Issue 597440 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	thestig@chromium.org
Closed:	Aug 2016
Cc:	thestig@chromium.org
Components:	Internals>Plugins>PDF
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug
Stability-Crash Via-Wizard

Pdfium crashes when closing tab

Reported by keve.n...@gmail.com, Mar 23 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Open attachment
2. Make sure another tab is open with pdfium
3. Close the attachment tab.. pdfium crashes

What is the expected behavior?

What went wrong?
Crashes on stable versions, windows, linux.

ASAN report, version: asan-linux-stable-49.0.2623.87/pdfium_test :

==29415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000006661cd bp 0x7ffc0debcc90 sp 0x7ffc0debcc70 T0)
    #0 0x6661cc in Release third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:25:7
    #1 0x6661cc in ~CPDF_Dictionary third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:582
    #2 0x6661cc in CPDF_Object::Destroy() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:42
    #3 0x6660c6 in Release third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:28:3
    #4 0x6660c6 in ~CPDF_Stream third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:823
    #5 0x6660c6 in CPDF_Object::Destroy() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:45
    #6 0x6661d6 in Release third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:28:3
    #7 0x6661d6 in ~CPDF_Dictionary third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:582
    #8 0x6661d6 in CPDF_Object::Destroy() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:42
    #9 0x673690 in CPDF_IndirectObjectHolder::~CPDF_IndirectObjectHolder() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:1069:5
    #10 0x662e70 in CPDF_Document::~CPDF_Document() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_document.cpp:100:1
    #11 0x6764d8 in CPDF_Parser::CloseParser(int) third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:165:5
    #12 0x676190 in CPDF_Parser::~CPDF_Parser() third_party/pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:126:3
    #13 0x4edb1c in FPDF_CloseDocument third_party/pdfium/fpdfsdk/src/fpdfview.cpp:750:3
    #14 0x4e521f in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:547:3
    #15 0x4e5f25 in main third_party/pdfium/samples/pdfium_test.cc:617:7

Looks like a null dereference.

Crashed report ID: 

How much crashed? Just one plugin

Is it a problem with a plugin? Yes pdfium

Did this work before? N/A 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 21.0 r0

test.pdf
1.6 KB Download

Comment 1 by dtapu...@chromium.org, Mar 24 2016

Components: Internals>Plugins>PDF

Comment 2 by pucchakayala@chromium.org, Apr 14 2016

Cc: thestig@chromium.org
Labels: Needs-Feedback

Please upgrade to the latest stable build available and check if you still see this issue ?

Looping in chromium//src/pdf/OWNERS as well.

Comment 3 by keve.n...@gmail.com, Apr 15 2016

The original file i attached isn't crashing.
But the bug is there, i attached another file which crashes

99.pdf
2.4 KB Download

Comment 4 by thestig@chromium.org, Apr 15 2016

Labels: -OS-Windows -Needs-Feedback -Arch-x86_64 OS-All
Status: Untriaged (was: Unconfirmed)

Comment 5 by thestig@chromium.org, Apr 15 2016

Owner: thestig@chromium.org
Status: Started (was: Untriaged)

https://codereview.chromium.org/1888333002 should fix the 99.pdf case.

Comment 6 by thestig@chromium.org, Aug 25 2016

Next try: https://codereview.chromium.org/2273293003

Comment 7 by thestig@chromium.org, Aug 25 2016

Status: Fixed (was: Started)

https://pdfium.googlesource.com/pdfium/+/22b176d0ee7f1dcbc7bca6e5eef65c19fa10f726

Chromium will pick up the fix later in the day.

Project Member

Comment 8 by bugdroid1@chromium.org, Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99b48c2ea20be49886f6c236f4762627a6430ad8

commit 99b48c2ea20be49886f6c236f4762627a6430ad8
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Aug 25 21:10:36 2016

Roll src/third_party/pdfium/ 43cbe9ea0..22b176d0e (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/43cbe9ea0ff1..22b176d0ee7f

$ git log 43cbe9ea0..22b176d0e --date=short --no-merges --format='%ad %ae %s'
2016-08-25 thestig Check for nullptrs in CPDF_Dictionary dtor.
2016-08-25 thestig Fix infinite loops in FPDF_GetFullName().

BUG= 597440 , 444446 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2283493002
Cr-Commit-Position: refs/heads/master@{#414538}

[modify] https://crrev.com/99b48c2ea20be49886f6c236f4762627a6430ad8/DEPS

►

Issue 597440 link

Issue metadata

Pdfium crashes when closing tab

Issue description

Comment 1 by dtapu...@chromium.org, Mar 24 2016

Comment 1 Deleted

Comment 2 by pucchakayala@chromium.org, Apr 14 2016

Comment 2 Deleted

Comment 3 by keve.n...@gmail.com, Apr 15 2016

Comment 3 Deleted

Comment 4 by thestig@chromium.org, Apr 15 2016

Comment 4 Deleted

Comment 5 by thestig@chromium.org, Apr 15 2016

Comment 5 Deleted

Comment 6 by thestig@chromium.org, Aug 25 2016

Comment 6 Deleted

Comment 7 by thestig@chromium.org, Aug 25 2016

Comment 7 Deleted

Comment 8 by bugdroid1@chromium.org, Aug 25 2016

Comment 8 Deleted

Sign in to add a comment