
Issue 459654 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 446032
Owner:
Last visit > 30 days ago
Closed: May 2015
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security
Nag




Security: write to a bogus ptr in pdfium

Project Member Reported by lcamtuf@google.com, Feb 18 2015

Issue description

This test case makes pdfium_test attempt to write to bogus pointers when earlier allocations fail (possibly due to an OOM condition triggered by external factors).

I have several AFL-generated test cases that trigger very varied write addresses, so I suspect this is exploitable if you can get the right alloc to fail.

To repro (64 bit):

$ printf "%%PDF\n1 0 obj<</Pages 2 0 R>>2 0 obj<</Contents[3 0 R>>3 0 obj<<>>stream\n3 1>0\000cm 3 0 1>0 cm>>>m\000v>Sendstream\000trailer<</Root 1 0 R>>" >test.pdf
$ ulimit -Sv $[110 << 10]; ./pdfium_test test.pdf

PDF downloadable here in case that line wrap does something horrible to the printf statement: http://lcamtuf.coredump.cx/afl/vulns/test.pdf

#0  0x0000000000d89fe0 in agg::outline_aa::render_line(int, int, int, int) ()
#1  0x0000000000d8e775 in agg::outline_aa::line_to(int, int) ()
#2  0x0000000000d6828a in agg::rasterizer_scanline_aa::add_vertex(float, float, unsigned int) ()
#3  0x0000000000d7fecf in RasterizeStroke(agg::rasterizer_scanline_aa&, agg::path_storage&, CFX_Matrix const*, CFX_GraphStateData const*, float, int, int) [clone .isra.58] [clone .constprop.71] ()
#4  0x0000000000d819a3 in CFX_AggDeviceDriver::DrawPath(CFX_PathData const*, CFX_Matrix const*, CFX_GraphStateData const*, unsigned int, unsigned int, int, int, void*, int) [clone .part.59] ()
#5  0x0000000000e74fad in CFX_RenderDevice::DrawPath(CFX_PathData const*, CFX_Matrix const*, CFX_GraphStateData const*, unsigned int, unsigned int, int, int, void*, int) ()
#6  0x00000000007542fb in CPDF_RenderStatus::ProcessPath(CPDF_PathObject*, CFX_Matrix const*) ()

=> 0xd89fe0 <_ZN3agg10outline_aa11render_lineEiiii+12064>:      mov    %rax,(%rcx)

rcx            0x40bf000        67891200

 
Owner: jun_f...@foxitsoftware.com
Status: Assigned

Comment 2 by ClusterFuzz, Feb 22 2015

Labels: Missing_Severity-1 Missing_Impact-1
Labels: -Missing_Severity-1 -Missing_Impact-1 Security_Severity-High Security_Impact-Stable

Comment 4 by ClusterFuzz, Feb 24 2015

Labels: M-41

Comment 5 by ClusterFuzz, Mar 5 2015

Labels: Nag
jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 6 by ClusterFuzz, Mar 19 2015

jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 7 by ClusterFuzz, Apr 3 2015

Labels: -M-41 M-42
jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 43 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Status: Started
It seems that this issue has been fixed in the latest version of pdfium. I failed to reproduce it. Michal, can you try to reproduce this issue in the latest version of pdfium?

Comment 10 by lcamtuf@google.com, Apr 11 2015

I can check on Monday, but have you tried setting ulimit? I suspect that the right value may differ from system to system, but somewhere between 100 and 150 should probably do the trick.
Thanks for the information. Now I can reproduce it after trying the ulimit, 100.
The root cause of this issue is not checking whether memory is allocated successfully or not. I tried to fix this crash, but then it crashes somewhere else. So it's not a minor change; we need to add a check for the result of memory allocation.
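The two comments above describe the failure mode in general terms: an allocation fails under a tight address-space limit, the result is never checked, and a later write lands on an address derived from the missing buffer. The following is an added, stand-alone C example, not pdfium or AGG code, that models this with a hypothetical rasterizer cell buffer (`outline_t`, `cell_t`) and a budgeted allocator (`budgeted_alloc`, `set_alloc_budget`) standing in for the `ulimit -Sv` limit in the repro. It shows the unchecked initialization beside the hardened one and, for the unchecked case, computes the address the write would have hit instead of performing it, so the program never dereferences a bogus pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical rasterizer cell: what a scanline renderer records per pixel. */
typedef struct {
    int x, y, cover;
} cell_t;

/* Hypothetical outline object owning a cell buffer. */
typedef struct {
    cell_t *cells;
    size_t  count;
    size_t  capacity;
} outline_t;

/* Simulated allocator with a byte budget. Exceeding the budget returns NULL,
 * which is what the process sees once ulimit -Sv caps its address space. */
static size_t g_alloc_budget = (size_t)-1;
static size_t g_alloc_used = 0;

void set_alloc_budget(size_t bytes) {
    g_alloc_budget = bytes;
    g_alloc_used = 0;
}

static void *budgeted_alloc(size_t n) {
    if (n > g_alloc_budget - g_alloc_used) return NULL;
    void *p = calloc(1, n);
    if (p) g_alloc_used += n;
    return p;
}

/* Pattern described in the report: the allocation result is not checked, so the
 * object is handed back "initialized" with a NULL buffer and a non-zero capacity. */
int outline_init_unchecked(outline_t *o, size_t capacity) {
    o->cells = budgeted_alloc(capacity * sizeof(cell_t));
    o->capacity = capacity;
    o->count = 0;
    return 0; /* always reports success */
}

/* Hardened variant: guard the size computation and propagate allocation failure
 * so callers can abort rendering instead of continuing with a dangling object. */
int outline_init_checked(outline_t *o, size_t capacity) {
    o->cells = NULL;
    o->capacity = 0;
    o->count = 0;
    if (capacity > SIZE_MAX / sizeof(cell_t)) return -1; /* size would overflow */
    o->cells = budgeted_alloc(capacity * sizeof(cell_t));
    if (!o->cells) return -1;
    o->capacity = capacity;
    return 0;
}

/* Address the unchecked path would write for cell index i. With a NULL buffer
 * this is i * sizeof(cell_t): a small, input-dependent address, which is why
 * such crashes show up at varied write addresses across fuzzer test cases.
 * Computed and returned rather than written to. */
uintptr_t unchecked_write_target(const outline_t *o, size_t i) {
    return (uintptr_t)o->cells + i * sizeof(cell_t);
}

/* Record a cell. Fails cleanly when the buffer is absent or full. */
int outline_add_cell(outline_t *o, int x, int y, int cover) {
    if (!o->cells || o->count >= o->capacity) return -1;
    o->cells[o->count].x = x;
    o->cells[o->count].y = y;
    o->cells[o->count].cover = cover;
    o->count++;
    return 0;
}

void outline_free(outline_t *o) {
    free(o->cells);
    o->cells = NULL;
    o->capacity = o->count = 0;
}

int main(void) {
    outline_t o;

    set_alloc_budget(64); /* far too small for 1000 cells: every allocation fails */

    outline_init_unchecked(&o, 1000);
    printf("unchecked init: cells=%p capacity=%zu, cell 5 would be written at %#lx\n",
           (void *)o.cells, o.capacity, (unsigned long)unchecked_write_target(&o, 5));

    if (outline_init_checked(&o, 1000) != 0)
        printf("checked init: allocation failed, rendering aborted safely\n");

    set_alloc_budget((size_t)-1); /* unlimited */
    if (outline_init_checked(&o, 1000) == 0 && outline_add_cell(&o, 1, 2, 255) == 0)
        printf("checked init: ok, %zu cell(s) recorded\n", o.count);
    outline_free(&o);
    return 0;
}
```

The point of the checked variant is the one made in the comment: the check has to exist at the allocation site and its failure has to be propagated, otherwise the object escapes in a half-initialized state and the crash simply moves to whichever consumer touches it next.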

Comment 13 by ClusterFuzz, Apr 28 2015

jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 14 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 14 by ClusterFuzz, May 12 2015

jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 28 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 15 by ClusterFuzz, May 15 2015

Labels: -M-42 M-43
Issue 465437 has been merged into this issue.
Mergedinto: 446032
Status: Duplicate
This should be addressed once https://codereview.chromium.org/1147533003/ lands, so I'm going to mark all of the pdfium OOM bugs as duplicates of issue 446032.

Comment 18 by ClusterFuzz, Aug 22 2015

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
