Issue metadata
ZDI-CAN-3594: New Vulnerability Report
Reported by
zdi-disc...@hp.com,
Mar 3 2016
Issue description: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability
Mar 3 2016
I'm chatting to a contact at ZDI - they are apparently running into some form length limits on submission.
Mar 3 2016
Mar 3 2016
Attached files from the zip. Be careful with the POC as it hasn't been checked.
Mar 3 2016
Mar 3 2016
Mar 3 2016
Mar 4 2016
ZDI-CAN-3594: Google Chrome Pdfium JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerability
-- CVSS -----------------------------------------
4.3, AV:N/AC:M/Au:N/C:P/I:N/A:N
-- ABSTRACT -------------------------------------
HP's Zero Day Initiative has identified a vulnerability affecting the following products:
Google Chrome
-- VULNERABILITY DETAILS ------------------------
Tested on win8.1 32 bit / Google Chrome Canary 51.0.2665.0:
This is an out-of-bounds read when parsing JPEG2000 images inside a PDF:
```
(d40.81c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00020000 ebx=00000000 ecx=08fc9f60 edx=09dc1000 esi=07832fe8 edi=00000000
eip=5921f947 esp=0094edd0 ebp=0094ee1c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
5921f947 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:09e41000=????????
5:049> kvb
ChildEBP RetAddr Args to Child
0094ee1c 5921f71a 00000000 00000600 00000200 chrome_child!CJPX_Decoder::Decode+0x229 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]
0094ee30 5920f7dd 07832fe8 0a0c0ff8 00000600 chrome_child!CCodec_JpxModule::Decode+0x14 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 884]
0094ee7c 5920dfdf 055e0f98 055e0f70 08e88fe0 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x1d3 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 753]
0094eea8 59210070 057a3fe0 08dc4fd8 057a3fe8 chrome_child!CPDF_DIBSource::CreateDecoder+0x1fa (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 654]
0094eecc 591fbcee 0792cfa8 08e88fe0 00000001 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x15f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 374]
0094eef8 591fbd8e 00000000 08e08fe8 00000000 chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x60 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 283]
0094ef30 5920fe84 08e88fe0 00000000 00000000 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0x76 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 124]
0094ef60 5920fe3b 08e32fb8 08e9cfb8 057a3fe0 chrome_child!CPDF_ImageLoaderHandle::Start+0x44 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1576]
0094ef90 591fd854 08e9cfb8 057a3fe0 08e32ff4 chrome_child!CPDF_ImageLoader::Start+0x51 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1637]
0094efe8 591fd2f6 08e9cfb8 0587af50 08dc8fe4 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0x70 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 335]
0094effc 591d5d07 0587af50 08e9cfb8 08dc8fe4 chrome_child!CPDF_ImageRenderer::Start+0x6b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 475]
5:049> r
eax=00020000 ebx=00000000 ecx=08fc9f60 edx=09dc1000 esi=07832fe8 edi=00000000
eip=5921f947 esp=0094edd0 ebp=0094ee1c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
5921f947 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:09e41000=????????
5:049> u chrome_child!CJPX_Decoder::Decode+0x229
chrome_child!CJPX_Decoder::Decode+0x229 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
5921f947 8b1482 mov edx,dword ptr [edx+eax*4]
5921f94a 8b4508 mov eax,dword ptr [ebp+8]
5921f94d 395c0120 cmp dword ptr [ecx+eax+20h],ebx
5921f951 740c je chrome_child!CJPX_Decoder::Decode+0x241 (5921f95f)
5921f953 8b4c0118 mov ecx,dword ptr [ecx+eax+18h]
5921f957 33c0 xor eax,eax
5921f959 49 dec ecx
5921f95a 40 inc eax
5:049> uf .
