Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Feb 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Nag


Issue 457493: Heap-double-free in j2k_read_ppm_v3

Reported by ha...@hboeck.de, Feb 11 2015

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.35 Safari/537.36

Steps to reproduce the problem:
1. Attached file will expose a double free in pdfium.

Will attach address sanitizer output.
 

Comment 1 by ha...@hboeck.de, Feb 11 2015

Attachments:
  doublefree.pdf.asan.txt (4.4 KB)
  doublefree.pdf (350 bytes)

Comment 2 by ClusterFuzz, Feb 11 2015

Project Member
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5702547801636864

Comment 3 by jsc...@chromium.org, Feb 11 2015

This one isn't reproducing. What version were you testing against?

Comment 4 by ha...@hboeck.de, Feb 11 2015

I reproduced it with the pre-built asan package from here:
https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-symbolized-linux-release-315577.zip?generation=1423603643978000&alt=media

That's the version from yesterday. (the crash dump came from a version I built myself a while ago, but I always re-test against a recent pre-built version)

Comment 5 by jsc...@chromium.org, Feb 11 2015

Any special requirements? Did you have to give it a long timeout? Was it in 64-bit ASAN, etc?

Comment 6 by ClusterFuzz, Feb 12 2015

Project Member
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5703056486825984

Comment 7 by ClusterFuzz, Feb 12 2015

Project Member
Labels: Security_Impact-Stable Stability-Memory-AddressSanitizer
Status: Available

Comment 8 by ClusterFuzz, Feb 12 2015

Project Member
Summary: Heap-double-free in j2k_read_ppm_v3 (was: double free in pdfium / function j2k_read_ppm_v3)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5703056486825984

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: Heap-double-free
Crash Address: 0x6090000093e0
Crash State:
  j2k_read_ppm_v3
  opj_j2k_read_header_procedure
  opj_j2k_read_header
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=289356:289512

Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_bE1jGv895QtSnW3Y7ToJc5o4TJyifX5PNYwqM0IaON7dru17L-WgmbLJzaC_Rwt6qyRQV7hCy89yCHIqzQ1Q2p4Kd_5260iWSNnUDjFdHAj0kPRqXA0CkU1xcIJVnvCUcQ4VQp9P1fyyG_Ucr3pzYcfzKw

Comment 9 by ha...@hboeck.de, Feb 12 2015

Don't know if you still have an issue (the latest ClusterFuzz message indicates it's reproduced now), but this was on 64-bit Linux with ASan enabled (using the pre-built ASan packages), reproducible by running the attached PDF through pdfium_test.

Comment 10 by jsc...@chromium.org, Feb 12 2015

Cc: tsepez@chromium.org
Labels: -OS-Linux OS-All Security_Severity-High M-40 Cr-Internals-Plugins-PDF
Owner: jun_f...@foxitsoftware.com
Status: Assigned

Comment 11 by ClusterFuzz, Feb 12 2015

Project Member
Labels: -Pri-2 Pri-1

Comment 12 by ClusterFuzz, Feb 20 2015

Project Member
Labels: -M-40 M-41

Comment 13 by ClusterFuzz, Feb 25 2015

Project Member
Labels: Nag
jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 14 by jun_f...@foxitsoftware.com, Feb 26 2015

Cc: kai_j...@foxitsoftware.com
Status: Started
It's pending in https://codereview.chromium.org/960183004/.

Comment 16 by ClusterFuzz, Feb 27 2015

Project Member
Labels: -Restrict-View-SecurityTeam M-42 Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 17 by timwillis@google.com, Mar 5 2015

Labels: reward-topanel

Comment 18 by timwillis@google.com, Mar 16 2015

Labels: -Merge-Triage Merge-Requested
Merge requested for M42.

Comment 19 by amin...@google.com, Mar 16 2015

Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.

Comment 20 by amineer@chromium.org, Mar 17 2015

Labels: -Merge-Review Merge-Approved
merge approved for m42

Comment 21 by ClusterFuzz, Mar 21 2015

Project Member
ClusterFuzz has detected this issue as fixed in range 321566:321633.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5703056486825984

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: Heap-double-free
Crash Address: 0x6090000093e0
Crash State:
  j2k_read_ppm_v3
  opj_j2k_read_header_procedure
  opj_j2k_read_header
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=289356:289512
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=321566:321633

Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96_bE1jGv895QtSnW3Y7ToJc5o4TJyifX5PNYwqM0IaON7dru17L-WgmbLJzaC_Rwt6qyRQV7hCy89yCHIqzQ1Q2p4Kd_5260iWSNnUDjFdHAj0kPRqXA0CkU1xcIJVnvCUcQ4VQp9P1fyyG_Ucr3pzYcfzKw

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 22 by timwillis@google.com, Mar 26 2015

@jun_fang: Please merge your fix to M42 (branch 2311).

Comment 23 by jun_f...@foxitsoftware.com, Mar 27 2015

It has been merged.

Comment 24 by timwillis@google.com, Mar 27 2015

Labels: -M-41

Comment 25 by amineer@chromium.org, Mar 31 2015

Labels: -Merge-Approved merge-merged-2311
Marking as merged per c#23.

Comment 26 by thestig@chromium.org, Mar 31 2015

We still need to roll DEPS on the branch to pick up the merge. I'll do it today when I merge + roll DEPS for bug 465322.

Comment 27 by bugdroid1@chromium.org, Mar 31 2015

Project Member
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=71114

------------------------------------------------------------------
r71114 | thestig@google.com | 2015-03-31T20:09:45.036236Z

-----------------------------------------------------------------

Comment 28 by timwillis@google.com, Apr 9 2015

Labels: -reward-topanel reward-unpaid reward-2000
Congratulations - $2000 for this report.

Notes from reward panel: "Doesn't look like there's control between use and free"

Someone from our finance team should be in contact in the next two weeks to arrange payment.

Thanks again for your report!

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 29 by timwillis@google.com, Apr 9 2015

Labels: Release-0-M42

Comment 30 by timwillis@google.com, May 6 2015

Labels: -reward-unpaid reward-inprocess

Comment 31 by ClusterFuzz, Jun 5 2015

Project Member
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 32 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 33 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 34 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic