Issue metadata
global-buffer-overflow on address 0x000004efea4b
Reported by
marcin.t...@gmail.com,
Apr 10 2016
Issue description
VULNERABILITY DETAILS
global-buffer-overflow in pdfium.
VERSION
Operating System: Ubuntu 14.04 LTS
!IMPORTANT
Pdfium crashed on a debug build with asan=1, pulled through gsync on Apr 10 17:50.
Everything was built with ninja.
REPRODUCTION CASE
ASan info:
=================================================================
==17322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000004efea4b at pc 0x000001434518 bp 0x7fffc31280f0 sp 0x7fffc31280e8
READ of size 1 at 0x000004efea4b thread T0
#0 0x1434517 in RenderGlyph /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1572:21
#1 0x1433af2 in LookUpGlyphBitmap /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1305:35
#2 0x142ce55 in LoadGlyphBitmap /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1361:10
#3 0x1415f46 in DrawNormalText /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:306:24
#4 0xa99bc8 in DrawNormalText /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:727:10
#5 0xa93836 in ProcessText /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:319:10
#6 0x9ed16d in ProcessObjectNoClip /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:396:14
#7 0x9ee7f4 in ContinueSingleObject /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:339:3
#8 0x9fec32 in Continue /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1103:13
#9 0x9fce81 in Start /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1064:3
#10 0x52dd5c in FPDF_RenderPage_Retail /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:935:3
#11 0x52c75f in FPDF_RenderPageBitmap /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:668:3
#12 0x4ebf7d in RenderPage /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/samples/pdfium_test.cc:448:3
#13 0x4ef217 in RenderPdf /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/samples/pdfium_test.cc:626:9
#14 0x4f0a52 in main /home/mtowalski/chromium/src/out/Debug/../../third_party/pdfium/samples/pdfium_test.cc:748:7
#15 0x7f9a73894ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
0x000004efea4b is located 21 bytes to the left of global variable '' defined in '../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp' (0x4efea60) of size 53
'' is ascii string '../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp'
0x000004efea4b is located 42 bytes to the right of global variable '<string literal>' defined in '../../third_party/pdfium/core/fxcrt/include/fx_string.h:172:71' (0x4efea20) of size 1
'<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/mtowalski/chromium/src/out/Debug/pdfium_test+0x1434517)
Shadow bytes around the buggy address:
0x0000809d7cf0: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000809d7d00: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 07 f9 f9
0x0000809d7d10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 05 f9
0x0000809d7d20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 03 f9 f9
0x0000809d7d30: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 f9
=>0x0000809d7d40: f9 f9 f9 f9 01 f9 f9 f9 f9[f9]f9 f9 00 00 00 00
0x0000809d7d50: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000809d7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000809d7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000809d7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000809d7d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17322==ABORTING
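The "located N bytes to the left/right" lines and the shadow-byte dump in a report like this can be reconciled by hand, which is a quick way to confirm the report is internally consistent before triage. The script below is an added example for that check; it is not part of the bug report or of pdfium. It assumes ASan's default x86-64 Linux shadow mapping, Shadow = (Addr >> 3) + 0x7fff8000, and embeds a constructed excerpt of the report above as its input.

```python
"""Cross-check an AddressSanitizer global-buffer-overflow report.

Added triage example (not pdfium code). Assumes the default x86-64 Linux
shadow mapping: Shadow = (Addr >> 3) + 0x7fff8000.
"""
import re

SHADOW_SCALE = 3            # one shadow byte covers 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # default ASan shadow offset on x86-64 Linux

# Shadow-byte meanings, taken from ASan's own legend.
LEGEND = {
    0x00: "addressable", 0xF9: "global redzone", 0xFA: "heap left redzone",
    0xFB: "heap right redzone", 0xFD: "freed heap region",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF5: "stack after return",
    0xF8: "stack use after scope", 0xF7: "poisoned by user",
    0xFC: "container overflow",
}

# Constructed excerpt of the report above: only the lines the checks read.
SAMPLE_REPORT = """\
==17322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000004efea4b at pc 0x000001434518 bp 0x7fffc31280f0 sp 0x7fffc31280e8
READ of size 1 at 0x000004efea4b thread T0
0x000004efea4b is located 21 bytes to the left of global variable '' defined in '../../third_party/pdfium/core/fxge/ge/fx_ge_text.cpp' (0x4efea60) of size 53
0x000004efea4b is located 42 bytes to the right of global variable '<string literal>' defined in '../../third_party/pdfium/core/fxcrt/include/fx_string.h:172:71' (0x4efea20) of size 1
=>0x0000809d7d40: f9 f9 f9 f9 01 f9 f9 f9 f9[f9]f9 f9 00 00 00 00
"""

NEIGHBOUR_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of global variable '(.*?)' "
    r"defined in '(.*?)' \((0x[0-9a-f]+)\) of size (\d+)")


def shadow_address(addr):
    """Application address -> address of the shadow byte that covers it."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def application_address(shadow_addr):
    """Shadow byte address -> first application address it covers."""
    return (shadow_addr - SHADOW_OFFSET) << SHADOW_SCALE


def describe_shadow_byte(value):
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return LEGEND.get(value, f"unknown 0x{value:02x}")


def parse_report(text):
    """Pull the faulting access, neighbouring globals and marked shadow row."""
    m = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    bug_type, bad_addr = m.group(1), int(m.group(2), 16)
    m = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text, re.M)
    access, size = m.group(1), int(m.group(2))
    neighbours = [
        {"distance": int(n.group(1)), "side": n.group(2), "name": n.group(3),
         "file": n.group(4), "addr": int(n.group(5), 16), "size": int(n.group(6))}
        for n in NEIGHBOUR_RE.finditer(text)]
    m = re.search(r"^=>(0x[0-9a-f]+):\s*(.*)$", text, re.M)
    tokens = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))  # "[f9]" marks the hit
    row = {"addr": int(m.group(1), 16),
           "bytes": [int(t.strip("[]"), 16) for t in tokens],
           "marked": next(i for i, t in enumerate(tokens) if t.startswith("["))}
    return {"bug_type": bug_type, "bad_addr": bad_addr, "access": access,
            "size": size, "neighbours": neighbours, "row": row}


def check_neighbour_distances(report):
    """True if every 'N bytes to the left/right' claim matches the addresses."""
    bad = report["bad_addr"]
    for n in report["neighbours"]:
        if n["side"] == "left":          # bad address lies before the global
            expected = n["addr"] - bad
        else:                            # bad address lies after its end
            expected = bad - (n["addr"] + n["size"])
        if expected != n["distance"]:
            return False
    return True


def locate_shadow_byte(report):
    """Map the faulting address into the marked shadow row and classify it."""
    sh = shadow_address(report["bad_addr"])
    row = report["row"]
    idx = sh - row["addr"]
    value = row["bytes"][idx]
    return {"shadow_addr": sh, "index": idx, "value": value,
            "matches_marker": idx == row["marked"],
            "meaning": describe_shadow_byte(value)}


def redzone_end(report):
    """Application address of the first addressable byte after the hit."""
    row = report["row"]
    for i in range(row["marked"] + 1, len(row["bytes"])):
        if row["bytes"][i] == 0x00:
            return application_address(row["addr"] + i)
    return None


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["bug_type"], rep["access"], "of", rep["size"], "at", hex(rep["bad_addr"]))
    print("neighbour distances consistent:", check_neighbour_distances(rep))
    print("shadow byte:", locate_shadow_byte(rep))
    print("redzone ends at:", hex(redzone_end(rep)))
```

On this report every number reconciles: 0x4efea4b maps to shadow byte 9 of the marked row (the bracketed f9, a global redzone); the 01 at index 4 is the 1-byte '<string literal>' global at 0x4efea20; and the first addressable shadow byte after the hit maps back to 0x4efea60, the start of the 53-byte global. A report whose figures do not line up this way is worth re-running against a matching binary before anyone spends time on the trace.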
Apr 11 2016
Jul 21 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by kenrb@chromium.org, Apr 11 2016
Labels: Security_Severity-High Security_Impact-Stable OS-All Pri-1
Owner: och...@chromium.org
Status: Assigned (was: Unconfirmed)