Starred by 4 users
Status: Fixed
Closed: Mar 2016
OS: Windows
Pri: 1
Type: Bug-Security
ZDI-CAN-3594: New Vulnerability Report
Reported by zdi-disc...@hp.com, Mar 3 2016
Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability
Attachment: ZDI-CAN-3594.zip (106 KB)
Labels: -Type-Bug Restrict-View-SecurityTeam Type-Bug-Security
Adding view restrictions. Please make sure to use the correct template when filing security bugs.
I'm chatting to a contact at ZDI - they are apparently running into some form length limits on submission.
Cc: timwillis@chromium.org
Attached files from the zip. Be careful with the POC as it hasn't been checked.
Attachments: ZDI-CAN-3594.pcap (63.5 KB), poc.pdf (57.0 KB)
Components: Internals>Plugins>PDF
Owner: och...@chromium.org
Status: Assigned
Cc: jialiul@chromium.org
Labels: Security_Severity-High Security_Impact-Head
Comment 8 by zdi-disc...@hp.com, Mar 4 2016
ZDI-CAN-3594: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability


-- CVSS -----------------------------------------

4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N


-- ABSTRACT -------------------------------------

HP's Zero Day Initiative has identified a vulnerability affecting the following products:

  Google Chrome


-- VULNERABILITY DETAILS ------------------------

Tested on win8.1 32 bit / Google Chrome Canary 51.0.2665.0:

This is an out-of-bounds read when parsing JPEG2000 images inside a PDF:

```

(d40.81c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00020000 ebx=00000000 ecx=08fc9f60 edx=09dc1000 esi=07832fe8 edi=00000000
eip=5921f947 esp=0094edd0 ebp=0094ee1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
5921f947 8b1482          mov     edx,dword ptr [edx+eax*4] ds:0023:09e41000=????????
5:049> kvb
ChildEBP RetAddr  Args to Child              
0094ee1c 5921f71a 00000000 00000600 00000200 chrome_child!CJPX_Decoder::Decode+0x229 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]
0094ee30 5920f7dd 07832fe8 0a0c0ff8 00000600 chrome_child!CCodec_JpxModule::Decode+0x14 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 884]
0094ee7c 5920dfdf 055e0f98 055e0f70 08e88fe0 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x1d3 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 753]
0094eea8 59210070 057a3fe0 08dc4fd8 057a3fe8 chrome_child!CPDF_DIBSource::CreateDecoder+0x1fa (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 654]
0094eecc 591fbcee 0792cfa8 08e88fe0 00000001 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x15f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 374]
0094eef8 591fbd8e 00000000 08e08fe8 00000000 chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x60 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 283]
0094ef30 5920fe84 08e88fe0 00000000 00000000 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0x76 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 124]
0094ef60 5920fe3b 08e32fb8 08e9cfb8 057a3fe0 chrome_child!CPDF_ImageLoaderHandle::Start+0x44 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1576]
0094ef90 591fd854 08e9cfb8 057a3fe0 08e32ff4 chrome_child!CPDF_ImageLoader::Start+0x51 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1637]
0094efe8 591fd2f6 08e9cfb8 0587af50 08dc8fe4 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0x70 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 335]
0094effc 591d5d07 0587af50 08e9cfb8 08dc8fe4 chrome_child!CPDF_ImageRenderer::Start+0x6b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 475]
5:049> r
eax=00020000 ebx=00000000 ecx=08fc9f60 edx=09dc1000 esi=07832fe8 edi=00000000
eip=5921f947 esp=0094edd0 ebp=0094ee1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
5921f947 8b1482          mov     edx,dword ptr [edx+eax*4] ds:0023:09e41000=????????
5:049> u
chrome_child!CJPX_Decoder::Decode+0x229 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
5921f947 8b1482          mov     edx,dword ptr [edx+eax*4]
5921f94a 8b4508          mov     eax,dword ptr [ebp+8]
5921f94d 395c0120        cmp     dword ptr [ecx+eax+20h],ebx
5921f951 740c            je      chrome_child!CJPX_Decoder::Decode+0x241 (5921f95f)
5921f953 8b4c0118        mov     ecx,dword ptr [ecx+eax+18h]
5921f957 33c0            xor     eax,eax
5921f959 49              dec     ecx
5921f95a 40              inc     eax
5:049> uf .
chrome_child!CJPX_Decoder::Decode [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 789]:
  789 5921f71e 55              push    ebp
  789 5921f71f 8bec            mov     ebp,esp
  789 5921f721 83ec40          sub     esp,40h
  789 5921f724 56              push    esi
  789 5921f725 8bf1            mov     esi,ecx
  789 5921f727 57              push    edi
  790 5921f728 8b4608          mov     eax,dword ptr [esi+8]
  790 5921f72b 8b4818          mov     ecx,dword ptr [eax+18h]
  790 5921f72e 8b7908          mov     edi,dword ptr [ecx+8]
  790 5921f731 3b7808          cmp     edi,dword ptr [eax+8]
  790 5921f734 0f85de020000    jne     chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x1c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 790]:
  790 5921f73a 8b500c          mov     edx,dword ptr [eax+0Ch]
  790 5921f73d 39510c          cmp     dword ptr [ecx+0Ch],edx
  790 5921f740 0f85d2020000    jne     chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x28 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 793]:
  793 5921f746 8b4010          mov     eax,dword ptr [eax+10h]
  793 5921f749 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
  793 5921f74c 0fafc7          imul    eax,edi
  793 5921f74f 8d04c51f000000  lea     eax,[eax*8+1Fh]
  793 5921f756 c1f803          sar     eax,3
  793 5921f759 83e0fc          and     eax,0FFFFFFFCh
  793 5921f75c 3bc8            cmp     ecx,eax
  793 5921f75e 0f8cb4020000    jl      chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x46 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 796]:
  796 5921f764 0fafd1          imul    edx,ecx
  796 5921f767 53              push    ebx
  796 5921f768 52              push    edx
  796 5921f769 68ff000000      push    0FFh
  796 5921f76e ff7508          push    dword ptr [ebp+8]
  796 5921f771 e8ca2267fe      call    chrome_child!memset (57891a40)
  797 5921f776 8b4608          mov     eax,dword ptr [esi+8]
  797 5921f779 8d4dc0          lea     ecx,[ebp-40h]
  797 5921f77c 83c40c          add     esp,0Ch
  797 5921f77f ff7010          push    dword ptr [eax+10h]
  797 5921f782 e8abfeffff      call    chrome_child!std::vector<unsigned char *,std::allocator<unsigned char *> >::vector<unsigned char *,std::allocator<unsigned char *> > (5921f632)
  798 5921f787 8b4608          mov     eax,dword ptr [esi+8]
  798 5921f78a 8d4dcc          lea     ecx,[ebp-34h]
  798 5921f78d ff7010          push    dword ptr [eax+10h]
  798 5921f790 e8df80cefe      call    chrome_child!std::vector<int,std::allocator<int> >::vector<int,std::allocator<int> > (57f07874)
  799 5921f795 8b4608          mov     eax,dword ptr [esi+8]
  799 5921f798 33db            xor     ebx,ebx
  799 5921f79a 8b55cc          mov     edx,dword ptr [ebp-34h]
  799 5921f79d 8bfb            mov     edi,ebx
  799 5921f79f 8955f4          mov     dword ptr [ebp-0Ch],edx
  799 5921f7a2 395810          cmp     dword ptr [eax+10h],ebx
  799 5921f7a5 767c            jbe     chrome_child!CJPX_Decoder::Decode+0x105 (5921f823)

