
Issue 598850

Issue metadata

Status: Duplicate
Merged: issue 591785
Owner: ----
Closed: Mar 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: heap-buffer-overflow in CJPX_Decoder::Decode

Reported by keve.n...@gmail.com, Mar 29 2016

Issue description

VULNERABILITY DETAILS 

The testcase crashes the stable versions:

==29626==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fda75f92ee0 at pc 0x00000075c1e0 bp 0x7ffc3ca14c70 sp 0x7ffc3ca14c68
READ of size 4 at 0x7fda75f92ee0 thread T0
    #0 0x75c1df in CJPX_Decoder::Decode(unsigned char*, int, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:838:21
    #1 0x6d2d9e in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:752:8
    #2 0x6cd6c1 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:653:5
    #3 0x6ca9c8 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:374:13
    #4 0x6bc6ec in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:280:7
    #5 0x6bc2ea in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:122:13
    #6 0x6d9ecc in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1574:11
    #7 0x6daa34 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1635:10
    #8 0x6c15a8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:331:7
    #9 0x6bddcd in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:475:7
    #10 0x6b0aad in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:311:10
    #11 0x6b8cf7 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1083:13
    #12 0x4edbb6 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:914:3
    #13 0x4ed4aa in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:663:3
    #14 0x4e1fe1 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:408:3
    #15 0x4e33d2 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:578:9
    #16 0x4e43bd in main third_party/pdfium/samples/pdfium_test.cc:697:7
    #17 0x7fda8f846ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287

0x7fda75f92ee0 is located 0 bytes to the right of 84031200-byte region [0x7fda70f6f800,0x7fda75f92ee0)
allocated by thread T0 here:
    #0 0x4b4b51 in __interceptor_calloc (/home/keve/src/chromium/asan-linux-beta-50.0.2661.37/pdfium_test+0x4b4b51)
    #1 0x758df4 in FX_AllocOrDie third_party/pdfium/core/include/fxcrt/fx_memory.h:39:22
    #2 0x758df4 in sycc422_to_rgb third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:221
    #3 0x758df4 in color_sycc_to_rgb(opj_image*) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:422
    #4 0x75ac33 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:766:5
    #5 0x75c624 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, CPDF_ColorSpace*) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:869:10
    #6 0x6d2761 in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:697:24
    #7 0x6cd6c1 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:653:5
    #8 0x6ca9c8 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:374:13
    #9 0x6bc6ec in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:280:7
    #10 0x6bc2ea in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:122:13
    #11 0x6d9ecc in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1574:11
    #12 0x6daa34 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1635:10
    #13 0x6c15a8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:331:7
    #14 0x6bddcd in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:475:7
    #15 0x6b0aad in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:311:10
    #16 0x6b8cf7 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1083:13
    #17 0x4edbb6 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:914:3
    #18 0x4ed4aa in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:663:3
    #19 0x4e1fe1 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:408:3
    #20 0x4e33d2 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:578:9
    #21 0x4e43bd in main third_party/pdfium/samples/pdfium_test.cc:697:7
    #22 0x7fda8f846ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287

VERSION
Chrome Version: asan-linux-stable-49.0.2623.108
Operating System: Ubuntu 64

REPRODUCTION CASE
Attached file.


poc.pdf (1.1 KB)

Comment 1 by och...@chromium.org, Mar 29 2016

Mergedinto: 591785
Status: Duplicate (was: Unconfirmed)
Thanks for the report.

Can't repro on pdfium_test on HEAD. The fix should already be in beta too, but is not yet merged to stable.

Comment 2 by sheriffbot@chromium.org, Jul 6 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic