Status: Fixed
Owner:
Closed: Jan 2015
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug
UNKNOWN in CPDF_DataAvail::CheckTrailer
Reported by ha...@hboeck.de, Jan 22 2015
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36

Steps to reproduce the problem:
1. Run pdfium with ASan on the attached malformed PDF (with a malformed JBIG2 image embedded)
2. See the ASan crash dump:

==20188==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000087cf2a sp 0x7fff6df8df10 bp 0x000000000000 T0)
    #0 0x87cf29 in CPDF_DataAvail::CheckTrailer(IFX_DownloadHints*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:3832
    #1 0x8abfea in CPDF_DataAvail::CheckDocStatus(IFX_DownloadHints*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:3003
    #2 0x8abfea in CPDF_DataAvail::IsDocAvail(IFX_DownloadHints*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2933
    #3 0x478428 in FPDFAvail_IsDocAvail fpdfsdk/src/fpdf_dataavail.cpp:117
    #4 0x46711d in RenderPdf(std::string const&, char const*, unsigned long, OutputFormat) samples/pdfium_test.cc:381
    #5 0x443262 in main samples/pdfium_test.cc:512
    #6 0x7fe0fc5f5f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #7 0x4653ed (/data/pdfium-asanized/out/Debug/pdfium_test+0x4653ed)

What is the expected behavior?

What went wrong?
Shouldn't segfault.

Did this work before? N/A 

Chrome version: 40.0.2214.85  Channel: beta
OS Version: 
Flash Version: Shockwave Flash 16.0 r0

Looks like you forgot to attach the pdf.
Comment 2 by ha...@hboeck.de, Jan 22 2015
1080.pdf.asan.log
1.2 KB View Download
1080.pdf
8.8 KB Download
Project Member Comment 3 by clusterf...@chromium.org, Jan 22 2015
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5681195403706368
Why is this a security vulnerability? It looks like a null ptr crash. Please explain.
Project Member Comment 5 by clusterf...@chromium.org, Jan 22 2015
Summary: UNKNOWN in CPDF_DataAvail::CheckTrailer (was: pdfium segfault in CPDF_DataAvail::CheckTrailer on malformed jbig2)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5681195403706368

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  CPDF_DataAvail::CheckTrailer
  CPDF_DataAvail::CheckDocStatus
  CPDF_DataAvail::IsDocAvail
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=307685:308523

Minimized Testcase (8.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96KfVwhMYxdtKbq8VV2RenArNnx6R34NxxUfwKqYHxum-i39heMtGUstX__H056xAKz5yUbjI72wUNxEFIKBJFxejlM2ualZvPnydhsfmQ3IzHmH_ov_laWMFHVHkjtdELsBjSB9hk4MXiC1XHubkSqa1vG_g


Project Member Comment 6 by clusterf...@chromium.org, Jan 22 2015
Labels: Stability-Memory-AddressSanitizer Security_Impact-Head
Status: Available
Comment 7 by rickyz@chromium.org, Jan 22 2015
Owner: bo...@foxitsoftware.com
Adding Bo, who added the crashing line: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp&l=3831

Did you mean to add that check below the if (!pTrailer)?
Cc: kcc@chromium.org glider@chromium.org
Issue 450967 has been merged into this issue.
Cc: -glider@chromium.org -kcc@chromium.org
Labels: -Restrict-View-SecurityTeam -Type-Bug-Security -Security_Impact-Head Type-Bug
harmless null crash
Status: Started
@rickyz, you are right. Patch is in https://codereview.chromium.org/866003003/
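The ordering mistake rickyz points at, as an added illustration that is not pdfium's code: a sketch of a CheckTrailer-style routine in which a newly added validation dereferences pTrailer before the existing `if (!pTrailer)` guard, next to the reordered version. The `Trailer`, `LoadTrailer`, `CheckTrailerBuggy` and `CheckTrailerFixed` names, the `DocStatus` enum and the constructed inputs are assumptions, not pdfium's API.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-in for pdfium's trailer dictionary (not the real CPDF_Dictionary).
struct Trailer {
  std::map<std::string, int64_t> ints;
  bool HasKey(const std::string& k) const { return ints.count(k) != 0; }
  int64_t GetInteger(const std::string& k) const { return HasKey(k) ? ints.at(k) : 0; }
};

enum class DocStatus { kError, kNeedsData, kTrailerOk };

// Constructed loader: returns nullptr when the blob has no trailer keyword,
// which is what a truncated or corrupted file produces.
std::unique_ptr<Trailer> LoadTrailer(const std::string& blob) {
  size_t pos = blob.find("trailer");
  if (pos == std::string::npos) return nullptr;
  auto t = std::make_unique<Trailer>();
  size_t sz = blob.find("/Size ", pos);
  if (sz != std::string::npos)
    t->ints["/Size"] = std::strtoll(blob.c_str() + sz + 6, nullptr, 10);
  return t;
}

// Shape of the reported bug: the added check uses pTrailer before the null guard.
// Called with a trailer-less blob this dereferences nullptr (the ASan SEGV at address 0).
DocStatus CheckTrailerBuggy(const std::string& blob) {
  std::unique_ptr<Trailer> pTrailer = LoadTrailer(blob);
  if (pTrailer->GetInteger("/Size") <= 0)  // BUG: pTrailer may be null here
    return DocStatus::kError;
  if (!pTrailer) return DocStatus::kNeedsData;
  return DocStatus::kTrailerOk;
}

// Reordered as the fix suggests: the null guard comes first, so the new
// validation only runs on a trailer that actually exists.
DocStatus CheckTrailerFixed(const std::string& blob) {
  std::unique_ptr<Trailer> pTrailer = LoadTrailer(blob);
  if (!pTrailer) return DocStatus::kNeedsData;
  if (pTrailer->GetInteger("/Size") <= 0) return DocStatus::kError;
  return DocStatus::kTrailerOk;
}
```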
Project Member Comment 12 by clusterf...@chromium.org, Jan 30 2015
ClusterFuzz has detected this issue as fixed in range 313308:313418.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5681195403706368

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  CPDF_DataAvail::CheckTrailer
  CPDF_DataAvail::CheckDocStatus
  CPDF_DataAvail::IsDocAvail
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=307685:308523
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=313308:313418

Minimized Testcase (8.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96KfVwhMYxdtKbq8VV2RenArNnx6R34NxxUfwKqYHxum-i39heMtGUstX__H056xAKz5yUbjI72wUNxEFIKBJFxejlM2ualZvPnydhsfmQ3IzHmH_ov_laWMFHVHkjtdELsBjSB9hk4MXiC1XHubkSqa1vG_g

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