chrome_child!CJPX_Decoder::Decode+0x89 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
  799 5921f7a7 8b45c0          mov     eax,dword ptr [ebp-40h]
  799 5921f7aa 8bcb            mov     ecx,ebx
  799 5921f7ac 2bc2            sub     eax,edx
  799 5921f7ae 8955f0          mov     dword ptr [ebp-10h],edx
  799 5921f7b1 8945e4          mov     dword ptr [ebp-1Ch],eax

chrome_child!CJPX_Decoder::Decode+0x96 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 800]:
  800 5921f7b4 8b4510          mov     eax,dword ptr [ebp+10h]
  800 5921f7b7 8b5de4          mov     ebx,dword ptr [ebp-1Ch]
  802 5921f7ba 6a00            push    0
  802 5921f7bc 8b00            mov     eax,dword ptr [eax]
  802 5921f7be 0fb60438        movzx   eax,byte ptr [eax+edi]
  802 5921f7c2 034508          add     eax,dword ptr [ebp+8]
  802 5921f7c5 890413          mov     dword ptr [ebx+edx],eax
  802 5921f7c8 8b4608          mov     eax,dword ptr [esi+8]
  802 5921f7cb 5b              pop     ebx
  802 5921f7cc 8b4018          mov     eax,dword ptr [eax+18h]
  802 5921f7cf 8b440818        mov     eax,dword ptr [eax+ecx+18h]
  802 5921f7d3 83e808          sub     eax,8
  802 5921f7d6 8902            mov     dword ptr [edx],eax
  802 5921f7d8 85ff            test    edi,edi
  802 5921f7da 7432            je      chrome_child!CJPX_Decoder::Decode+0xf0 (5921f80e)

chrome_child!CJPX_Decoder::Decode+0xbe [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
  805 5921f7dc 8b4608          mov     eax,dword ptr [esi+8]
  805 5921f7df 8b5018          mov     edx,dword ptr [eax+18h]
  805 5921f7e2 8b040a          mov     eax,dword ptr [edx+ecx]
  805 5921f7e5 3b440acc        cmp     eax,dword ptr [edx+ecx-34h]
  805 5921f7e9 0f8514020000    jne     chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xd1 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
  805 5921f7ef 8b440a04        mov     eax,dword ptr [edx+ecx+4]
  805 5921f7f3 3b440ad0        cmp     eax,dword ptr [edx+ecx-30h]
  805 5921f7f7 0f8506020000    jne     chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xdf [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
  805 5921f7fd 8b440a18        mov     eax,dword ptr [edx+ecx+18h]
  805 5921f801 3b440ae4        cmp     eax,dword ptr [edx+ecx-1Ch]
  805 5921f805 0f85f8010000    jne     chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xed [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
  805 5921f80b 8b55f0          mov     edx,dword ptr [ebp-10h]

chrome_child!CJPX_Decoder::Decode+0xf0 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
  799 5921f80e 8b4608          mov     eax,dword ptr [esi+8]
  799 5921f811 47              inc     edi
  799 5921f812 83c204          add     edx,4
  799 5921f815 83c134          add     ecx,34h
  799 5921f818 8955f0          mov     dword ptr [ebp-10h],edx
  799 5921f81b 3b7810          cmp     edi,dword ptr [eax+10h]
  799 5921f81e 7294            jb      chrome_child!CJPX_Decoder::Decode+0x96 (5921f7b4)

chrome_child!CJPX_Decoder::Decode+0x102 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
  799 5921f820 8b55cc          mov     edx,dword ptr [ebp-34h]

chrome_child!CJPX_Decoder::Decode+0x105 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 810]:
  810 5921f823 8b4e08          mov     ecx,dword ptr [esi+8]
  812 5921f826 895de4          mov     dword ptr [ebp-1Ch],ebx
  812 5921f829 8b4118          mov     eax,dword ptr [ecx+18h]
  812 5921f82c 8b7808          mov     edi,dword ptr [eax+8]
  812 5921f82f 8b400c          mov     eax,dword ptr [eax+0Ch]
  812 5921f832 897d10          mov     dword ptr [ebp+10h],edi
  812 5921f835 8945f8          mov     dword ptr [ebp-8],eax
  812 5921f838 395910          cmp     dword ptr [ecx+10h],ebx
  812 5921f83b 0f86c0010000    jbe     chrome_child!CJPX_Decoder::Decode+0x2e3 (5921fa01)

chrome_child!CJPX_Decoder::Decode+0x123 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 812]:
  812 5921f841 8b4dc0          mov     ecx,dword ptr [ebp-40h]
  812 5921f844 8bc3            mov     eax,ebx
  812 5921f846 2bca            sub     ecx,edx
  812 5921f848 895d08          mov     dword ptr [ebp+8],ebx
  812 5921f84b 894dd8          mov     dword ptr [ebp-28h],ecx

chrome_child!CJPX_Decoder::Decode+0x130 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 813]:
  813 5921f84e 8b0c0a          mov     ecx,dword ptr [edx+ecx]
  813 5921f851 894dfc          mov     dword ptr [ebp-4],ecx
  814 5921f854 391a            cmp     dword ptr [edx],ebx
  814 5921f856 0f8da8000000    jge     chrome_child!CJPX_Decoder::Decode+0x1e6 (5921f904)

chrome_child!CJPX_Decoder::Decode+0x13e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
  815 5921f85c 837df800        cmp     dword ptr [ebp-8],0
  815 5921f860 0f8e76010000    jle     chrome_child!CJPX_Decoder::Decode+0x2be (5921f9dc)

chrome_child!CJPX_Decoder::Decode+0x148 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
  815 5921f866 8b4df8          mov     ecx,dword ptr [ebp-8]
  815 5921f869 8bc3            mov     eax,ebx
  815 5921f86b 894de8          mov     dword ptr [ebp-18h],ecx
  815 5921f86e 8b4d10          mov     ecx,dword ptr [ebp+10h]
  815 5921f871 8945ec          mov     dword ptr [ebp-14h],eax

chrome_child!CJPX_Decoder::Decode+0x156 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
  817 5921f874 8bfb            mov     edi,ebx
  817 5921f876 85c9            test    ecx,ecx
  817 5921f878 7e6c            jle     chrome_child!CJPX_Decoder::Decode+0x1c8 (5921f8e6)

chrome_child!CJPX_Decoder::Decode+0x15c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 816]:
  816 5921f87a 8945f0          mov     dword ptr [ebp-10h],eax

chrome_child!CJPX_Decoder::Decode+0x15f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 818]:
  818 5921f87d 8b4608          mov     eax,dword ptr [esi+8]
  818 5921f880 8b4810          mov     ecx,dword ptr [eax+10h]
  818 5921f883 8b4018          mov     eax,dword ptr [eax+18h]
```

Comment 9 by zdi-disc...@hp.com, Mar 4 2016

```
  819 5921f886 0fafcf          imul    ecx,edi
  819 5921f889 8945e0          mov     dword ptr [ebp-20h],eax
  819 5921f88c 034dfc          add     ecx,dword ptr [ebp-4]
  819 5921f88f 894df4          mov     dword ptr [ebp-0Ch],ecx
  819 5921f892 8b4d08          mov     ecx,dword ptr [ebp+8]
  819 5921f895 8b44082c        mov     eax,dword ptr [eax+ecx+2Ch]
  819 5921f899 8b4df0          mov     ecx,dword ptr [ebp-10h]
  819 5921f89c 8b0401          mov     eax,dword ptr [ecx+eax]
  822 5921f89f 8b4d08          mov     ecx,dword ptr [ebp+8]
  822 5921f8a2 8945dc          mov     dword ptr [ebp-24h],eax
  822 5921f8a5 8b45e0          mov     eax,dword ptr [ebp-20h]
  822 5921f8a8 395c0820        cmp     dword ptr [eax+ecx+20h],ebx
  822 5921f8ac 740c            je      chrome_child!CJPX_Decoder::Decode+0x19c (5921f8ba)

chrome_child!CJPX_Decoder::Decode+0x190 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 822]:
  822 5921f8ae 8b4c0818        mov     ecx,dword ptr [eax+ecx+18h]
  822 5921f8b2 33c0            xor     eax,eax
  822 5921f8b4 49              dec     ecx
  822 5921f8b5 40              inc     eax
  822 5921f8b6 d3e0            shl     eax,cl
  822 5921f8b8 eb02            jmp     chrome_child!CJPX_Decoder::Decode+0x19e (5921f8bc)

chrome_child!CJPX_Decoder::Decode+0x19c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 822]:
  822 5921f8ba 8bc3            mov     eax,ebx

chrome_child!CJPX_Decoder::Decode+0x19e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 823]:
  823 5921f8bc 833a00          cmp     dword ptr [edx],0
  823 5921f8bf 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
  823 5921f8c2 7e04            jle     chrome_child!CJPX_Decoder::Decode+0x1aa (5921f8c8)

chrome_child!CJPX_Decoder::Decode+0x1a6 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 824]:
  824 5921f8c4 8819            mov     byte ptr [ecx],bl
  825 5921f8c6 eb0e            jmp     chrome_child!CJPX_Decoder::Decode+0x1b8 (5921f8d6)

chrome_child!CJPX_Decoder::Decode+0x1aa [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 826]:
  826 5921f8c8 8b0a            mov     ecx,dword ptr [edx]
  826 5921f8ca 0245dc          add     al,byte ptr [ebp-24h]
  826 5921f8cd f7d9            neg     ecx
  826 5921f8cf d2e0            shl     al,cl
  826 5921f8d1 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
  826 5921f8d4 8801            mov     byte ptr [ecx],al

chrome_child!CJPX_Decoder::Decode+0x1b8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
  817 5921f8d6 8345f004        add     dword ptr [ebp-10h],4
  817 5921f8da 47              inc     edi
  817 5921f8db 3b7d10          cmp     edi,dword ptr [ebp+10h]
  817 5921f8de 7c9d            jl      chrome_child!CJPX_Decoder::Decode+0x15f (5921f87d)

chrome_child!CJPX_Decoder::Decode+0x1c2 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
  817 5921f8e0 8b45ec          mov     eax,dword ptr [ebp-14h]
  817 5921f8e3 8b4d10          mov     ecx,dword ptr [ebp+10h]

chrome_child!CJPX_Decoder::Decode+0x1c8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
  815 5921f8e6 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
  815 5921f8e9 017dfc          add     dword ptr [ebp-4],edi
  815 5921f8ec 8bf9            mov     edi,ecx
  815 5921f8ee c1e702          shl     edi,2
  815 5921f8f1 03c7            add     eax,edi
  815 5921f8f3 ff4de8          dec     dword ptr [ebp-18h]
  815 5921f8f6 8945ec          mov     dword ptr [ebp-14h],eax
  815 5921f8f9 0f8575ffffff    jne     chrome_child!CJPX_Decoder::Decode+0x156 (5921f874)

chrome_child!CJPX_Decoder::Decode+0x1e1 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 829]:
  829 5921f8ff e9d5000000      jmp     chrome_child!CJPX_Decoder::Decode+0x2bb (5921f9d9)

chrome_child!CJPX_Decoder::Decode+0x1e6 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
  831 5921f904 837df800        cmp     dword ptr [ebp-8],0
  831 5921f908 0f8ece000000    jle     chrome_child!CJPX_Decoder::Decode+0x2be (5921f9dc)

chrome_child!CJPX_Decoder::Decode+0x1f0 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
  831 5921f90e 8b55f8          mov     edx,dword ptr [ebp-8]
  831 5921f911 8bc3            mov     eax,ebx
  831 5921f913 8945f0          mov     dword ptr [ebp-10h],eax
  831 5921f916 8955ec          mov     dword ptr [ebp-14h],edx

chrome_child!CJPX_Decoder::Decode+0x1fb [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
  833 5921f919 837d1000        cmp     dword ptr [ebp+10h],0
  833 5921f91d 8bfb            mov     edi,ebx
  833 5921f91f 0f8e9b000000    jle     chrome_child!CJPX_Decoder::Decode+0x2a2 (5921f9c0)

chrome_child!CJPX_Decoder::Decode+0x207 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 834]:
  834 5921f925 8b4608          mov     eax,dword ptr [esi+8]
  834 5921f928 8b4810          mov     ecx,dword ptr [eax+10h]
  834 5921f92b 0fafcf          imul    ecx,edi
  834 5921f92e 034dfc          add     ecx,dword ptr [ebp-4]
  834 5921f931 894de8          mov     dword ptr [ebp-18h],ecx
  835 5921f934 8b4818          mov     ecx,dword ptr [eax+18h]
  835 5921f937 8b4508          mov     eax,dword ptr [ebp+8]
  835 5921f93a 8b54012c        mov     edx,dword ptr [ecx+eax+2Ch]
  835 5921f93e 85d2            test    edx,edx
  835 5921f940 746b            je      chrome_child!CJPX_Decoder::Decode+0x28f (5921f9ad)

chrome_child!CJPX_Decoder::Decode+0x224 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
  838 5921f942 8b45f0          mov     eax,dword ptr [ebp-10h]
  838 5921f945 03c7            add     eax,edi
  838 5921f947 8b1482          mov     edx,dword ptr [edx+eax*4]
  841 5921f94a 8b4508          mov     eax,dword ptr [ebp+8]
  841 5921f94d 395c0120        cmp     dword ptr [ecx+eax+20h],ebx
  841 5921f951 740c            je      chrome_child!CJPX_Decoder::Decode+0x241 (5921f95f)

chrome_child!CJPX_Decoder::Decode+0x235 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
  841 5921f953 8b4c0118        mov     ecx,dword ptr [ecx+eax+18h]
  841 5921f957 33c0            xor     eax,eax
  841 5921f959 49              dec     ecx
  841 5921f95a 40              inc     eax
  841 5921f95b d3e0            shl     eax,cl
  841 5921f95d eb02            jmp     chrome_child!CJPX_Decoder::Decode+0x243 (5921f961)

chrome_child!CJPX_Decoder::Decode+0x241 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
  841 5921f95f 8bc3            mov     eax,ebx

chrome_child!CJPX_Decoder::Decode+0x243 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
  841 5921f961 03d0            add     edx,eax
  842 5921f963 8b45f4          mov     eax,dword ptr [ebp-0Ch]
  842 5921f966 8b00            mov     eax,dword ptr [eax]
  842 5921f968 8945dc          mov     dword ptr [ebp-24h],eax
  842 5921f96b 8d48ff          lea     ecx,[eax-1]
  842 5921f96e 85c9            test    ecx,ecx
  842 5921f970 790b            jns     chrome_child!CJPX_Decoder::Decode+0x25f (5921f97d)

chrome_child!CJPX_Decoder::Decode+0x254 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 843]:
  843 5921f972 8bc8            mov     ecx,eax
  843 5921f974 d3fa            sar     edx,cl
  843 5921f976 8b4de8          mov     ecx,dword ptr [ebp-18h]
  843 5921f979 8811            mov     byte ptr [ecx],dl
  844 5921f97b eb30            jmp     chrome_child!CJPX_Decoder::Decode+0x28f (5921f9ad)

chrome_child!CJPX_Decoder::Decode+0x25f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
  846 5921f97d 8bc2            mov     eax,edx
  846 5921f97f d3f8            sar     eax,cl
  846 5921f981 2501000080      and     eax,80000001h
  846 5921f986 7905            jns     chrome_child!CJPX_Decoder::Decode+0x26f (5921f98d)

chrome_child!CJPX_Decoder::Decode+0x26a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
  846 5921f988 48              dec     eax
  846 5921f989 83c8fe          or      eax,0FFFFFFFEh
  846 5921f98c 40              inc     eax

chrome_child!CJPX_Decoder::Decode+0x26f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
  846 5921f98d 8b4ddc          mov     ecx,dword ptr [ebp-24h]
  846 5921f990 d3fa            sar     edx,cl
  847 5921f992 b9ff000000      mov     ecx,0FFh
  847 5921f997 03c2            add     eax,edx
  847 5921f999 3bc1            cmp     eax,ecx
  847 5921f99b 7e04            jle     chrome_child!CJPX_Decoder::Decode+0x283 (5921f9a1)

chrome_child!CJPX_Decoder::Decode+0x27f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 848]:
  848 5921f99d 8bc1            mov     eax,ecx
  848 5921f99f eb07            jmp     chrome_child!CJPX_Decoder::Decode+0x28a (5921f9a8)

chrome_child!CJPX_Decoder::Decode+0x283 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 849]:
  849 5921f9a1 33c9            xor     ecx,ecx
  849 5921f9a3 85c0            test    eax,eax
  849 5921f9a5 0f48c1          cmovs   eax,ecx

chrome_child!CJPX_Decoder::Decode+0x28a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 852]:
  852 5921f9a8 8b4de8          mov     ecx,dword ptr [ebp-18h]
