heap-buffer-overflow on address 0x61700002918d
Reported by marcin.t...@gmail.com, Apr 10 2016
Issue description
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Steps to reproduce the problem:
1. Open pdfium_test_crash.pdf in the browser
What is the expected behavior?
What went wrong?
component:Internals>Plugins>PDF
ASan information with llvm-symbolizer; the "summary" part could not finish:
=================================================================
==5446==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700002918d at pc 0x55d1c301bc8c bp 0x7ffeae93db10 sp 0x7ffeae93d2c0
READ of size 3 at 0x61700002918d thread T0 (chrome)
#0 0x55d1c301bc8b in __asan_memcpy ??:?
#1 0x7fe77cb4fc1b in ?? third_party/freetype2/src/src/psaux/psobjs.c:216:5
#2 0x7fe77cb2dbae in ?? third_party/freetype2/src/src/type1/t1load.c:1297:34
#3 0x7fe77cb2b74b in ?? third_party/freetype2/src/src/type1/t1load.c:937:7
#4 0x7fe77cb2665e in ?? third_party/freetype2/src/src/type1/t1load.c:1995:38
#5 0x7fe77cb21b50 in ?? third_party/freetype2/src/src/type1/t1load.c:2103:13
#6 0x7fe77cb1445f in ?? third_party/freetype2/src/src/type1/t1objs.c:321:13
#7 0x7fe77c9c99e7 in ?? third_party/freetype2/src/src/base/ftobjs.c:1149:15
#8 0x7fe77c9c74ab in ?? third_party/freetype2/src/src/base/ftobjs.c:2126:19
#9 0x7fe77c9c928e in ?? third_party/freetype2/src/src/base/ftobjs.c:1238:12
#10 0x55d1d2d4e155 in ?? third_party/pdfium/core/fxge/ge/fx_ge_fontmap.cpp:600:7
#11 0x55d1d2d47213 in ?? third_party/pdfium/core/fxge/ge/fx_ge_font.cpp:238:12
#12 0x55d1d28855b1 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_font.cpp:241:8
#13 0x55d1d29ade27 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_simplefont.cpp:111:5
#14 0x55d1d288df2e in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_type1font.cpp:102:10
#15 0x55d1d2887c23 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_font.cpp:383:8
#16 0x55d1d28b1a89 in GetFont third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_doc.cpp:249:22
#17 0x55d1d29faa30 in ?? third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1287:22
#18 0x55d1d29ef218 in Handle_SetFont third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1244:22
#19 0x55d1d29f3d39 in OnOperator third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:491:5
#20 0x55d1d29f8a77 in Parse third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1656:9
#21 0x55d1d28cb6ae in Continue third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:846:13
#22 0x55d1d28aea60 in ContinueParse third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:28:3
#23 0x55d1d279dc72 in ?? third_party/pdfium/fpdfsdk/fpdfview.cpp:508:3
#24 0x55d1c44aaa2b in ?? pdf/pdfium/pdfium_page.cc:153:13
#25 0x55d1c4475e8a in FinishLoadingDocument pdf/pdfium/pdfium_engine.cc:1118:26
#26 0x55d1c44909f8 in ContinueLoadingDocument pdf/pdfium/pdfium_engine.cc:2515:5
#27 0x55d1c4473baa in LoadDocument pdf/pdfium/pdfium_engine.cc:2407:5
#28 0x55d1c44757e4 in ?? pdf/pdfium/pdfium_engine.cc:1084:5
#29 0x55d1c44b8e99 in ReadComplete pdf/document_loader.cc:522:5
#30 0x55d1c44bc84f in DidRead pdf/document_loader.cc:496:5
#31 0x55d1c44be9bd in ?? ppapi/utility/completion_callback_factory.h:607:9
#32 0x55d1c44be719 in ?? ppapi/utility/completion_callback_factory.h:584:7
#33 0x55d1cc75f476 in ?? ppapi/shared_impl/proxy_lock.h:135:10
#34 0x55d1cc75e288 in ?? ppapi/shared_impl/tracked_callback.cc:141:7
#35 0x55d1d113fc80 in ?? ppapi/proxy/url_loader_resource.cc:363:3
