
Issue 446033

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




UNKNOWN in Read_CVT

Reported by cloudfuz...@gmail.com, Jan 4 2015

Issue description

VULNERABILITY DETAILS

ASAN:SIGSEGV
=================================================================
==14904==ERROR: AddressSanitizer: SEGV on unknown address 0x123a8000c510 (pc 0x0000008ed05c bp 0x7fffaab61d80 sp 0x7fffaab61d70 T0)
    #0 0x8ed05b in Read_CVT /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttinterp.c:1615
    #1 0x8f833b in Ins_MIRP /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttinterp.c:6582
    #2 0x8e9783 in FPDFAPI_TT_RunIns /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttinterp.c:8819
    #3 0x908a7d in tt_size_run_prep /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttobjs.c:886
    #4 0x907d33 in tt_size_ready_bytecode /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttobjs.c:1098
    #5 0x9019ef in tt_loader_init /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttgload.c:1990
    #6 0x9012ec in TT_Load_Glyph /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/truetype/ttgload.c:2258
    #7 0x85eb8c in FPDFAPI_FT_Load_Glyph /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/fx_freetype/src/../fxft2.5.01/src/base/ftobjs.c:721
    #8 0x89aebd in CFX_FaceCache::RenderGlyph(CFX_Font*, unsigned int, int, CFX_Matrix const*, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/ge/fx_ge_text.cpp:1338
    #9 0x89a8a6 in CFX_FaceCache::LookUpGlyphBitmap(CFX_Font*, CFX_Matrix const*, CFX_ByteStringC&, unsigned int, int, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/ge/fx_ge_text.cpp:1094
    #10 0x899012 in CFX_FaceCache::LoadGlyphBitmap(CFX_Font*, unsigned int, int, CFX_Matrix const*, int, int, int&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/ge/fx_ge_text.cpp:1137
    #11 0x88e698 in CFX_RenderDevice::DrawNormalText(int, FXTEXT_CHARPOS const*, CFX_Font*, CFX_FontCache*, float, CFX_Matrix const*, unsigned int, unsigned int, int, void*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxge/ge/fx_ge_text.cpp:235
    #12 0x5ecbb3 in CPDF_TextRenderer::DrawNormalText(CFX_RenderDevice*, int, unsigned int*, float*, CPDF_Font*, float, CFX_Matrix const*, unsigned int, CPDF_RenderOptions const*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp:684
    #13 0x5e9c1e in CPDF_RenderStatus::ProcessText(CPDF_TextObject const*, CFX_Matrix const*, CFX_PathData*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp:288
    #14 0x5b4ae2 in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:399
    #15 0x5b4f0c in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:344
    #16 0x5bb415 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1133
    #17 0x4a8d86 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:726
    #18 0x4a9130 in FPDF_RenderPageBitmap /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:524
    #19 0x4a3ab9 in RenderPdf /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:426
    #20 0x4a4724 in main /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:512
    #21 0x7f4cb66f5ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14904==ABORTING


VERSION
Chrome Version: asan-symbolized-linux-release-309428

REPRODUCTION CASE
Attached as repro.pdf


 
Attachment: repro.pdf (525 KB)
Comment 1 by ClusterFuzz (Project Member), Jan 4 2015

ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4854469152997376
Cc: jun_f...@foxitsoftware.com
Labels: Cr-Internals-Plugins-PDF Pri-1 OS-All
Owner: bo...@foxitsoftware.com
Status: Assigned
Comment 3 by ClusterFuzz (Project Member), Jan 4 2015

Summary: UNKNOWN in Read_CVT (was: Security: SEGV on unknown address in Read_CVT )
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4854469152997376

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: UNKNOWN
Crash Address: 0x123a8000c510
Crash State:
  Read_CVT
  FPDFAPI_TT_RunIns
  tt_size_run_prep
  

Minimized Testcase (525.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bdoZyAazncDoxzOCk62ynrgBYjUBBuKCRTA4nRPhS098609zdCWqZvOk685iagCmTH5xtiRD-mL83LxcWqDLaBYfrh6fP2NcKjyCHRahWwXEexuTNaCx9TuWbXTUTJMghrrX1MnKl-MWT8amGiPlLn7QAf5CwxXlAhzGGJaQHLHDtMQM


Comment 4 by ClusterFuzz (Project Member), Jan 4 2015

Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer

Comment 5 by f...@chromium.org, Jan 4 2015

Labels: Security_Severity-High M-39
Cc: thestig@chromium.org
FreeType has been updated in https://pdfium.googlesource.com/pdfium/+/b3a323016ab64d3f3ff044a5d7084c272327692e but not rolled to Chromium yet.
Please mark as status=Fixed once the pdfium roll happens and FreeType is updated.
Cc: tsepez@chromium.org
tsepez is doing the roll: https://codereview.chromium.org/789613007/

Comment 10 by aarya@google.com, Jan 6 2015

Status: Fixed
Thanks Tom - https://crrev.com/6ae67338f424ae28d3cd1344282dfb7391ad3025
Comment 11 by ClusterFuzz (Project Member), Jan 7 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-40 M-41 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Isn't this the same as bug 387964?
Comment 13 by ClusterFuzz (Project Member), Jan 7 2015

ClusterFuzz has detected this issue as fixed in range 310098:310217.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4854469152997376

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: UNKNOWN
Crash Address: 0x123a8000c510
Crash State:
  Read_CVT
  FPDFAPI_TT_RunIns
  tt_size_run_prep
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=310098:310217

Minimized Testcase (525.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bdoZyAazncDoxzOCk62ynrgBYjUBBuKCRTA4nRPhS098609zdCWqZvOk685iagCmTH5xtiRD-mL83LxcWqDLaBYfrh6fP2NcKjyCHRahWwXEexuTNaCx9TuWbXTUTJMghrrX1MnKl-MWT8amGiPlLn7QAf5CwxXlAhzGGJaQHLHDtMQM

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

387964 was a null pointer crash, and this one is security related; the stack looks similar. No idea if it is the same, but these look like all old FreeType bugs that got nuked with the update.
Labels: -Merge-Triage -M-40 -M-41 Merge-NA Release-0-M41
Labels: reward-topanel
Cc: mjurczyk@google.com
Labels: -Security_Severity-High Security_Severity-Medium
Updating severity
Labels: -reward-topanel reward-1000 reward-unpaid CVE-2015-1225
Congrats - $1000 for this report.
Labels: -reward-unpaid reward-inprocess
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Comment 22 by ClusterFuzz (Project Member), Apr 14 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Comment 23 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 24 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