  852 5921f9ab 8801            mov     byte ptr [ecx],al

chrome_child!CJPX_Decoder::Decode+0x28f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
  833 5921f9ad 47              inc     edi
  833 5921f9ae 3b7d10          cmp     edi,dword ptr [ebp+10h]
  833 5921f9b1 0f8c6effffff    jl      chrome_child!CJPX_Decoder::Decode+0x207 (5921f925)

chrome_child!CJPX_Decoder::Decode+0x299 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
  833 5921f9b7 8b45f0          mov     eax,dword ptr [ebp-10h]
  833 5921f9ba 8b4dfc          mov     ecx,dword ptr [ebp-4]
  833 5921f9bd 8b55ec          mov     edx,dword ptr [ebp-14h]

chrome_child!CJPX_Decoder::Decode+0x2a2 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
  831 5921f9c0 034d0c          add     ecx,dword ptr [ebp+0Ch]
  831 5921f9c3 034510          add     eax,dword ptr [ebp+10h]
  831 5921f9c6 4a              dec     edx
  831 5921f9c7 894dfc          mov     dword ptr [ebp-4],ecx
  831 5921f9ca 8945f0          mov     dword ptr [ebp-10h],eax
  831 5921f9cd 8955ec          mov     dword ptr [ebp-14h],edx
  831 5921f9d0 0f8543ffffff    jne     chrome_child!CJPX_Decoder::Decode+0x1fb (5921f919)

chrome_child!CJPX_Decoder::Decode+0x2b8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
  831 5921f9d6 8b55f4          mov     edx,dword ptr [ebp-0Ch]

chrome_child!CJPX_Decoder::Decode+0x2bb [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
  831 5921f9d9 8b4508          mov     eax,dword ptr [ebp+8]

chrome_child!CJPX_Decoder::Decode+0x2be [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 812]:
  812 5921f9dc 8b4de4          mov     ecx,dword ptr [ebp-1Ch]
  812 5921f9df 83c034          add     eax,34h
  812 5921f9e2 894508          mov     dword ptr [ebp+8],eax
  812 5921f9e5 41              inc     ecx
  812 5921f9e6 8b4608          mov     eax,dword ptr [esi+8]
  812 5921f9e9 83c204          add     edx,4
  812 5921f9ec 894de4          mov     dword ptr [ebp-1Ch],ecx
  812 5921f9ef 8955f4          mov     dword ptr [ebp-0Ch],edx
  812 5921f9f2 3b4810          cmp     ecx,dword ptr [eax+10h]
  812 5921f9f5 8b4508          mov     eax,dword ptr [ebp+8]
  812 5921f9f8 8b4dd8          mov     ecx,dword ptr [ebp-28h]
  812 5921f9fb 0f824dfeffff    jb      chrome_child!CJPX_Decoder::Decode+0x130 (5921f84e)

chrome_child!CJPX_Decoder::Decode+0x2e3 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 858]:
  858 5921fa01 b301            mov     bl,1

chrome_child!CJPX_Decoder::Decode+0x2e5 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 858]:
  858 5921fa03 8d4dcc          lea     ecx,[ebp-34h]
  858 5921fa06 e8341169fe      call    chrome_child!std::vector<HINSTANCE__ *,std::allocator<HINSTANCE__ *> >::_Tidy (578b0b3f)
  858 5921fa0b 8d4dc0          lea     ecx,[ebp-40h]
  858 5921fa0e e88d6368fe      call    chrome_child!std::vector<std::_List_unchecked_iterator<std::_List_val<std::_List_simple_types<std::pair<int const ,media::WebMediaPlayerDelegate::Observer *> > > >,std::_Wrap_alloc<std::allocator<std::_List_unchecked_iterator<std::_List_val<std::_List_simple_types<std::pair<int const ,media::WebMediaPlayerDelegate::Observer *> > > > > > >::_Tidy (578a5da0)
  858 5921fa13 8ac3            mov     al,bl
  858 5921fa15 5b              pop     ebx
  858 5921fa16 eb02            jmp     chrome_child!CJPX_Decoder::Decode+0x2fc (5921fa1a)

chrome_child!CJPX_Decoder::Decode+0x2fa [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 791]:
  791 5921fa18 32c0            xor     al,al

chrome_child!CJPX_Decoder::Decode+0x2fc [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 791]:
  791 5921fa1a 5f              pop     edi
  791 5921fa1b 5e              pop     esi
  859 5921fa1c 8be5            mov     esp,ebp
  859 5921fa1e 5d              pop     ebp
  859 5921fa1f c20c00          ret     0Ch

3:041> .reload
Reloading current modules
.................................................
3:041> r
eax=00020000 ebx=00000000 ecx=08db2f60 edx=09bb1000 esi=08c5efe8 edi=00000000
eip=58423528 esp=0062f000 ebp=0062f04c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
58423528 8b1482          mov     edx,dword ptr [edx+eax*4] ds:0023:09c31000=????????
3:041> kvb
ChildEBP RetAddr  Args to Child              
0062f04c 584232fb 00000000 00000600 00000200 chrome_child!CJPX_Decoder::Decode+0x229 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]
0062f060 58413327 08c5efe8 09eb0ff8 00000600 chrome_child!CCodec_JpxModule::Decode+0x14 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 884]
0062f0ac 58411b29 08b8af98 08b8af70 08c86fe0 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x1d3 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 753]
0062f0d8 58413bba 04e3efe0 055c3fd8 04e3efe8 chrome_child!CPDF_DIBSource::CreateDecoder+0x1fa (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 654]
0062f0fc 583ff814 0771cfa8 08c86fe0 00000001 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x15f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 374]
0062f128 583ff8b4 00000000 08c06fe8 00000000 chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x60 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 283]
0062f160 584139ce 08c86fe0 00000000 00000000 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0x76 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 124]
0062f190 58413985 05102fb8 08c9afb8 04e3efe0 chrome_child!CPDF_ImageLoaderHandle::Start+0x44 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1576]
0062f1c0 5840137a 08c9afb8 04e3efe0 05102ff4 chrome_child!CPDF_ImageLoader::Start+0x51 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1637]
0062f218 58400e1c 08c9afb8 08d7cf50 08ccefe4 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0x70 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 335]
0062f22c 583d914d 08d7cf50 08c9afb8 08ccefe4 chrome_child!CPDF_ImageRenderer::Start+0x6b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 475]
3:041> u
chrome_child!CJPX_Decoder::Decode+0x229 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
58423528 8b1482          mov     edx,dword ptr [edx+eax*4]
5842352b 8b4508          mov     eax,dword ptr [ebp+8]
5842352e 395c0120        cmp     dword ptr [ecx+eax+20h],ebx
58423532 740c            je      chrome_child!CJPX_Decoder::Decode+0x241 (58423540)
58423534 8b4c0118        mov     ecx,dword ptr [ecx+eax+18h]
58423538 33c0            xor     eax,eax
5842353a 49              dec     ecx
5842353b 40              inc     eax
3:041> u
chrome_child!CJPX_Decoder::Decode+0x23d [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
5842353c d3e0            shl     eax,cl
5842353e eb02            jmp     chrome_child!CJPX_Decoder::Decode+0x243 (58423542)
58423540 8bc3            mov     eax,ebx
58423542 03d0            add     edx,eax
58423544 8b45f4          mov     eax,dword ptr [ebp-0Ch]
58423547 8b00            mov     eax,dword ptr [eax]
58423549 8945dc          mov     dword ptr [ebp-24h],eax
5842354c 8d48ff          lea     ecx,[eax-1]
3:041> ub @eip
chrome_child!CJPX_Decoder::Decode+0x213 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 834]:
58423512 894de8          mov     dword ptr [ebp-18h],ecx
58423515 8b4818          mov     ecx,dword ptr [eax+18h]
58423518 8b4508          mov     eax,dword ptr [ebp+8]
5842351b 8b54012c        mov     edx,dword ptr [ecx+eax+2Ch]
5842351f 85d2            test    edx,edx
58423521 746b            je      chrome_child!CJPX_Decoder::Decode+0x28f (5842358e)
58423523 8b45f0          mov     eax,dword ptr [ebp-10h]
58423526 03c7            add     eax,edi
3:041> r
eax=00020000 ebx=00000000 ecx=08db2f60 edx=09bb1000 esi=08c5efe8 edi=00000000
eip=58423528 esp=0062f000 ebp=0062f04c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
58423528 8b1482          mov     edx,dword ptr [edx+eax*4] ds:0023:09c31000=????????
3:041> lmvm chrome_child
start    end        module name
56a90000 596a9000   chrome_child   (private pdb symbols)  c:\code\symbols\chrome_child.dll.pdb\B7CE6286E9134BAA849C284AC4E929B11\chrome_child.dll.pdb
    Loaded symbol image file: C:\Users\ZDI\AppData\Local\Google\Chrome SxS\Application\51.0.2665.0\chrome_child.dll
    Image path: C:\Users\ZDI\AppData\Local\Google\Chrome SxS\Application\51.0.2665.0\chrome_child.dll
    Image name: chrome_child.dll
    Timestamp:        Tue Mar 01 21:46:20 2016 (56D67E2C)
    CheckSum:         02AB798E
    ImageSize:        02C19000
    File version:     51.0.2665.0
    Product version:  51.0.2665.0
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   51.0.2665.0
    FileVersion:      51.0.2665.0
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2015 Google Inc. All rights reserved.
3:041> vertarget
Windows 7 Version 9200 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17031 (winblue_gdr.140221-1952)
Machine Name:
Debug session time: Thu Mar  3 05:57:59.944 2016 (GMT-8)
System Uptime: 0 days 0:10:36.516
Process Uptime: 0 days 0:04:19.317
  Kernel time: 0 days 0:00:00.062
  User time: 0 days 0:00:00.031


```

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   kdot working with HP's Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120 day deadline is reached and no patch has been made available, we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@hpe.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint and acquired by Hewlett-Packard, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is used. The ZDI does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its HP TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/


Project Member Comment 11 by clusterf...@chromium.org, Mar 4 2016
Labels: M-51
Project Member Comment 12 by clusterf...@chromium.org, Mar 10 2016
Labels: -Pri-2 Pri-1 ReleaseBlock-Beta
This medium+ severity security issue is a regression on trunk.

Please fix this asap. If you are unable to look into this soon, please revert your change.

- Your friendly ClusterFuzz
Project Member Comment 13 by clusterf...@chromium.org, Mar 11 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5740792408178688
Cc: thestig@chromium.org tsepez@chromium.org och...@chromium.org
Issue 594043 has been merged into this issue.
Project Member Comment 15 by clusterf...@chromium.org, Mar 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775

Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.

Cc: jun_f...@foxitsoftware.com
Project Member Comment 18 by bugdroid1@chromium.org, Mar 15 2016
Labels: -ReleaseBlock-Beta -Security_Impact-Head -Security_Severity-High -M-51 Security_Severity-Medium Security_Impact-Stable M-50
Status: Fixed
Project Member Comment 20 by clusterf...@chromium.org, Mar 15 2016
Labels: -Restrict-View-SecurityTeam Merge-Triage M-49 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 21 by clusterf...@chromium.org, Mar 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775

Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 22 by clusterf...@chromium.org, Mar 16 2016
ClusterFuzz has detected this issue as fixed in range 381067:381276.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=381067:381276

Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 23 by clusterf...@chromium.org, Mar 16 2016
ClusterFuzz has detected this issue as fixed in range 381067:381276.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=381067:381276

Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Merge-Request-50
Requesting merge.
Comment 25 by tin...@google.com, Mar 21 2016
Labels: -Merge-Request-50 Merge-Review-50 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Comment 26 by tin...@google.com, Mar 21 2016
Labels: -Merge-Review-50 Merge-Approved-50
Merge approved for M50 (branch 2661). Please go ahead and merge.
Please try to merge your change to M50 branch 2661 asap as we're getting closer to M50 beta candidate cut for this week. Thank you.
Labels: -Merge-Approved-50 merge-merged-2661
merged: https://chromereviews.googleplex.com/385647013/
Project Member Comment 29 by bugdroid1@chromium.org, Mar 22 2016
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=85560

------------------------------------------------------------------
r85560 | ochang@google.com | 2016-03-21T18:29:43.098986Z

-----------------------------------------------------------------
Issue 598850 has been merged into this issue.
Labels: Merge-Request-49
Are there any more 49s?
Comment 32 by tin...@google.com, Mar 29 2016
Labels: -Merge-Request-49 Merge-Review-49
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
None planned right now. What's the impact of this medium severity bug? If we are OK waiting till M50, then please remove the Merge-Request-49. If not, please let me know about impact if we want this merged into M49.
There have been 2 duplicates of this bug reported by external people, so I would like to get it merged into M49 in case there is another release.
Labels: -Merge-Triage
Hello - let's get this into M49. Medium-severity externally reported meets the bar for a stable merge, so let's get this in.

If an M49 isn't going again, M50 early stable is due in a few weeks.
Cc: sshru...@google.com
Labels: -Merge-Review-49 Merge-Approved-49
Merge approved for M49 (branch 2623)
Project Member Comment 38 by bugdroid1@chromium.org, Apr 1 2016
Labels: -merge-approved-49 merge-merged-2623
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=86026

------------------------------------------------------------------
r86026 | ochang@google.com | 2016-04-01T20:50:46.527873Z

-----------------------------------------------------------------
Labels: Release-0-M50
Did this make it out in any M49 release? Tagging it with Release-0-M50 for the M50 release notes regardless.
Labels: reward-NA
Labels: CVE-2016-1651
Project Member Comment 42 by sheriffbot@chromium.org, Jun 22 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 43 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 44 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic