Security: heap-buffer-overflow in CJPX_Decoder::Decode
Reported by keve.n...@gmail.com, Mar 29 2016
Issue description
VULNERABILITY DETAILS
The testcase crashes the stable versions:
==29626==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fda75f92ee0 at pc 0x00000075c1e0 bp 0x7ffc3ca14c70 sp 0x7ffc3ca14c68
READ of size 4 at 0x7fda75f92ee0 thread T0
#0 0x75c1df in CJPX_Decoder::Decode(unsigned char*, int, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:838:21
#1 0x6d2d9e in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:752:8
#2 0x6cd6c1 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:653:5
#3 0x6ca9c8 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:374:13
#4 0x6bc6ec in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:280:7
#5 0x6bc2ea in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:122:13
#6 0x6d9ecc in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1574:11
#7 0x6daa34 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1635:10
#8 0x6c15a8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:331:7
#9 0x6bddcd in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:475:7
#10 0x6b0aad in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:311:10
#11 0x6b8cf7 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1083:13
#12 0x4edbb6 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:914:3
#13 0x4ed4aa in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:663:3
#14 0x4e1fe1 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:408:3
#15 0x4e33d2 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:578:9
#16 0x4e43bd in main third_party/pdfium/samples/pdfium_test.cc:697:7
#17 0x7fda8f846ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
0x7fda75f92ee0 is located 0 bytes to the right of 84031200-byte region [0x7fda70f6f800,0x7fda75f92ee0)
allocated by thread T0 here:
#0 0x4b4b51 in __interceptor_calloc (/home/keve/src/chromium/asan-linux-beta-50.0.2661.37/pdfium_test+0x4b4b51)
#1 0x758df4 in FX_AllocOrDie third_party/pdfium/core/include/fxcrt/fx_memory.h:39:22
#2 0x758df4 in sycc422_to_rgb third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:221
#3 0x758df4 in color_sycc_to_rgb(opj_image*) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:422
#4 0x75ac33 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:766:5
#5 0x75c624 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, CPDF_ColorSpace*) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:869:10
#6 0x6d2761 in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:697:24
#7 0x6cd6c1 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:653:5
#8 0x6ca9c8 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:374:13
#9 0x6bc6ec in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:280:7
#10 0x6bc2ea in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:122:13
#11 0x6d9ecc in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1574:11
#12 0x6daa34 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1635:10
#13 0x6c15a8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:331:7
#14 0x6bddcd in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:475:7
#15 0x6b0aad in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:311:10
#16 0x6b8cf7 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1083:13
#17 0x4edbb6 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:914:3
#18 0x4ed4aa in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:663:3
#19 0x4e1fe1 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:408:3
#20 0x4e33d2 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:578:9
#21 0x4e43bd in main third_party/pdfium/samples/pdfium_test.cc:697:7
#22 0x7fda8f846ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
VERSION
Chrome Version: asan-linux-stable-49.0.2623.108
Operating System: Ubuntu 64
REPRODUCTION CASE
Attached file.
Jul 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by och...@chromium.org, Mar 29 2016
Status: Duplicate (was: Unconfirmed)