chrome_child!CJPX_Decoder::Decode [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 789]:
789 5921f71e 55 push ebp
789 5921f71f 8bec mov ebp,esp
789 5921f721 83ec40 sub esp,40h
789 5921f724 56 push esi
789 5921f725 8bf1 mov esi,ecx
789 5921f727 57 push edi
790 5921f728 8b4608 mov eax,dword ptr [esi+8]
790 5921f72b 8b4818 mov ecx,dword ptr [eax+18h]
790 5921f72e 8b7908 mov edi,dword ptr [ecx+8]
790 5921f731 3b7808 cmp edi,dword ptr [eax+8]
790 5921f734 0f85de020000 jne chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x1c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 790]:
790 5921f73a 8b500c mov edx,dword ptr [eax+0Ch]
790 5921f73d 39510c cmp dword ptr [ecx+0Ch],edx
790 5921f740 0f85d2020000 jne chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x28 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 793]:
793 5921f746 8b4010 mov eax,dword ptr [eax+10h]
793 5921f749 8b4d0c mov ecx,dword ptr [ebp+0Ch]
793 5921f74c 0fafc7 imul eax,edi
793 5921f74f 8d04c51f000000 lea eax,[eax*8+1Fh]
793 5921f756 c1f803 sar eax,3
793 5921f759 83e0fc and eax,0FFFFFFFCh
793 5921f75c 3bc8 cmp ecx,eax
793 5921f75e 0f8cb4020000 jl chrome_child!CJPX_Decoder::Decode+0x2fa (5921fa18)

chrome_child!CJPX_Decoder::Decode+0x46 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 796]:
796 5921f764 0fafd1 imul edx,ecx
796 5921f767 53 push ebx
796 5921f768 52 push edx
796 5921f769 68ff000000 push 0FFh
796 5921f76e ff7508 push dword ptr [ebp+8]
796 5921f771 e8ca2267fe call chrome_child!memset (57891a40)
797 5921f776 8b4608 mov eax,dword ptr [esi+8]
797 5921f779 8d4dc0 lea ecx,[ebp-40h]
797 5921f77c 83c40c add esp,0Ch
797 5921f77f ff7010 push dword ptr [eax+10h]
797 5921f782 e8abfeffff call chrome_child!std::vector<unsigned char *,std::allocator<unsigned char *> >::vector<unsigned char *,std::allocator<unsigned char *> > (5921f632)
798 5921f787 8b4608 mov eax,dword ptr [esi+8]
798 5921f78a 8d4dcc lea ecx,[ebp-34h]
798 5921f78d ff7010 push dword ptr [eax+10h]
798 5921f790 e8df80cefe call chrome_child!std::vector<int,std::allocator<int> >::vector<int,std::allocator<int> > (57f07874)
799 5921f795 8b4608 mov eax,dword ptr [esi+8]
799 5921f798 33db xor ebx,ebx
799 5921f79a 8b55cc mov edx,dword ptr [ebp-34h]
799 5921f79d 8bfb mov edi,ebx
799 5921f79f 8955f4 mov dword ptr [ebp-0Ch],edx
799 5921f7a2 395810 cmp dword ptr [eax+10h],ebx
799 5921f7a5 767c jbe chrome_child!CJPX_Decoder::Decode+0x105 (5921f823)

chrome_child!CJPX_Decoder::Decode+0x89 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
799 5921f7a7 8b45c0 mov eax,dword ptr [ebp-40h]
799 5921f7aa 8bcb mov ecx,ebx
799 5921f7ac 2bc2 sub eax,edx
799 5921f7ae 8955f0 mov dword ptr [ebp-10h],edx
799 5921f7b1 8945e4 mov dword ptr [ebp-1Ch],eax

chrome_child!CJPX_Decoder::Decode+0x96 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 800]:
800 5921f7b4 8b4510 mov eax,dword ptr [ebp+10h]
800 5921f7b7 8b5de4 mov ebx,dword ptr [ebp-1Ch]
802 5921f7ba 6a00 push 0
802 5921f7bc 8b00 mov eax,dword ptr [eax]
802 5921f7be 0fb60438 movzx eax,byte ptr [eax+edi]
802 5921f7c2 034508 add eax,dword ptr [ebp+8]
802 5921f7c5 890413 mov dword ptr [ebx+edx],eax
802 5921f7c8 8b4608 mov eax,dword ptr [esi+8]
802 5921f7cb 5b pop ebx
802 5921f7cc 8b4018 mov eax,dword ptr [eax+18h]
802 5921f7cf 8b440818 mov eax,dword ptr [eax+ecx+18h]
802 5921f7d3 83e808 sub eax,8
802 5921f7d6 8902 mov dword ptr [edx],eax
802 5921f7d8 85ff test edi,edi
802 5921f7da 7432 je chrome_child!CJPX_Decoder::Decode+0xf0 (5921f80e)

chrome_child!CJPX_Decoder::Decode+0xbe [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
805 5921f7dc 8b4608 mov eax,dword ptr [esi+8]
