Project: chromium
Starred by 1 user
Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security
Nag
Heap-buffer-overflow in color_sycc_to_rgb
Reported by cloudfuz...@gmail.com, Sep 30 2014
VULNERABILITY DETAILS
The attached testcase crashes the latest ASAN build of pdfium_test as follows:
=================================================================
==30705==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f766c24f700 at pc 0x00000064758c bp 0x7fff8f76e330 sp 0x7fff8f76e328
READ of size 4 at 0x7f766c24f700 thread T0
    #0 0x64758b in sycc422_to_rgb(opj_image*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:171:13
    #1 0x645c84 in color_sycc_to_rgb(opj_image*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:294:9
    #2 0x64824f in CJPX_Decoder::Init(unsigned char const*, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:644:9
    #3 0x649980 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:764:10
    #4 0x5d5f41 in CPDF_DIBSource::LoadJpxBitmap() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:643:21
    #5 0x5d1bab in CPDF_DIBSource::CreateDecoder() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:599:9
    #6 0x5cea18 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335:15
    #7 0x5c13fd in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:310:15
    #8 0x5c1123 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #9 0x5ddb20 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1489:15
    #10 0x5de543 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1549:19
    #11 0x5c5db9 in CPDF_ImageRenderer::StartLoadDIBSource() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:371:9
    #12 0x5c258d in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:525:9
    #13 0x5b81f6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:350:14
    #14 0x5be755 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1175:21
    #15 0x4aaa58 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:789:2
    #16 0x4aadf0 in FPDF_RenderPageBitmap /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:586:2
    #17 0x4a6875 in RenderPdf(char const*, char const*, unsigned long, OutputFormat) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:324:5
    #18 0x4a7329 in main /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:406:7
    #19 0x7f766e9aaec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #20 0x42299c in _start ??:0:0

0x7f766c24f700 is located 0 bytes to the right of 1195776-byte region [0x7f766c12b800,0x7f766c24f700)
allocated by thread T0 here:
    #0 0x4898f0 in __interceptor_calloc ??:0:0
    #1 0x737521 in opj_j2k_update_image_data /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7748:62
    #2 0x738500 in opj_j2k_decode_tiles /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9184:23
    #3 0x72ccd1 in opj_j2k_exec /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7048:41
    #4 0x7354a0 in opj_j2k_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9368:15
    #5 0x650ae9 in opj_jp2_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1332:8
    #6 0x64808a in CJPX_Decoder::Init(unsigned char const*, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:624:15
    #7 0x649980 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:764:10
    #8 0x5d5f41 in CPDF_DIBSource::LoadJpxBitmap() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:643:21
    #9 0x5d1bab in CPDF_DIBSource::CreateDecoder() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:599:9
    #10 0x5cea18 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335:15
    #11 0x5c13fd in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:310:15
    #12 0x5c1123 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #13 0x5ddb20 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1489:15
    #14 0x5de543 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1549:19
    #15 0x5c5db9 in CPDF_ImageRenderer::StartLoadDIBSource() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:371:9
    #16 0x5c258d in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:525:9
    #17 0x5b81f6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:350:14
    #18 0x5be755 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1175:21
    #19 0x4aaa58 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:789:2
    #20 0x4aadf0 in FPDF_RenderPageBitmap /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:586:2
    #21 0x4a6875 in RenderPdf(char const*, char const*, unsigned long, OutputFormat) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:324:5
    #22 0x4a7329 in main /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:406:7
    #23 0x7f766e9aaec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0fef4d841e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fef4d841ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fef4d841eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fef4d841ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fef4d841ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fef4d841ee0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fef4d841ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fef4d841f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fef4d841f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fef4d841f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fef4d841f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==30705==ABORTING


VERSION
Chrome Version: latest asan build of pdfium_test

REPRODUCTION CASE
Attached in repro.pdf
Attachment: repro.pdf (56.4 KB)
Project Member Comment 1 by clusterf...@chromium.org, Sep 30 2014
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5822145306296320
Project Member Comment 2 by clusterf...@chromium.org, Sep 30 2014
Summary: Heap-buffer-overflow in color_sycc_to_rgb (was: Security: heap-buffer-overflow in sycc422_to_rgb)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5822145306296320

Uploader: felt@chromium.org
Job Type: Linux_asan_pdfium

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f4208c0b700
Crash State:
  color_sycc_to_rgb
  CJPX_Decoder::Init
  CCodec_JpxModule::CreateDecoder
  

Minimized Testcase (56.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vOPd9lclBxOFd7_7IWmT-_mn7MxpcgmlDnqUaJeNOye40HwdRu_ysoExLy-dGjMft8erUv5h6I5imxf4uJ494I5pxlJRtCugVOCvyhc5I6evBhImIkTtBnDjQTp6_hY9izIxSFPLlFm51CTzNWuH_XgCooSdQfoBnod89V1dD-np9zIU


Project Member Comment 3 by clusterf...@chromium.org, Sep 30 2014
Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer
Status: Available
Labels: M-39 Security_Severity-Medium
Project Member Comment 5 by clusterf...@chromium.org, Sep 30 2014
Labels: Pri-1
Comment 6 by f...@chromium.org, Oct 1 2014
Labels: Cr-Internals-Plugins-PDF
Owner: bo...@foxitsoftware.com
Project Member Comment 7 by clusterf...@chromium.org, Oct 9 2014
Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: anto...@gmail.com
@antonin, can you take a look at this one? The crash is not inside jp2, but it looks like the image from opj_read_header or opj_decode has invalid member values.
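The comment above points at the root cause pattern: the 4:2:2 sYCC-to-RGB conversion indexes the chroma planes at half the luma rate and trusts the component geometry the decoder reported, so an image whose chroma components are smaller than the header implies is read past the end of the allocation (the ASAN report shows the read landing 0 bytes to the right of the decoded-image buffer). The following is an added illustration, not pdfium's or OpenJPEG's code and not the fix that closed this bug: it uses a constructed `comp_t`/`image_t` stand-in for the decoder's component descriptors (assumed field names `w`, `h`, `dx`, `dy`, `data`, 8-bit samples) and shows the geometry check a converter should run before touching the chroma planes, with the conversion refusing inputs that fail it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the per-component descriptor a JPEG 2000
 * decoder returns. It mirrors only the fields the conversion needs and is
 * NOT OpenJPEG's opj_image_comp_t. */
typedef struct {
    uint32_t w, h;     /* component width/height in samples */
    uint32_t dx, dy;   /* horizontal/vertical subsampling factors */
    int32_t *data;     /* w*h decoded samples; NULL if decoding failed */
} comp_t;

typedef struct {
    uint32_t numcomps;
    comp_t comps[3];
} image_t;

/* Geometry a 4:2:2 sYCC converter silently assumes: one chroma sample per
 * two luma samples horizontally, full vertical resolution. Every one of
 * these assumptions must hold before the chroma planes are indexed at the
 * luma rate; a header can claim 4:2:2 while the planes are smaller. */
int sycc422_geometry_ok(const image_t *img)
{
    if (img == NULL || img->numcomps < 3) return 0;
    const comp_t *y = &img->comps[0], *cb = &img->comps[1], *cr = &img->comps[2];
    if (y->data == NULL || cb->data == NULL || cr->data == NULL) return 0;
    if (y->w == 0 || y->h == 0) return 0;
    /* subsampling factors must describe 4:2:2 relative to luma */
    if (cb->dx != 2 * y->dx || cr->dx != 2 * y->dx) return 0;
    if (cb->dy != y->dy || cr->dy != y->dy) return 0;
    /* and the allocated chroma planes must really have that size */
    uint32_t expect_w = (y->w + 1) / 2;
    if (cb->w != expect_w || cr->w != expect_w) return 0;
    if (cb->h != y->h || cr->h != y->h) return 0;
    return 1;
}

static int32_t clamp8(int32_t v) { return v < 0 ? 0 : v > 255 ? 255 : v; }

/* Converts 8-bit 4:2:2 sYCC into caller-provided R, G, B planes of
 * y->w * y->h samples each. Returns 0 without reading any sample unless the
 * geometry check passed, so the chroma index x/2 can never run past the
 * chroma planes. */
int sycc422_to_rgb_checked(const image_t *img, int32_t *r, int32_t *g, int32_t *b)
{
    if (!sycc422_geometry_ok(img)) return 0;
    const comp_t *y = &img->comps[0], *cb = &img->comps[1], *cr = &img->comps[2];
    uint32_t cw = cb->w;
    for (uint32_t row = 0; row < y->h; row++) {
        for (uint32_t x = 0; x < y->w; x++) {
            int32_t Y  = y->data[row * y->w + x];
            int32_t Cb = cb->data[row * cw + x / 2] - 128;
            int32_t Cr = cr->data[row * cw + x / 2] - 128;
            /* fixed-point BT.601 coefficients scaled by 1024 */
            r[row * y->w + x] = clamp8(Y + (1436 * Cr) / 1024);
            g[row * y->w + x] = clamp8(Y - (352 * Cb + 731 * Cr) / 1024);
            b[row * y->w + x] = clamp8(Y + (1815 * Cb) / 1024);
        }
    }
    return 1;
}

/* Constructed 4x2 image with a consistent 4:2:2 layout (2x2 chroma planes);
 * neutral chroma means every RGB value equals the luma value. */
int demo_consistent_layout(void)
{
    int32_t yp[8]  = {128, 128, 128, 128, 200, 200, 200, 200};
    int32_t cbp[4] = {128, 128, 128, 128};
    int32_t crp[4] = {128, 128, 128, 128};
    int32_t r[8], g[8], b[8];
    image_t img = { 3, { { 4, 2, 1, 1, yp }, { 2, 2, 2, 1, cbp }, { 2, 2, 2, 1, crp } } };
    if (!sycc422_to_rgb_checked(&img, r, g, b)) return 0;
    return r[0] == 128 && g[0] == 128 && b[0] == 128 && r[7] == 200;
}

/* Constructed image whose subsampling factors still claim 4:2:2 but whose
 * chroma planes are only 1 sample wide: indexing them at x/2 for x up to 3
 * would read one sample past each plane. The check rejects it first. */
int demo_truncated_chroma(void)
{
    int32_t yp[8] = {0};
    int32_t cbp[2] = {128, 128}, crp[2] = {128, 128};
    int32_t r[8], g[8], b[8];
    image_t img = { 3, { { 4, 2, 1, 1, yp }, { 1, 2, 2, 1, cbp }, { 1, 2, 2, 1, crp } } };
    return sycc422_to_rgb_checked(&img, r, g, b) == 0;
}
```

The point of splitting validation from conversion is that the decoder's header fields (`dx`, `dy`) and its actual allocations (`w`, `h`, `data`) are two separate sources of truth, and the conversion must agree with both; checking only the subsampling factors would still let a short plane through.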
Cc: m.darb...@gmail.com
Project Member Comment 11 by clusterf...@chromium.org, Oct 11 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Release-0-M40
Let it roll into M40.
Labels: reward-topanel
Project Member Comment 14 by clusterf...@chromium.org, Jan 17 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-topanel reward-unpaid reward-1000 CVE-2014-7944
Congratulations - $1000 for this report.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 18 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 19 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic