Starred by 3 users
Status: Fixed
Owner:
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug
Google Chrome hang when parsing a PDF
Reported by francisp...@gmail.com, Feb 16 2015
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Steps to reproduce the problem:
open the pdf with chrome

What is the expected behavior?
The PDF loaded or rejected

What went wrong?
The PDF doesn't get rendered correctly

Did this work before? N/A 

Chrome version: Version 40.0.2214.111 m  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 12.0 r0

It seems to be a memory corruption error, when Google Chrome parses a PDF with invalid data in a stream.
Attachment: Google Chrome PDFium.rar (826 KB)
Comment 1 by wfh@chromium.org, Feb 16 2015
Cc: tsepez@chromium.org raymes@chromium.org
Labels: Cr-Internals-Plugins-PDF
Summary: Google Chrome hang when parsing a PDF (was: Google Chrome hanf when parsing a PDF)
Project Member Comment 2 by ClusterFuzz, Feb 16 2015
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4788958731436032
Project Member Comment 3 by ClusterFuzz, Feb 16 2015
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6266702359166976
Comment 4 by wfh@chromium.org, Feb 17 2015
Labels: -Restrict-View-SecurityTeam -Type-Bug-Security Type-Bug M-40
Owner: sa...@chromium.org
Status: Assigned
This does not affect beta, dev or canary but affects stable.  I get the following stack, frozen on Stable on CrRendererMain

3:174> k
ChildEBP RetAddr
>>>these stack frames are in motion, using 100% CPU:
007dea7c 100b8f27 pdf!PS_Conv_Strtol+0x8c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\psaux\psconv.c @ 129]
007dea98 100b873c pdf!PS_Conv_ToInt+0x1b [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\psaux\psconv.c @ 171]
007deab0 100aae55 pdf!ps_parser_to_int+0x16 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\psaux\psobjs.c @ 1364]
007deae8 100adb27 pdf!parse_encoding+0x2c7 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\type1\t1load.c @ 1276]
>>>stack frames below here are stable:
007deb04 100ad70a pdf!t1_load_keyword+0x2f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\type1\t1load.c @ 932]
007deb3c 100acb9f pdf!parse_dict+0x300 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\type1\t1load.c @ 2003]
007decf0 100a9802 pdf!T1_Open_Face+0xd3 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\type1\t1load.c @ 2110]
007ded20 10096601 pdf!T1_Face_Init+0x6a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\type1\t1objs.c @ 339]
007ded58 10093e94 pdf!open_face+0xba [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\base\ftobjs.c @ 1184]
007deda8 10093cb5 pdf!FPDFAPI_FT_Open_Face+0x110 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\base\ftobjs.c @ 2109]
007dede0 10081d9b pdf!FPDFAPI_FT_New_Memory_Face+0x38 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\fx_freetype\fxft2.5.01\src\base\ftobjs.c @ 1269]
007dee00 100820c8 pdf!FT_LoadFont+0x49 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\ge\fx_ge_font.cpp @ 174]
007dee24 0fff103e pdf!CFX_Font::LoadEmbedded+0x2e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxge\ge\fx_ge_font.cpp @ 193]
007dee58 0fff0b30 pdf!CPDF_Font::LoadFontDescriptor+0x26c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_font\fpdf_font.cpp @ 300]
007dee98 0fff2287 pdf!CPDF_SimpleFont::LoadCommon+0x40 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_font\fpdf_font.cpp @ 951]
007deeb4 0fff00bb pdf!CPDF_Type1Font::_Load+0xe5 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_font\fpdf_font.cpp @ 1068]
007deed4 0ffef90b pdf!CPDF_Font::Load+0x9d [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_font\fpdf_font.cpp @ 494]
007def04 0ffdca20 pdf!CPDF_Font::CreateFontF+0x263 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_font\fpdf_font.cpp @ 478]
007def24 0ffdd112 pdf!CPDF_DocPageData::GetFont+0x86 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_doc.cpp @ 307]
007def34 100069c5 pdf!CPDF_Document::LoadFont+0x1e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_doc.cpp @ 86]
007def50 1000537b pdf!CPDF_StreamContentParser::FindFont+0x34 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_parser.cpp @ 1310]
007def68 10006f65 pdf!CPDF_StreamContentParser::Handle_SetFont+0x63 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_parser.cpp @ 1270]
007def7c 10003083 pdf!CPDF_StreamContentParser::OnOperator+0x70 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_parser.cpp @ 381]
007df0ac 100026ba pdf!CPDF_StreamContentParser::Parse+0xb8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_parser_old.cpp @ 62]
007df0f8 0ffe0992 pdf!CPDF_ContentParser::Continue+0x1ff [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page_parser_old.cpp @ 1092]
007df10c 0ffe14ea pdf!CPDF_PageObjects::ContinueParse+0x16 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page.cpp @ 705]
007df11c 0ffaa26f pdf!CPDF_Page::ParseContent+0x1a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_page\fpdf_page.cpp @ 906]
007df138 0ffa8485 pdf!FPDF_LoadPage+0x63 [c:\b\build\slave\win\build\src\third_party\pdfium\fpdfsdk\src\fpdfview.cpp @ 376]
007df154 0ffa11c3 pdf!chrome_pdf::PDFiumPage::GetPage+0x35 [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_page.cc @ 85]
007df164 0ffa074e pdf!chrome_pdf::PDFiumEngine::FinishLoadingDocument+0x4c [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 911]
007df198 0ffa319c pdf!chrome_pdf::PDFiumEngine::ContinueLoadingDocument+0x168 [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 2247]
007df1d4 0ffa378e pdf!chrome_pdf::PDFiumEngine::LoadDocument+0xb3 [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 2146]
007df1fc 0ff8c172 pdf!chrome_pdf::PDFiumEngine::OnDocumentComplete+0xef [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 898]
007df228 0ff8b288 pdf!chrome_pdf::DocumentLoader::ReadComplete+0x8c [c:\b\build\slave\win\build\src\pdf\document_loader.cc @ 467]
007df260 0ff9c7c2 pdf!chrome_pdf::DocumentLoader::DidRead+0x18c [c:\b\build\slave\win\build\src\pdf\document_loader.cc @ 448]
(Inline) -------- pdf!pp::CompletionCallbackFactory<PaintManager,pp::ThreadSafeThreadTraits>::Dispatcher0<void (__thiscall PaintManager::*)(int)>::operator()+0xc [c:\b\build\slave\win\build\src\ppapi\utility\completion_callback_factory.h @ 605]
007df270 52d53586 pdf!pp::CompletionCallbackFactory<PaintManager,pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<PaintManager,pp::ThreadSafeThreadTraits>::Dispatcher0<void (__thiscall PaintManager::*)(int)> >::Thunk+0x22 [c:\b\build\slave\win\build\src\ppapi\utility\completion_callback_factory.h @ 584]
007df280 52f5952d chrome_child!PP_RunCompletionCallback+0xe [c:\b\build\slave\win\build\src\ppapi\c\pp_completion_callback.h @ 240]
007df290 52d53771 chrome_child!ppapi::CallWhileUnlocked<void,int,enum PP_Bool,int,enum PP_Bool>+0x15 [c:\b\build\slave\win\build\src\ppapi\shared_impl\proxy_lock.h @ 134]
007df2c8 52f3afcc chrome_child!ppapi::TrackedCallback::Run+0xe9 [c:\b\build\slave\win\build\src\ppapi\shared_impl\tracked_callback.cc @ 148]
007df2d8 52f3aadc chrome_child!ppapi::proxy::URLLoaderResource::RunCallback+0x29 [c:\b\build\slave\win\build\src\ppapi\proxy\url_loader_resource.cc @ 363]
007df2e8 52f3acda chrome_child!ppapi::proxy::URLLoaderResource::OnPluginMsgFinishedLoading+0x42 [c:\b\build\slave\win\build\src\ppapi\proxy\url_loader_resource.cc @ 310]
(Inline) -------- chrome_child!ppapi::proxy::DispatchResourceReply+0xe [c:\b\build\slave\win\build\src\ppapi\proxy\dispatch_reply_message.h @ 33]
007df3d0 51e34511 chrome_child!ppapi::proxy::URLLoaderResource::OnReplyReceived+0x93 [c:\b\build\slave\win\build\src\ppapi\proxy\url_loader_resource.cc @ 250]
007df414 52e09b09 chrome_child!content::PepperInProcessRouter::OnPluginMsgReceived+0x84 [c:\b\build\slave\win\build\src\content\renderer\pepper\pepper_in_process_router.cc @ 98]
007df424 52e09b81 chrome_child!content::PepperInProcessRouter::DispatchPluginMsg+0x10 [c:\b\build\slave\win\build\src\content\renderer\pepper\pepper_in_process_router.cc @ 162]
(Inline) -------- chrome_child!base::internal::RunnableAdapter<void (__thiscall content::PepperInProcessRouter::*)(IPC::Message *)>::Run+0x8 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 190]
007df438 52e09b9a chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall content::PepperInProcessRouter::*)(IPC::Message *)>,void __cdecl(base::WeakPtr<content::PepperInProcessRouter> const &,IPC::Message *)>::MakeItSo+0x36 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 909]
007df44c 51d4823d chrome_child!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall content::PepperInProcessRouter::*)(IPC::Message *)>,void __cdecl(content::PepperInProcessRouter *,IPC::Message *),void __cdecl(base::WeakPtr<content::PepperInProcessRouter>,base::internal::OwnedWrapper<IPC::Message>)>,void __cdecl(content::PepperInProcessRouter *,IPC::Message *)>::Run+0x15 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 1253]
(Inline) -------- chrome_child!base::Callback<void __cdecl(void)>::Run+0xb [c:\b\build\slave\win\build\src\base\callback.h @ 401]
007df4fc 51d47bfb chrome_child!base::debug::TaskAnnotator::RunTask+0x39c [c:\b\build\slave\win\build\src\base\debug\task_annotator.cc @ 63]
007df534 51d47a86 chrome_child!base::MessageLoop::RunTask+0xe4 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 449]
(Inline) -------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x115 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 456]
007df678 51d4993e chrome_child!base::MessageLoop::DoWork+0x375 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 566]
007df6a4 51d47660 chrome_child!base::MessagePumpDefault::Run+0xc8 [c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc @ 33]
007df6c8 51d47568 chrome_child!base::MessageLoop::RunHandler+0x65 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 416]
007df6f0 51d48b6f chrome_child!base::RunLoop::Run+0x88 [c:\b\build\slave\win\build\src\base\run_loop.cc @ 56]
007df714 51daa374 chrome_child!base::MessageLoop::Run+0x46 [c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc @ 309]
007df99c 51d4068f chrome_child!content::RendererMain+0x292 [c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc @ 235]
007df9b0 51d4060b chrome_child!content::RunNamedProcessTypeMain+0x61 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 423]
007dfa10 51d2d2b0 chrome_child!content::ContentMainRunnerImpl::Run+0x66 [c:\b\build\slave\win\build\src\content\app\content_main_runner.cc @ 789]
007dfa20 51d2c314 chrome_child!content::ContentMain+0x23 [c:\b\build\slave\win\build\src\content\app\content_main.cc @ 19]
007dfa68 00d94f9f chrome_child!ChromeMain+0x61 [c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc @ 60]
007dfaf8 00d94c1f chrome!MainDllLoader::Launch+0x15f [c:\b\build\slave\win\build\src\chrome\app\client_util.cc @ 206]
007dfb3c 00db664a chrome!wWinMain+0x5a [c:\b\build\slave\win\build\src\chrome\app\chrome_exe_main_win.cc @ 169]
007dfb88 7723919f chrome!__tmainCRTStartup+0xfd [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 251]
007dfb94 7789b5af KERNEL32!BaseThreadInitThunk+0xe
007dfbdc 7789b57a ntdll!__RtlUserThreadStart+0x2f
007dfbec 00000000 ntdll!_RtlUserThreadStart+0x1b

I bisected to:

You are probably looking for a change made after 312706 (known bad), but no later than 312732 (first known good).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/890e650..1753adb?pretty=fuller&n=1000

There are two PDF CLs in this range - c5eb526d0e15b28dbbbcaae87d82e022e413b20d (sammc) and c121c2269073e9249c982d9ba7c3301cb6e778a7 (raymes)

This is, at most, a functional bug we might want to merge back into M40
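The stack above was triaged by watching which frames keep moving at 100% CPU inside a string-to-integer conversion, and the thread later pins the spin on an upstream FreeType bug. As an added example that is not code from Chromium, PDFium or FreeType, and that assumes nothing about the exact FreeType defect beyond what the stack shows, here is a constructed toy digit parser in a broken and a hardened form, beside the kind of fork-and-alarm watchdog a triager uses to tell a hang from a crash without attaching a debugger. The names strtol_toy_unsafe, strtol_toy_safe, run_with_watchdog and the sample string are all mine.

```c
/*
 * Added example, not code from Chromium, PDFium or FreeType. The toy parser is
 * a constructed stand-in for the bug class (a conversion loop that stops
 * advancing on an unexpected byte); the watchdog classifies a run as OK,
 * CRASH or HANG the way comment 4's "frames in motion" observation does.
 */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { V_OK = 0, V_CRASH = 1, V_HANG = 2 };

/* Observable side effect so the compiler cannot assume the loop terminates. */
static volatile unsigned long spin_counter;

static int digit_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return -1;
}

/* Constructed, deliberately broken: on a byte that is not a valid digit the
 * loop goes round again without moving 'p', so one bad byte pins the CPU. */
static long strtol_toy_unsafe(const unsigned char **cursor, const unsigned char *limit, int base)
{
    const unsigned char *p = *cursor;
    long value = 0;
    while (p < limit) {
        int d = digit_value(*p);
        spin_counter++;
        if (d < 0 || d >= base)
            continue;            /* BUG: 'p' is never advanced past the bad byte */
        value = value * base + d;
        p++;
    }
    *cursor = p;
    return value;
}

/* Hardened version: every iteration either consumes a byte or leaves the
 * loop, so run time is bounded by the input length. */
static long strtol_toy_safe(const unsigned char **cursor, const unsigned char *limit, int base)
{
    const unsigned char *p = *cursor;
    long value = 0;
    while (p < limit) {
        int d = digit_value(*p);
        spin_counter++;
        if (d < 0 || d >= base)
            break;               /* stop at the first non-digit, like strtol */
        value = value * base + d;
        p++;
    }
    *cursor = p;
    return value;
}

typedef long (*parser_fn)(const unsigned char **, const unsigned char *, int);

/* Run 'parse' on 'data' in a forked child under an alarm. A clean exit is OK,
 * death by SIGALRM is a hang, any other abnormal end is a crash. */
enum verdict run_with_watchdog(parser_fn parse, const unsigned char *data, size_t len, unsigned seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return V_CRASH;          /* could not fork; report the run as failed */
    if (pid == 0) {
        const unsigned char *cur = data;
        signal(SIGALRM, SIG_DFL);
        alarm(seconds);
        (void)parse(&cur, data + len, 10);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return V_CRASH;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return V_OK;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGALRM)
        return V_HANG;
    return V_CRASH;
}

/* Constructed sample: a Type 1-style encoding entry where the character code
 * is followed by a non-digit, the shape of input the broken loop mishandles. */
static const unsigned char SAMPLE[] = "32 /space put";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

enum verdict triage_unsafe(void) { return run_with_watchdog(strtol_toy_unsafe, SAMPLE, SAMPLE_LEN, 1); }
enum verdict triage_safe(void)   { return run_with_watchdog(strtol_toy_safe,   SAMPLE, SAMPLE_LEN, 1); }

/* Pure checks on the hardened parser: value parsed and bytes consumed. */
long safe_parse_value(void)
{
    const unsigned char *cur = SAMPLE;
    return strtol_toy_safe(&cur, SAMPLE + SAMPLE_LEN, 10);
}
size_t safe_parse_consumed(void)
{
    const unsigned char *cur = SAMPLE;
    (void)strtol_toy_safe(&cur, SAMPLE + SAMPLE_LEN, 10);
    return (size_t)(cur - SAMPLE);
}

int main(void)
{
    printf("safe: verdict %d, value %ld, consumed %zu\n", triage_safe(), safe_parse_value(), safe_parse_consumed());
    printf("unsafe: verdict %d (2 = hang)\n", triage_unsafe());
    return 0;
}
```

The watchdog is the practical part: running an untrusted input through the parser in a child with a short alarm turns "the tab is stuck" into a reproducible verdict that can be scripted over a corpus, and a SIGALRM death distinguishes a spin like the one in comment 4 from a crash that would have produced a ClusterFuzz-style report.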
Comment 5 by raymes@chromium.org, Feb 17 2015
Neither of those two CLs should have any impact on the in-process PDF viewer that is enabled on stable.
Comment 6 by wfh@chromium.org, Feb 17 2015
Status: WontFix
Well, since M40 is well and truly out the door, and it's fixed in M41 and beyond, and it's not a security bug, there really isn't much to do here.  Closing.
Comment 7 by sa...@chromium.org, Feb 17 2015
Cc: sa...@chromium.org
Labels: -OS-Windows -M-40 OS-All M-42
Owner: ----
Status: Available
I can repro on Linux Dev at r315192 but not with a local build at r316410, nor with Beta (41.0.2272.53).

It looks like it's a PDFium issue.
Comment 8 by wfh@chromium.org, Feb 17 2015
I can't repro on latest canary 42.0.2306.0
Comment 9 by raymes@chromium.org, Feb 17 2015
We couldn't repro it on the latest canary either which is good! But given
that it's come up and gone away a few times (by the looks of it) there
could be something else which is impacting whether the bug is triggered.
Labels: -M-42 M-43 MovedFrom-42
Status: Untriaged
[AUTO] Moving all non-essential bugs to the next Milestone.  (This decision is based on the labels attached to your ticket.)


Ref: https://sites.google.com/a/chromium.org/dev/developers/ticket-milestone-punting-1
Labels: -M-43 MovedFrom-43
[AUTO] This issue has already been moved once and is lower than Priority 1, therefore removing mstone.
Labels: Needs-Feedback
OS: Win7
Chrome version: 46.0.2486.0 dev-m

Unable to reproduce rendering issue after loading Original.pdf & poc.pdf files. No issue observed.

raymes@, wfh@: Do we still plan to keep this bug open? Since there are no recent reports on this issue, shall I go ahead and close it?
I have no plan to investigate. wfh: thoughts?
Labels: -Needs-Feedback
At least on Linux with pdfium_test, it's hanging the system libfreetype.so. The hang stopped when pdfium_test switched over to using a bundled libfreetype. Annoyingly, there's no symbols for the Ubuntu libfreetype6 package, so I can't see where it's hanging easily.
*hanging in the*
Status: ExternalDependency
This is http://savannah.nongnu.org/bugs/index.php?41590

On non-Linux platforms, it's no longer a problem because the copy of freetype there has been patched since comment 4.

On Linux, it's up to the Linux distros to patch.
Owner: thestig@chromium.org
Status: Fixed
Ubuntu pushed out updates for their libfreetype6.