805 5921f7df 8b5018 mov edx,dword ptr [eax+18h]
805 5921f7e2 8b040a mov eax,dword ptr [edx+ecx]
805 5921f7e5 3b440acc cmp eax,dword ptr [edx+ecx-34h]
805 5921f7e9 0f8514020000 jne chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xd1 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
805 5921f7ef 8b440a04 mov eax,dword ptr [edx+ecx+4]
805 5921f7f3 3b440ad0 cmp eax,dword ptr [edx+ecx-30h]
805 5921f7f7 0f8506020000 jne chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xdf [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
805 5921f7fd 8b440a18 mov eax,dword ptr [edx+ecx+18h]
805 5921f801 3b440ae4 cmp eax,dword ptr [edx+ecx-1Ch]
805 5921f805 0f85f8010000 jne chrome_child!CJPX_Decoder::Decode+0x2e5 (5921fa03)

chrome_child!CJPX_Decoder::Decode+0xed [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 805]:
805 5921f80b 8b55f0 mov edx,dword ptr [ebp-10h]

chrome_child!CJPX_Decoder::Decode+0xf0 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
799 5921f80e 8b4608 mov eax,dword ptr [esi+8]
799 5921f811 47 inc edi
799 5921f812 83c204 add edx,4
799 5921f815 83c134 add ecx,34h
799 5921f818 8955f0 mov dword ptr [ebp-10h],edx
799 5921f81b 3b7810 cmp edi,dword ptr [eax+10h]
799 5921f81e 7294 jb chrome_child!CJPX_Decoder::Decode+0x96 (5921f7b4)

chrome_child!CJPX_Decoder::Decode+0x102 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 799]:
799 5921f820 8b55cc mov edx,dword ptr [ebp-34h]

chrome_child!CJPX_Decoder::Decode+0x105 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 810]:
810 5921f823 8b4e08 mov ecx,dword ptr [esi+8]
812 5921f826 895de4 mov dword ptr [ebp-1Ch],ebx
812 5921f829 8b4118 mov eax,dword ptr [ecx+18h]
812 5921f82c 8b7808 mov edi,dword ptr [eax+8]
812 5921f82f 8b400c mov eax,dword ptr [eax+0Ch]
812 5921f832 897d10 mov dword ptr [ebp+10h],edi
812 5921f835 8945f8 mov dword ptr [ebp-8],eax
812 5921f838 395910 cmp dword ptr [ecx+10h],ebx
812 5921f83b 0f86c0010000 jbe chrome_child!CJPX_Decoder::Decode+0x2e3 (5921fa01)

chrome_child!CJPX_Decoder::Decode+0x123 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 812]:
812 5921f841 8b4dc0 mov ecx,dword ptr [ebp-40h]
812 5921f844 8bc3 mov eax,ebx
812 5921f846 2bca sub ecx,edx
812 5921f848 895d08 mov dword ptr [ebp+8],ebx
812 5921f84b 894dd8 mov dword ptr [ebp-28h],ecx

chrome_child!CJPX_Decoder::Decode+0x130 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 813]:
813 5921f84e 8b0c0a mov ecx,dword ptr [edx+ecx]
813 5921f851 894dfc mov dword ptr [ebp-4],ecx
814 5921f854 391a cmp dword ptr [edx],ebx
814 5921f856 0f8da8000000 jge chrome_child!CJPX_Decoder::Decode+0x1e6 (5921f904)

chrome_child!CJPX_Decoder::Decode+0x13e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
815 5921f85c 837df800 cmp dword ptr [ebp-8],0
815 5921f860 0f8e76010000 jle chrome_child!CJPX_Decoder::Decode+0x2be (5921f9dc)

chrome_child!CJPX_Decoder::Decode+0x148 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
815 5921f866 8b4df8 mov ecx,dword ptr [ebp-8]
815 5921f869 8bc3 mov eax,ebx
815 5921f86b 894de8 mov dword ptr [ebp-18h],ecx
815 5921f86e 8b4d10 mov ecx,dword ptr [ebp+10h]
815 5921f871 8945ec mov dword ptr [ebp-14h],eax

chrome_child!CJPX_Decoder::Decode+0x156 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
817 5921f874 8bfb mov edi,ebx
817 5921f876 85c9 test ecx,ecx
817 5921f878 7e6c jle chrome_child!CJPX_Decoder::Decode+0x1c8 (5921f8e6)

chrome_child!CJPX_Decoder::Decode+0x15c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 816]:
816 5921f87a 8945f0 mov dword ptr [ebp-10h],eax

chrome_child!CJPX_Decoder::Decode+0x15f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 818]:
818 5921f87d 8b4608 mov eax,dword ptr [esi+8]
818 5921f880 8b4810 mov ecx,dword ptr [eax+10h]
819 5921f883 8b4018 mov eax,dword ptr [eax+18h]
819 5921f886 0fafcf imul ecx,edi
819 5921f889 8945e0 mov dword ptr [ebp-20h],eax
819 5921f88c 034dfc add ecx,dword ptr [ebp-4]
819 5921f88f 894df4 mov dword ptr [ebp-0Ch],ecx
819 5921f892 8b4d08 mov ecx,dword ptr [ebp+8]
819 5921f895 8b44082c mov eax,dword ptr [eax+ecx+2Ch]
819 5921f899 8b4df0 mov ecx,dword ptr [ebp-10h]
819 5921f89c 8b0401 mov eax,dword ptr [ecx+eax]
822 5921f89f 8b4d08 mov ecx,dword ptr [ebp+8]
822 5921f8a2 8945dc mov dword ptr [ebp-24h],eax
822 5921f8a5 8b45e0 mov eax,dword ptr [ebp-20h]
822 5921f8a8 395c0820 cmp dword ptr [eax+ecx+20h],ebx
822 5921f8ac 740c je chrome_child!CJPX_Decoder::Decode+0x19c (5921f8ba)

chrome_child!CJPX_Decoder::Decode+0x190 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 822]:
822 5921f8ae 8b4c0818 mov ecx,dword ptr [eax+ecx+18h]
822 5921f8b2 33c0 xor eax,eax
822 5921f8b4 49 dec ecx
822 5921f8b5 40 inc eax
822 5921f8b6 d3e0 shl eax,cl
822 5921f8b8 eb02 jmp chrome_child!CJPX_Decoder::Decode+0x19e (5921f8bc)

chrome_child!CJPX_Decoder::Decode+0x19c [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 822]:
822 5921f8ba 8bc3 mov eax,ebx

chrome_child!CJPX_Decoder::Decode+0x19e [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 823]:
823 5921f8bc 833a00 cmp dword ptr [edx],0
823 5921f8bf 8b4df4 mov ecx,dword ptr [ebp-0Ch]
823 5921f8c2 7e04 jle chrome_child!CJPX_Decoder::Decode+0x1aa (5921f8c8)

chrome_child!CJPX_Decoder::Decode+0x1a6 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 824]:
824 5921f8c4 8819 mov byte ptr [ecx],bl
825 5921f8c6 eb0e jmp chrome_child!CJPX_Decoder::Decode+0x1b8 (5921f8d6)

chrome_child!CJPX_Decoder::Decode+0x1aa [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 826]:
826 5921f8c8 8b0a mov ecx,dword ptr [edx]
826 5921f8ca 0245dc add al,byte ptr [ebp-24h]
826 5921f8cd f7d9 neg ecx
826 5921f8cf d2e0 shl al,cl
826 5921f8d1 8b4df4 mov ecx,dword ptr [ebp-0Ch]
826 5921f8d4 8801 mov byte ptr [ecx],al

chrome_child!CJPX_Decoder::Decode+0x1b8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
817 5921f8d6 8345f004 add dword ptr [ebp-10h],4
817 5921f8da 47 inc edi
817 5921f8db 3b7d10 cmp edi,dword ptr [ebp+10h]
817 5921f8de 7c9d jl chrome_child!CJPX_Decoder::Decode+0x15f (5921f87d)

chrome_child!CJPX_Decoder::Decode+0x1c2 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 817]:
817 5921f8e0 8b45ec mov eax,dword ptr [ebp-14h]
817 5921f8e3 8b4d10 mov ecx,dword ptr [ebp+10h]

chrome_child!CJPX_Decoder::Decode+0x1c8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 815]:
815 5921f8e6 8b7d0c mov edi,dword ptr [ebp+0Ch]
815 5921f8e9 017dfc add dword ptr [ebp-4],edi
815 5921f8ec 8bf9 mov edi,ecx
815 5921f8ee c1e702 shl edi,2
815 5921f8f1 03c7 add eax,edi
815 5921f8f3 ff4de8 dec dword ptr [ebp-18h]
815 5921f8f6 8945ec mov dword ptr [ebp-14h],eax
815 5921f8f9 0f8575ffffff jne chrome_child!CJPX_Decoder::Decode+0x156 (5921f874)

chrome_child!CJPX_Decoder::Decode+0x1e1 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 829]:
829 5921f8ff e9d5000000 jmp chrome_child!CJPX_Decoder::Decode+0x2bb (5921f9d9)

chrome_child!CJPX_Decoder::Decode+0x1e6 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
831 5921f904 837df800 cmp dword ptr [ebp-8],0
831 5921f908 0f8ece000000 jle chrome_child!CJPX_Decoder::Decode+0x2be (5921f9dc)

chrome_child!CJPX_Decoder::Decode+0x1f0 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
831 5921f90e 8b55f8 mov edx,dword ptr [ebp-8]
831 5921f911 8bc3 mov eax,ebx
831 5921f913 8945f0 mov dword ptr [ebp-10h],eax
831 5921f916 8955ec mov dword ptr [ebp-14h],edx

chrome_child!CJPX_Decoder::Decode+0x1fb [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
833 5921f919 837d1000 cmp dword ptr [ebp+10h],0
833 5921f91d 8bfb mov edi,ebx
833 5921f91f 0f8e9b000000 jle chrome_child!CJPX_Decoder::Decode+0x2a2 (5921f9c0)

chrome_child!CJPX_Decoder::Decode+0x207 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 834]:
834 5921f925 8b4608 mov eax,dword ptr [esi+8]
834 5921f928 8b4810 mov ecx,dword ptr [eax+10h]
834 5921f92b 0fafcf imul ecx,edi
834 5921f92e 034dfc add ecx,dword ptr [ebp-4]
834 5921f931 894de8 mov dword ptr [ebp-18h],ecx
835 5921f934 8b4818 mov ecx,dword ptr [eax+18h]
835 5921f937 8b4508 mov eax,dword ptr [ebp+8]
835 5921f93a 8b54012c mov edx,dword ptr [ecx+eax+2Ch]
835 5921f93e 85d2 test edx,edx
835 5921f940 746b je chrome_child!CJPX_Decoder::Decode+0x28f (5921f9ad)

chrome_child!CJPX_Decoder::Decode+0x224 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
838 5921f942 8b45f0 mov eax,dword ptr [ebp-10h]
838 5921f945 03c7 add eax,edi
838 5921f947 8b1482 mov edx,dword ptr [edx+eax*4]
841 5921f94a 8b4508 mov eax,dword ptr [ebp+8]
841 5921f94d 395c0120 cmp dword ptr [ecx+eax+20h],ebx
841 5921f951 740c je chrome_child!CJPX_Decoder::Decode+0x241 (5921f95f)

chrome_child!CJPX_Decoder::Decode+0x235 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
841 5921f953 8b4c0118 mov ecx,dword ptr [ecx+eax+18h]
841 5921f957 33c0 xor eax,eax
841 5921f959 49 dec ecx
841 5921f95a 40 inc eax
841 5921f95b d3e0 shl eax,cl
841 5921f95d eb02 jmp chrome_child!CJPX_Decoder::Decode+0x243 (5921f961)

chrome_child!CJPX_Decoder::Decode+0x241 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
841 5921f95f 8bc3 mov eax,ebx

chrome_child!CJPX_Decoder::Decode+0x243 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
841 5921f961 03d0 add edx,eax
842 5921f963 8b45f4 mov eax,dword ptr [ebp-0Ch]
842 5921f966 8b00 mov eax,dword ptr [eax]
842 5921f968 8945dc mov dword ptr [ebp-24h],eax
842 5921f96b 8d48ff lea ecx,[eax-1]
842 5921f96e 85c9 test ecx,ecx
842 5921f970 790b jns chrome_child!CJPX_Decoder::Decode+0x25f (5921f97d)

chrome_child!CJPX_Decoder::Decode+0x254 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 843]:
843 5921f972 8bc8 mov ecx,eax
843 5921f974 d3fa sar edx,cl
843 5921f976 8b4de8 mov ecx,dword ptr [ebp-18h]
843 5921f979 8811 mov byte ptr [ecx],dl
844 5921f97b eb30 jmp chrome_child!CJPX_Decoder::Decode+0x28f (5921f9ad)

chrome_child!CJPX_Decoder::Decode+0x25f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
846 5921f97d 8bc2 mov eax,edx
846 5921f97f d3f8 sar eax,cl
846 5921f981 2501000080 and eax,80000001h
846 5921f986 7905 jns chrome_child!CJPX_Decoder::Decode+0x26f (5921f98d)

chrome_child!CJPX_Decoder::Decode+0x26a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
846 5921f988 48 dec eax
846 5921f989 83c8fe or eax,0FFFFFFFEh
846 5921f98c 40 inc eax

chrome_child!CJPX_Decoder::Decode+0x26f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 846]:
846 5921f98d 8b4ddc mov ecx,dword ptr [ebp-24h]
846 5921f990 d3fa sar edx,cl
847 5921f992 b9ff000000 mov ecx,0FFh
847 5921f997 03c2 add eax,edx
847 5921f999 3bc1 cmp eax,ecx
847 5921f99b 7e04 jle chrome_child!CJPX_Decoder::Decode+0x283 (5921f9a1)

chrome_child!CJPX_Decoder::Decode+0x27f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 848]:
848 5921f99d 8bc1 mov eax,ecx
848 5921f99f eb07 jmp chrome_child!CJPX_Decoder::Decode+0x28a (5921f9a8)

chrome_child!CJPX_Decoder::Decode+0x283 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 849]:
849 5921f9a1 33c9 xor ecx,ecx
849 5921f9a3 85c0 test eax,eax
849 5921f9a5 0f48c1 cmovs eax,ecx

chrome_child!CJPX_Decoder::Decode+0x28a [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 852]:
852 5921f9a8 8b4de8 mov ecx,dword ptr [ebp-18h]
852 5921f9ab 8801 mov byte ptr [ecx],al

chrome_child!CJPX_Decoder::Decode+0x28f [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
833 5921f9ad 47 inc edi
833 5921f9ae 3b7d10 cmp edi,dword ptr [ebp+10h]
833 5921f9b1 0f8c6effffff jl chrome_child!CJPX_Decoder::Decode+0x207 (5921f925)

chrome_child!CJPX_Decoder::Decode+0x299 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 833]:
833 5921f9b7 8b45f0 mov eax,dword ptr [ebp-10h]
833 5921f9ba 8b4dfc mov ecx,dword ptr [ebp-4]
833 5921f9bd 8b55ec mov edx,dword ptr [ebp-14h]

chrome_child!CJPX_Decoder::Decode+0x2a2 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
831 5921f9c0 034d0c add ecx,dword ptr [ebp+0Ch]
831 5921f9c3 034510 add eax,dword ptr [ebp+10h]
831 5921f9c6 4a dec edx
831 5921f9c7 894dfc mov dword ptr [ebp-4],ecx
831 5921f9ca 8945f0 mov dword ptr [ebp-10h],eax
831 5921f9cd 8955ec mov dword ptr [ebp-14h],edx
831 5921f9d0 0f8543ffffff jne chrome_child!CJPX_Decoder::Decode+0x1fb (5921f919)

chrome_child!CJPX_Decoder::Decode+0x2b8 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
831 5921f9d6 8b55f4 mov edx,dword ptr [ebp-0Ch]

chrome_child!CJPX_Decoder::Decode+0x2bb [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 831]:
831 5921f9d9 8b4508 mov eax,dword ptr [ebp+8]

chrome_child!CJPX_Decoder::Decode+0x2be [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 812]:
812 5921f9dc 8b4de4 mov ecx,dword ptr [ebp-1Ch]
812 5921f9df 83c034 add eax,34h
812 5921f9e2 894508 mov dword ptr [ebp+8],eax
812 5921f9e5 41 inc ecx
812 5921f9e6 8b4608 mov eax,dword ptr [esi+8]
812 5921f9e9 83c204 add edx,4
812 5921f9ec 894de4 mov dword ptr [ebp-1Ch],ecx
812 5921f9ef 8955f4 mov dword ptr [ebp-0Ch],edx
812 5921f9f2 3b4810 cmp ecx,dword ptr [eax+10h]
812 5921f9f5 8b4508 mov eax,dword ptr [ebp+8]
812 5921f9f8 8b4dd8 mov ecx,dword ptr [ebp-28h]
812 5921f9fb 0f824dfeffff jb chrome_child!CJPX_Decoder::Decode+0x130 (5921f84e)

chrome_child!CJPX_Decoder::Decode+0x2e3 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 858]:
858 5921fa01 b301 mov bl,1

chrome_child!CJPX_Decoder::Decode+0x2e5 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 858]:
858 5921fa03 8d4dcc lea ecx,[ebp-34h]
858 5921fa06 e8341169fe call chrome_child!std::vector<HINSTANCE__ *,std::allocator<HINSTANCE__ *> >::_Tidy (578b0b3f)
858 5921fa0b 8d4dc0 lea ecx,[ebp-40h]
858 5921fa0e e88d6368fe call chrome_child!std::vector<std::_List_unchecked_iterator<std::_List_val<std::_List_simple_types<std::pair<int const ,media::WebMediaPlayerDelegate::Observer *> > > >,std::_Wrap_alloc<std::allocator<std::_List_unchecked_iterator<std::_List_val<std::_List_simple_types<std::pair<int const ,media::WebMediaPlayerDelegate::Observer *> > > > > > >::_Tidy (578a5da0)
858 5921fa13 8ac3 mov al,bl
858 5921fa15 5b pop ebx
858 5921fa16 eb02 jmp chrome_child!CJPX_Decoder::Decode+0x2fc (5921fa1a)

chrome_child!CJPX_Decoder::Decode+0x2fa [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 791]:
791 5921fa18 32c0 xor al,al

chrome_child!CJPX_Decoder::Decode+0x2fc [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 791]:
791 5921fa1a 5f pop edi
791 5921fa1b 5e pop esi
859 5921fa1c 8be5 mov esp,ebp
859 5921fa1e 5d pop ebp
859 5921fa1f c20c00 ret 0Ch

3:041> .reload
Reloading current modules
.................................................
3:041> r
eax=00020000 ebx=00000000 ecx=08db2f60 edx=09bb1000 esi=08c5efe8 edi=00000000
eip=58423528 esp=0062f000 ebp=0062f04c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
58423528 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:09c31000=????????
3:041> kvb
ChildEBP RetAddr Args to Child
0062f04c 584232fb 00000000 00000600 00000200 chrome_child!CJPX_Decoder::Decode+0x229 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]
0062f060 58413327 08c5efe8 09eb0ff8 00000600 chrome_child!CCodec_JpxModule::Decode+0x14 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 884]
0062f0ac 58411b29 08b8af98 08b8af70 08c86fe0 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x1d3 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 753]
0062f0d8 58413bba 04e3efe0 055c3fd8 04e3efe8 chrome_child!CPDF_DIBSource::CreateDecoder+0x1fa (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 654]
0062f0fc 583ff814 0771cfa8 08c86fe0 00000001 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x15f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 374]
0062f128 583ff8b4 00000000 08c06fe8 00000000 chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x60 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 283]
0062f160 584139ce 08c86fe0 00000000 00000000 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0x76 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 124]
0062f190 58413985 05102fb8 08c9afb8 04e3efe0 chrome_child!CPDF_ImageLoaderHandle::Start+0x44 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1576]
0062f1c0 5840137a 08c9afb8 04e3efe0 05102ff4 chrome_child!CPDF_ImageLoader::Start+0x51 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1637]
0062f218 58400e1c 08c9afb8 08d7cf50 08ccefe4 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0x70 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 335]
0062f22c 583d914d 08d7cf50 08c9afb8 08ccefe4 chrome_child!CPDF_ImageRenderer::Start+0x6b (FPO: [Non-Fpo]) (CONV: thiscall) [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 475]
3:041> u
chrome_child!CJPX_Decoder::Decode+0x229 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 838]:
58423528 8b1482 mov edx,dword ptr [edx+eax*4]
5842352b 8b4508 mov eax,dword ptr [ebp+8]
5842352e 395c0120 cmp dword ptr [ecx+eax+20h],ebx
58423532 740c je chrome_child!CJPX_Decoder::Decode+0x241 (58423540)
58423534 8b4c0118 mov ecx,dword ptr [ecx+eax+18h]
58423538 33c0 xor eax,eax
5842353a 49 dec ecx
5842353b 40 inc eax
3:041> u
chrome_child!CJPX_Decoder::Decode+0x23d [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 841]:
5842353c d3e0 shl eax,cl
5842353e eb02 jmp chrome_child!CJPX_Decoder::Decode+0x243 (58423542)
58423540 8bc3 mov eax,ebx
58423542 03d0 add edx,eax
58423544 8b45f4 mov eax,dword ptr [ebp-0Ch]
58423547 8b00 mov eax,dword ptr [eax]
58423549 8945dc mov dword ptr [ebp-24h],eax
5842354c 8d48ff lea ecx,[eax-1]
3:041> ub @eip
chrome_child!CJPX_Decoder::Decode+0x213 [c:\b\build\slave\win\build\src\third_party\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 834]:
58423512 894de8 mov dword ptr [ebp-18h],ecx
58423515 8b4818 mov ecx,dword ptr [eax+18h]
58423518 8b4508 mov eax,dword ptr [ebp+8]
5842351b 8b54012c mov edx,dword ptr [ecx+eax+2Ch]
5842351f 85d2 test edx,edx
58423521 746b je chrome_child!CJPX_Decoder::Decode+0x28f (5842358e)
58423523 8b45f0 mov eax,dword ptr [ebp-10h]
58423526 03c7 add eax,edi
3:041> r
eax=00020000 ebx=00000000 ecx=08db2f60 edx=09bb1000 esi=08c5efe8 edi=00000000
eip=58423528 esp=0062f000 ebp=0062f04c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
chrome_child!CJPX_Decoder::Decode+0x229:
58423528 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:09c31000=????????
3:041> lmvm chrome_child
start end module name
56a90000 596a9000 chrome_child (private pdb symbols) c:\code\symbols\chrome_child.dll.pdb\B7CE6286E9134BAA849C284AC4E929B11\chrome_child.dll.pdb
Loaded symbol image file: C:\Users\ZDI\AppData\Local\Google\Chrome SxS\Application\51.0.2665.0\chrome_child.dll
Image path: C:\Users\ZDI\AppData\Local\Google\Chrome SxS\Application\51.0.2665.0\chrome_child.dll
Image name: chrome_child.dll
Timestamp: Tue Mar 01 21:46:20 2016 (56D67E2C)
CheckSum: 02AB798E
ImageSize: 02C19000
File version: 51.0.2665.0
Product version: 51.0.2665.0
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Google Inc.
ProductName: Google Chrome
InternalName: chrome_dll
OriginalFilename: chrome.dll
ProductVersion: 51.0.2665.0
FileVersion: 51.0.2665.0
FileDescription: Google Chrome
LegalCopyright: Copyright 2015 Google Inc. All rights reserved.
