s Skia code writes outside its buffer.
Example: Malicious HTML
<!-- Example illustration - not actual exploit -->
<img src="evil_image.png">
The evil_image.png is not a normal image; instead, its internal structure and metadata are crafted such that parsing triggers the buffer overflow.
Victim opens the page in Chrome (prior to 128..6613.137).
3. Chrome loads a malicious image/SVG.
Buffer overflow happens, corrupting heap memory.
6. Attackers can gain control of execution, potentially running arbitrary code or crashing the browser.
In advanced cases, a determined attacker could use heap corruption to break out of Chrome's sandbox or even run code on the victim’s computer.
How Dangerous Is This?
- Severity: HIGH. Anyone who visits a malicious site is at risk. No interaction required besides opening the page.
How Was It Fixed?
The Chrome team fixed the bug by adding input validation—making sure the input size can’t exceed the buffer.
Patch example
// Fixed code (check the size!)
if (inputSize <= sizeof(buffer)) {
memcpy(buffer, inputData, inputSize);
}
Or better yet, using memory-safe functions
memcpy_s(buffer, sizeof(buffer), inputData, inputSize);
References and Official Links
- Google Chrome Releases - Stable Channel Update
- Chromium Security Advisories
- Security bug entry on Chromium *(May require permissions)*
- Skia GitHub Repository
Summary
CVE-2024-8636 was a serious bug in Chrome’s Skia graphics library. It allowed hackers to exploit Chrome users through a simple HTML page containing a crafted image. Google patched the problem, but only if you update your browser. Always keep your apps updated—not just for features, but for your safety!
Timeline
Published on: 09/11/2024 14:15:13 UTC
Last modified on: 09/13/2024 14:35:08 UTC