Security: PDFium Out-Of-Bounds Read in CJPX_Decoder::Decode
Reported by
stackexp...@gmail.com,
Mar 11 2016
Issue description
VULNERABILITY DETAILS
The attached proof-of-concept file could crash the latest build of pdfium_test.
This is an Out-Of-Bounds Read issue.
The exception information is presented as follows.
---------------------------------------------------------
(19b0.14c8): Access violation - code c0000005 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for E:\PDFiumDev\repo\pdfium\build\Release\pdfium_test.exe
eax=00002000 ebx=00002000 ecx=07ddaf60 edx=0832c000 esi=0834fffa edi=00000000
eip=002ecce4 esp=001cf3e4 ebp=001cf428 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
pdfium_test!CJPX_Decoder::Decode+0x224:
002ecce4 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:08334000=????????
0:000> db edx
0832c000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0832c070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000> db edx+eax*4
08334000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
08334070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> !heap -p -a edx
address 0832c000 found in
_DPH_HEAP_ROOT @ 2de1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
81625e4: 832c000 8000 - 832b000 a000
705d8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77ea1d4e ntdll!RtlDebugAllocateHeap+0x00000030
77e5b586 ntdll!RtlpAllocateHeap+0x000000c4
77e03541 ntdll!RtlAllocateHeap+0x0000023a
003b3d69 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
002ed9da pdfium_test!sycc422_to_rgb+0x000000aa [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 221]
002ed20b pdfium_test!color_sycc_to_rgb+0x0000007b [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 426]
002ed137 pdfium_test!CJPX_Decoder::Init+0x00000227 [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 766]
002eca40 pdfium_test!CCodec_JpxModule::CreateDecoder+0x00000040 [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 869]
002d906a pdfium_test!CPDF_DIBSource::LoadJpxBitmap+0x0000006a [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 700]
002d779c pdfium_test!CPDF_DIBSource::CreateDecoder+0x0000021c [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 657]
002d9cbb pdfium_test!CPDF_DIBSource::StartLoadDIBSource+0x0000015b [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 377]
002c1e47 pdfium_test!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x00000067 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 284]
002c1f4f pdfium_test!CPDF_PageRenderCache::StartGetCachedBitmap+0x000000cf [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 123]
002d9ac4 pdfium_test!CPDF_ImageLoaderHandle::Start+0x00000044 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1577]
002d9a6d pdfium_test!CPDF_ImageLoader::Start+0x0000005d [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1638]
002c3dc0 pdfium_test!CPDF_ImageRenderer::StartLoadDIBSource+0x00000070 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 336]
002c3834 pdfium_test!CPDF_ImageRenderer::Start+0x00000074 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 480]
0029d3d4 pdfium_test!CPDF_RenderStatus::ContinueSingleObject+0x000000b4 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render.cpp @ 314]
0029d1fe pdfium_test!CPDF_ProgressiveRenderer::Continue+0x000002de [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render.cpp @ 1086]
00269541 pdfium_test!FPDF_RenderPage_Retail+0x00000221 [e:\pdfiumdev\repo\pdfium\fpdfsdk\src\fpdfview.cpp @ 913]
00269df9 pdfium_test!FPDF_RenderPageBitmap+0x00000099 [e:\pdfiumdev\repo\pdfium\fpdfsdk\src\fpdfview.cpp @ 665]
00263168 pdfium_test!RenderPage+0x000001b8 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 411]
0026355f pdfium_test!RenderPdf+0x000002ef [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 579]
00268766 pdfium_test!main+0x000002e6 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 699]
003a6b6b pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
76e8338a kernel32!BaseThreadInitThunk+0x0000000e
77e09a02 ntdll!__RtlUserThreadStart+0x00000070
77e099d5 ntdll!_RtlUserThreadStart+0x0000001b
0:000> k
ChildEBP RetAddr
001cf428 002ecab4 pdfium_test!CJPX_Decoder::Decode+0x224 [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 839]
001cf43c 002d920f pdfium_test!CCodec_JpxModule::Decode+0x14 [e:\pdfiumdev\repo\pdfium\core\src\fxcodec\codec\fx_codec_jpx_opj.cpp @ 884]
001cf490 002d779c pdfium_test!CPDF_DIBSource::LoadJpxBitmap+0x20f [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 755]
001cf4b8 002d9cbb pdfium_test!CPDF_DIBSource::CreateDecoder+0x21c [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 657]
001cf4dc 002c1e47 pdfium_test!CPDF_DIBSource::StartLoadDIBSource+0x15b [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 377]
001cf508 002c1f4f pdfium_test!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x67 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 284]
001cf53c 002d9ac4 pdfium_test!CPDF_PageRenderCache::StartGetCachedBitmap+0xcf [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 123]
001cf56c 002d9a6d pdfium_test!CPDF_ImageLoaderHandle::Start+0x44 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1577]
001cf59c 002c3dc0 pdfium_test!CPDF_ImageLoader::Start+0x5d [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1638]
001cf5f4 002c3834 pdfium_test!CPDF_ImageRenderer::StartLoadDIBSource+0x70 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 336]
001cf604 0029d3d4 pdfium_test!CPDF_ImageRenderer::Start+0x74 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 480]
001cf62c 0029d1fe pdfium_test!CPDF_RenderStatus::ContinueSingleObject+0xb4 [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render.cpp @ 314]
001cf680 00269541 pdfium_test!CPDF_ProgressiveRenderer::Continue+0x2de [e:\pdfiumdev\repo\pdfium\core\src\fpdfapi\fpdf_render\fpdf_render.cpp @ 1086]
001cf6bc 00269df9 pdfium_test!FPDF_RenderPage_Retail+0x221 [e:\pdfiumdev\repo\pdfium\fpdfsdk\src\fpdfview.cpp @ 913]
001cf6f8 00263168 pdfium_test!FPDF_RenderPageBitmap+0x99 [e:\pdfiumdev\repo\pdfium\fpdfsdk\src\fpdfview.cpp @ 665]
001cf814 0026355f pdfium_test!RenderPage+0x1b8 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 411]
001cf8ec 00268766 pdfium_test!RenderPdf+0x2ef [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 579]
001cf9d0 003a6b6b pdfium_test!main+0x2e6 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 699]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
001cfa1c 76e8338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
001cfa28 77e09a02 kernel32!BaseThreadInitThunk+0xe
001cfa68 77e099d5 ntdll!__RtlUserThreadStart+0x70
001cfa80 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> r
eax=00002000 ebx=00002000 ecx=07ddaf60 edx=0832c000 esi=0834fffa edi=00000000
eip=002ecce4 esp=001cf3e4 ebp=001cf428 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
pdfium_test!CJPX_Decoder::Decode+0x224:
002ecce4 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:08334000=????????
VERSION
Chrome Version: [49.0.2623.87] + [stable]
Operating System: [Windows 7]
P.S. I built PDFium using Visual Studio 2015 without Javascript and XFA.
The latest Chrome (49.0.2623.87, stable) could not handle this issue correctly.
REPRODUCTION CASE
This issue was caused by the malformed JPEG2000 image embedded in the PDF document.
I've done some reduction work and got the smallest proof-of-concept file.
Both the original (normal) PDF document and the mutated PDF document are attached.
There are two bytes of differences between the normal image and the malformed image.
The following information shows the differences in the JPEG2000 image's SIZ content.
[0x01 -> 0x02] in the mutation column means the data was mutated from 0x01 to 0x02.
---------------------------------------------
SIZ Data of the J2K Image
---------------------------------------------
Parameter   Bytes   Values        Mutation
SIZ         2       0xFF51
Lsiz        2       0x002F
Rsiz        2       0x0000
Xsiz        4       0x00000080
Ysiz        4       0x00000080
XOsiz       4       0x00000000
YOsiz       4       0x00000000
XTsiz       4       0x00000080
YTsiz       4       0x00000080
XTOsiz      4       0x00000000
YTOsiz      4       0x00000000
Csiz        2       0x0003
Ssiz(0)     1       0x07
XRsiz(0)    1       0x01
YRsiz(0)    1       0x01
Ssiz(1)     1       0x07
XRsiz(1)    1       0x02          [0x01 -> 0x02]
YRsiz(1)    1       0x01
Ssiz(2)     1       0x07
XRsiz(2)    1       0x02          [0x01 -> 0x02]
YRsiz(2)    1       0x01
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
CREDIT
Credit: This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
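An added example, not PDFium's or OpenJPEG's code, that parses a JPEG 2000 SIZ marker segment and derives each component's sample-plane size from its sub-sampling factors (ITU-T T.800, Annex B: width = ceil(Xsiz/XRsiz) - ceil(XOsiz/XRsiz)). Fed the values from the report's table, it shows why the two-byte mutation matters: components 1 and 2 shrink from 128 x 128 to 64 x 128 samples (8192 instead of 16384), so any per-component buffer sized from them is half the size of the luma plane, and any loop that walks them with component 0's geometry runs past their end. The debugger output in the report has that shape: the faulting instruction indexes dword 0x2000 (eax) of an allocation whose UserSize is 0x8000 bytes, which is the first dword past the end. The byte array is constructed from the table; the component cap, the bounds checks and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PDFium or OpenJPEG code: parse a JPEG 2000 SIZ segment and
 * derive per-component plane sizes, as a codec must before allocating or indexing. */
#define SIZ_MARKER    0xFF51u
#define SIZ_MAX_COMPS 16   /* cap chosen for this example only */
#define POC_SIZ_LEN   49   /* 2 marker bytes + Lsiz (0x2F) when Csiz = 3 */

typedef struct {
    uint32_t xsiz, ysiz, xosiz, yosiz;
    uint32_t xtsiz, ytsiz, xtosiz, ytosiz;
    uint16_t csiz;
    struct { uint8_t ssiz, xrsiz, yrsiz; } comp[SIZ_MAX_COMPS];
} siz_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success, -1 if the segment is truncated or inconsistent. */
int parse_siz(const uint8_t *buf, size_t len, siz_t *out) {
    if (len < 4 || rd16(buf) != SIZ_MARKER) return -1;
    uint16_t lsiz = rd16(buf + 2);                       /* Lsiz counts itself, not the marker */
    if (lsiz < 38 || (size_t)lsiz + 2 > len) return -1;
    const uint8_t *p = buf + 4;                          /* p[0..1] = Rsiz */
    memset(out, 0, sizeof *out);
    out->xsiz   = rd32(p + 2);  out->ysiz   = rd32(p + 6);
    out->xosiz  = rd32(p + 10); out->yosiz  = rd32(p + 14);
    out->xtsiz  = rd32(p + 18); out->ytsiz  = rd32(p + 22);
    out->xtosiz = rd32(p + 26); out->ytosiz = rd32(p + 30);
    out->csiz   = rd16(p + 34);
    if (out->csiz == 0 || out->csiz > SIZ_MAX_COMPS) return -1;
    if (lsiz != 38 + 3 * out->csiz) return -1;           /* Lsiz = 38 + 3 * Csiz */
    if (out->xosiz >= out->xsiz || out->yosiz >= out->ysiz) return -1;
    for (unsigned i = 0; i < out->csiz; i++) {
        const uint8_t *c = p + 36 + 3 * i;
        out->comp[i].ssiz = c[0]; out->comp[i].xrsiz = c[1]; out->comp[i].yrsiz = c[2];
        if (c[1] == 0 || c[2] == 0) return -1;           /* XRsiz/YRsiz of 0 is invalid */
    }
    return 0;
}

static uint32_t ceil_div(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a + b - 1) / b);        /* 64-bit so a + b - 1 cannot wrap */
}
/* Component plane geometry per T.800 B-2: ceil(Xsiz/XRsiz) - ceil(XOsiz/XRsiz). */
uint32_t comp_width(const siz_t *s, unsigned i) {
    return ceil_div(s->xsiz, s->comp[i].xrsiz) - ceil_div(s->xosiz, s->comp[i].xrsiz);
}
uint32_t comp_height(const siz_t *s, unsigned i) {
    return ceil_div(s->ysiz, s->comp[i].yrsiz) - ceil_div(s->yosiz, s->comp[i].yrsiz);
}
uint32_t comp_samples(const siz_t *s, unsigned i) { return comp_width(s, i) * comp_height(s, i); }

/* 1 if every component shares component 0's sampling factors: the only case in
 * which a loop sized from component 0 may safely index the other planes. */
int uniformly_sampled(const siz_t *s) {
    for (unsigned i = 1; i < s->csiz; i++)
        if (s->comp[i].xrsiz != s->comp[0].xrsiz || s->comp[i].yrsiz != s->comp[0].yrsiz) return 0;
    return 1;
}

/* Constructed SIZ segment holding the values from the report's table; mutated != 0
 * applies the reported two-byte change (XRsiz of components 1 and 2: 0x01 -> 0x02). */
void build_poc_siz(int mutated, uint8_t out[POC_SIZ_LEN]) {
    static const uint8_t base[POC_SIZ_LEN] = {
        0xFF, 0x51, 0x00, 0x2F, 0x00, 0x00,                   /* SIZ, Lsiz, Rsiz */
        0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,       /* Xsiz, Ysiz */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,       /* XOsiz, YOsiz */
        0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,       /* XTsiz, YTsiz */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,       /* XTOsiz, YTOsiz */
        0x00, 0x03,                                           /* Csiz */
        0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01  /* Ssiz/XRsiz/YRsiz x3 */
    };
    memcpy(out, base, POC_SIZ_LEN);
    if (mutated) { out[44] = 0x02; out[47] = 0x02; }         /* XRsiz(1), XRsiz(2) */
}

/* Wrappers over the constructed segment so results can be checked directly. */
static int poc_parse(int mutated, siz_t *s) {
    uint8_t buf[POC_SIZ_LEN]; build_poc_siz(mutated, buf);
    return parse_siz(buf, sizeof buf, s);
}
uint32_t poc_samples(int mutated, unsigned i) { siz_t s; return poc_parse(mutated, &s) == 0 ? comp_samples(&s, i) : 0; }
int poc_uniform(int mutated) { siz_t s; return poc_parse(mutated, &s) == 0 ? uniformly_sampled(&s) : -1; }
int poc_truncated_rejected(void) {                           /* segment cut inside the component list */
    uint8_t buf[POC_SIZ_LEN]; siz_t s; build_poc_siz(0, buf);
    return parse_siz(buf, 40, &s) == -1;
}

int main(void) {
    for (int m = 0; m < 2; m++) {
        siz_t s; if (poc_parse(m, &s) != 0) return 1;
        printf("%s (uniformly sampled = %d)\n", m ? "mutated" : "original", uniformly_sampled(&s));
        for (unsigned i = 0; i < s.csiz; i++)
            printf("  comp %u: %ux%u = %u samples\n", i, comp_width(&s, i), comp_height(&s, i), comp_samples(&s, i));
    }
    return 0;
}
```

The check a decoder front end wants is `uniformly_sampled()` or, for a colour-conversion path that only supports one specific layout (4:2:2 chroma, for instance), an explicit comparison of each component's XRsiz/YRsiz against that layout before any buffer is sized from component 0; rejecting the image on mismatch is cheaper than reasoning about every loop that touches the planes afterwards.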
Mar 11 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5275825080893440
Mar 11 2016
looks similar to https://bugs.chromium.org/p/chromium/issues/detail?id=557223 that you fixed.
Mar 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5275825080893440
Uploader: aarya@google.com
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x05c44400
Crash State:
  CJPX_Decoder::Decode
  CCodec_JpxModule::Decode
  CPDF_DIBSource::LoadJpxBitmap
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379932:379959
Minimized Testcase (1.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95AN4oNAkrNvuAxzmKYJAbZk8a3ZlrwDDkohdITSKFIJ2Wkp_mW7IHh1wkDSmS1lJz7Hnjb2IgiEcYTIydFzUyY-yqoDgQT2_mXWNptT4Y_BJI1O2EyuduCggY2y6jbQxgn6emLgO83PpdCxiLSN3aAGparJA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5275825080893440
Uploader: aarya@google.com
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x06744400
Crash State:
  CJPX_Decoder::Decode
  CCodec_JpxModule::Decode
  CPDF_DIBSource::LoadJpxBitmap
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379932:379959
Minimized Testcase (1.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bQuLr1z5R14xxId3QZhqznXk283LGmmUCjLVbWyNapBBa7xyeXlJh8O5csoeKPOMeZ-3prC2NLB584t9GzQVIKwJgyNVktLENrZML0qikcnWqcQ6DS8GIkBUV1-rIlz3ZY952Yfmt7FCu1ZJ0oGERGfPtWw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5275825080893440
Uploader: aarya@google.com
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x06744400
Crash State:
  CJPX_Decoder::Decode
  CCodec_JpxModule::Decode
  CPDF_DIBSource::LoadJpxBitmap
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=379932:379959
Minimized Testcase (1.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bQuLr1z5R14xxId3QZhqznXk283LGmmUCjLVbWyNapBBa7xyeXlJh8O5csoeKPOMeZ-3prC2NLB584t9GzQVIKwJgyNVktLENrZML0qikcnWqcQ6DS8GIkBUV1-rIlz3ZY952Yfmt7FCu1ZJ0oGERGfPtWw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 22 2016
Please ignore this comment, it's for indexing :)
CVE-ID: CVE-2016-1651
Release Notes: https://googlechromereleases.blogspot.com/2016/04/stable-channel-update_13.html
Fixed Version: Chrome 50.0.2661.75
Merged: Issue 591785
Comment 1 by stackexp...@gmail.com, Mar 11 2016
Attachment: 20.5 KB