3:041> vertarget
Windows 7 Version 9200 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.3.9600.17031 (winblue_gdr.140221-1952)
Machine Name:
Debug session time: Thu Mar 3 05:57:59.944 2016 (GMT-8)
System Uptime: 0 days 0:10:36.516
Process Uptime: 0 days 0:04:19.317
Kernel time: 0 days 0:00:00.062
User time: 0 days 0:00:00.031
```
-- CREDIT ---------------------------------------
This vulnerability was discovered by:
kdot working with HP's Zero Day Initiative
-- FURTHER DETAILS ------------------------------
If supporting files were included with this report, they are provided within a password-protected ZIP file. The password is the ZDI candidate number in the form ZDI-CAN-XXXX, where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available, we will release a limited public advisory with our own mitigations so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative
zdi-disclosures@hpe.com
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI ---------------------
Established by TippingPoint and acquired by Hewlett-Packard, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.
The ZDI is unique in how the acquired vulnerability information is used. The ZDI does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its HP TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
,
Mar 4 2016
,
Mar 10 2016
This medium+ severity security issue is a regression on trunk. Please fix this asap. If you are unable to look into this soon, please revert your change. - Your friendly ClusterFuzz
,
Mar 11 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5740792408178688
,
Mar 11 2016
Issue 594043 has been merged into this issue.
,
Mar 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688
Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775
Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.
,
Mar 11 2016
,
Mar 12 2016
,
Mar 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/83dfeae5a988dbd17f11b409f32ef577be02c152
commit 83dfeae5a988dbd17f11b409f32ef577be02c152
Author: ochang <ochang@chromium.org>
Date: Tue Mar 15 18:05:57 2016
Roll PDFium 5526501..3cc1802
https://pdfium.googlesource.com/pdfium.git/+log/5526501..3cc1802
TBR=tsepez@chromium.org
BUG=591785,589724
TEST=bots
Review URL: https://codereview.chromium.org/1806673002
Cr-Commit-Position: refs/heads/master@{#381250}
[modify] https://crrev.com/83dfeae5a988dbd17f11b409f32ef577be02c152/DEPS
,
Mar 15 2016
,
Mar 15 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
,
Mar 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688
Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775
Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 16 2016
ClusterFuzz has detected this issue as fixed in range 381067:381276.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5740792408178688
Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x7f3ef21ea800
Crash State:
  CJPX_Decoder::Decode
  CPDF_DIBSource::LoadJpxBitmap
  CPDF_DIBSource::CreateDecoder
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=366758:366775
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=381067:381276
Minimized Testcase (57.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9601tZyjM0KUN_QAPmGKFQU-Lk0MCDd9xKjCyrOfpKdX0GoDqMm_PRg3jox1pYlg32RC4nRipg7pqIlX8Y7ErtCPik0Ltlfs27ZCcxOo-_YhEm5gyGK5b1YvpBPU1csk6oTfR5PNs7ErW0jDd-tCGJRbQvmGdapqggAJW0vt6yy2qp_ZV4
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 21 2016
Requesting merge.
,
Mar 21 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
,
Mar 21 2016
Merge approved for M50 (branch 2661). Please go ahead and merge.
,
Mar 21 2016
Please try to merge your change to M50 branch 2661 asap as we're getting closer to M50 beta candidate cut for this week. Thank you.
,
Mar 21 2016
merged: https://chromereviews.googleplex.com/385647013/
,
Mar 22 2016
The following revision refers to this bug:
http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=85560
------------------------------------------------------------------
r85560 | ochang@google.com | 2016-03-21T18:29:43.098986Z
------------------------------------------------------------------
,
Mar 29 2016
Issue 598850 has been merged into this issue.
,
Mar 29 2016
Are there any more 49s?
,
Mar 29 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
,
Mar 30 2016
None planned right now. What's the impact of this medium severity bug? If we are OK waiting till M50, then please remove the Merge-Request-49. If not, please let me know about impact if we want this merged into M49.
,
Mar 30 2016
There have been 2 duplicates of this bug reported by external people, so I would like to get it merged into M49 in case there is another release.
,
Apr 1 2016
Hello - let's get this into M49. Medium-severity externally reported meets the bar for a stable merge, so let's get this in. If an M49 isn't going again, M50 early stable is due in a few weeks.
,
Apr 1 2016
,
Apr 1 2016
Merge approved for M49 (branch 2623)
,
Apr 1 2016
The following revision refers to this bug:
http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=86026
------------------------------------------------------------------
r86026 | ochang@google.com | 2016-04-01T20:50:46.527873Z
------------------------------------------------------------------
,
Apr 12 2016
Did this make it out in any M49 release? Tagging it with Release-0-M50 for the M50 release notes regardless.
,
Apr 12 2016
,
Apr 12 2016
,
Jun 22 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Apr 25 2018
Comment 1 by och...@chromium.org, Mar 3 2016