#36 0x55d1d113f7d5 in ?? ppapi/proxy/url_loader_resource.cc:311:5
#37 0x55d1d113ecf2 in OnReplyReceived ppapi/proxy/url_loader_resource.cc:249:5
#38 0x55d1d101f523 in ?? ppapi/proxy/plugin_message_filter.cc:116:3
#39 0x55d1d1021420 in ?? base/bind_internal.h:311:5
#40 0x55d1c4756470 in ?? base/debug/task_annotator.cc:51:3
#41 0x55d1c45bd669 in ?? base/message_loop/message_loop.cc:479:3
#42 0x55d1c45be58d in DeferOrRunPendingTask base/message_loop/message_loop.cc:488:5
#43 0x55d1c45bec85 in DoWork base/message_loop/message_loop.cc:600:13
#44 0x55d1c45cc1e2 in ?? base/message_loop/message_pump_default.cc:33:21
#45 0x55d1c45bcb84 in RunHandler base/message_loop/message_loop.cc:443:3
#46 0x55d1c46308c4 in ?? base/run_loop.cc:35:3
#47 0x55d1c45ba2f8 in ?? base/message_loop/message_loop.cc:295:3
#48 0x55d1d33ab486 in PpapiPluginMain content/ppapi_plugin/ppapi_plugin_main.cc:162:3
#49 0x55d1c445b860 in RunZygote content/app/content_main_runner.cc:306:14
#50 0x55d1c445cd5f in RunNamedProcessTypeMain content/app/content_main_runner.cc:389:12
#51 0x55d1c445ffc5 in ?? content/app/content_main_runner.cc:742:12
#52 0x55d1c445a95d in ContentMain content/app/content_main.cc:20:15
#53 0x55d1c305dd0c in ?? chrome/app/chrome_main.cc:84:12
#54 0x7fe7776cdec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
0x61700002918d is located 0 bytes to the right of 653-byte region [0x617000028f00,0x61700002918d)
allocated by thread T0 (chrome) here:
#0 0x55d1c3032621 in __interceptor_calloc ??:?
#1 0x55d1d27ade21 in ?? third_party/pdfium/core/fxcrt/include/fx_memory.h:39:22
#2 0x55d1d2d471d8 in ?? third_party/pdfium/core/fxge/ge/fx_ge_font.cpp:236:27
#3 0x55d1d28855b1 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_font.cpp:241:8
#4 0x55d1d29ade27 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_simplefont.cpp:111:5
#5 0x55d1d288df2e in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_type1font.cpp:102:10
#6 0x55d1d2887c23 in ?? third_party/pdfium/core/fpdfapi/fpdf_font/cpdf_font.cpp:383:8
#7 0x55d1d28b1a89 in GetFont third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_doc.cpp:249:22
#8 0x55d1d29faa30 in ?? third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1287:22
#9 0x55d1d29ef218 in Handle_SetFont third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1244:22
#10 0x55d1d29f3d39 in OnOperator third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:491:5
#11 0x55d1d29f8a77 in Parse third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1656:9
#12 0x55d1d28cb6ae in Continue third_party/pdfium/core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:846:13
#13 0x55d1d28aea60 in ContinueParse third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:28:3
#14 0x55d1d279dc72 in ?? third_party/pdfium/fpdfsdk/fpdfview.cpp:508:3
#15 0x55d1c44aaa2b in ?? pdf/pdfium/pdfium_page.cc:153:13
#16 0x55d1c4475e8a in FinishLoadingDocument pdf/pdfium/pdfium_engine.cc:1118:26
#17 0x55d1c44909f8 in ContinueLoadingDocument pdf/pdfium/pdfium_engine.cc:2515:5
Did this work before? N/A
Chrome version: 52.0.2705.0 (Developer Build) (64-bit) Channel: n/a
OS Version: 14.04
Flash Version:
Apr 11 2016
Thanks for the report. Chrome on Linux usually links with system freetype, which we cannot control. In this case (ASan build), Chrome uses the bundled freetype, but this is not the case in official builds.
Jul 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by marcin.t...@gmail.com, Apr 10 2016