Issue metadata
Security: SEGV on unknown address 0x559e12793e60
Reported by
marcin.t...@gmail.com,
Apr 10 2016
Issue description
VULNERABILITY DETAILS
SEGV on unknown address 0x559e12793e60
VERSION
Chrome Version: asan-symbolized-linux-release-386315
Operating System: Ubuntu 14.04
REPRODUCTION CASE
1. Open pdf_crash1.pdf in the browser
2. Wait for the crash without ASAN
3. Hit the refresh button in the browser; it crashes with ASAN
Asan info:
==26330==ERROR: AddressSanitizer: SEGV on unknown address 0x559e12793e60 (pc 0x559d8bc55284 bp 0x7fff851cfca0 sp 0x7fff851cfbc0 T0)
==26330==The signal is caused by a READ memory access.
#0 0x559d8bc55283 in ?? third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1572:21
#1 0x559d8bc54955 in LookUpGlyphBitmap third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1305:35
#2 0x559d8bc5281c in ?? third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1361:10
#3 0x559d8bc43b8b in DrawNormalText third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:306:24
#4 0x559d8b876811 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:727:10
#5 0x559d8b872293 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:319:10
#6 0x559d8b81fb1d in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:396:14
#7 0x559d8b8202d9 in ContinueSingleObject third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:339:3
#8 0x559d8b8295b3 in Continue third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1103:13
#9 0x559d8b828903 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1064:3
#10 0x559d8b67ab06 in ?? third_party/pdfium/fpdfsdk/fpdfview.cpp:935:3
#11 0x559d8b6891d4 in ?? third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:61:3
#12 0x559d7d34be61 in ContinuePaint pdf/pdfium/pdfium_engine.cc:2711:10
#13 0x559d7d34a72b in Paint pdf/pdfium/pdfium_engine.cc:958:11
#14 0x559d7d3a938e in OnPaint pdf/out_of_process_instance.cc:719:7
#15 0x559d7d3c0702 in DoPaint pdf/paint_manager.cc:204:3
#16 0x559d7d3c2720 in ?? pdf/paint_manager.cc:291:5
#17 0x559d7d3c316d in ?? ppapi/utility/completion_callback_factory.h:607:9
#18 0x559d7d3c2ec9 in ?? ppapi/utility/completion_callback_factory.h:584:7
#19 0x559d8563b476 in ?? ppapi/shared_impl/proxy_lock.h:135:10
#20 0x559d8563a288 in ?? ppapi/shared_impl/tracked_callback.cc:141:7
#21 0x559d89edc86b in ?? base/bind_internal.h:311:5
#22 0x559d89efe11f in OnReplyReceived ppapi/proxy/plugin_resource.cc:54:5
#23 0x559d89efb523 in ?? ppapi/proxy/plugin_message_filter.cc:116:3
#24 0x559d89efd420 in ?? base/bind_internal.h:311:5
#25 0x559d7d632470 in ?? base/debug/task_annotator.cc:51:3
#26 0x559d7d499669 in ?? base/message_loop/message_loop.cc:479:3
#27 0x559d7d49a58d in DeferOrRunPendingTask base/message_loop/message_loop.cc:488:5
#28 0x559d7d49ac85 in DoWork base/message_loop/message_loop.cc:600:13
#29 0x559d7d4a81e2 in ?? base/message_loop/message_pump_default.cc:33:21
#30 0x559d7d498b84 in RunHandler base/message_loop/message_loop.cc:443:3
#31 0x559d7d50c8c4 in ?? base/run_loop.cc:35:3
#32 0x559d7d4962f8 in ?? base/message_loop/message_loop.cc:295:3
#33 0x559d8c287486 in PpapiPluginMain content/ppapi_plugin/ppapi_plugin_main.cc:162:3
#34 0x559d7d337860 in RunZygote content/app/content_main_runner.cc:306:14
#35 0x559d7d338d5f in RunNamedProcessTypeMain content/app/content_main_runner.cc:389:12
#36 0x559d7d33bfc5 in ?? content/app/content_main_runner.cc:742:12
#37 0x559d7d33695d in ContentMain content/app/content_main.cc:20:15
#38 0x559d7bf39d0c in ?? chrome/app/chrome_main.cc:84:12
#39 0x7f319e879ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/xgx/Downloads/asan-symbolized-linux-release-386315/chrome+0x12a51283)
==26330==ABORTING
ASAN:DEADLYSIGNAL
=================================================================
==26361==ERROR: AddressSanitizer: SEGV on unknown address 0x559e12793e60 (pc 0x559d8bc55284 bp 0x7fff851cfca0 sp 0x7fff851cfbc0 T0)
==26361==The signal is caused by a READ memory access.
#0 0x559d8bc55283 in ?? third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1572:21
#1 0x559d8bc54955 in LookUpGlyphBitmap third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1305:35
#2 0x559d8bc5281c in ?? third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:1361:10
#3 0x559d8bc43b8b in DrawNormalText third_party/pdfium/core/fxge/ge/fx_ge_text.cpp:306:24
#4 0x559d8b876811 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:727:10
#5 0x559d8b872293 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render_text.cpp:319:10
#6 0x559d8b81fb1d in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:396:14
#7 0x559d8b8202d9 in ContinueSingleObject third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:339:3
#8 0x559d8b8295b3 in Continue third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1103:13
#9 0x559d8b828903 in ?? third_party/pdfium/core/fpdfapi/fpdf_render/fpdf_render.cpp:1064:3
#10 0x559d8b67ab06 in ?? third_party/pdfium/fpdfsdk/fpdfview.cpp:935:3
#11 0x559d8b6891d4 in ?? third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:61:3
#12 0x559d7d34be61 in ContinuePaint pdf/pdfium/pdfium_engine.cc:2711:10
#13 0x559d7d34a72b in Paint pdf/pdfium/pdfium_engine.cc:958:11
#14 0x559d7d3a938e in OnPaint pdf/out_of_process_instance.cc:719:7
#15 0x559d7d3c0702 in DoPaint pdf/paint_manager.cc:204:3
#16 0x559d7d3c2720 in ?? pdf/paint_manager.cc:291:5
#17 0x559d7d3c316d in ?? ppapi/utility/completion_callback_factory.h:607:9
#18 0x559d7d3c2ec9 in ?? ppapi/utility/completion_callback_factory.h:584:7
#19 0x559d8563b476 in ?? ppapi/shared_impl/proxy_lock.h:135:10
#20 0x559d8563a288 in ?? ppapi/shared_impl/tracked_callback.cc:141:7
#21 0x559d89edc86b in ?? base/bind_internal.h:311:5
#22 0x559d89efe11f in OnReplyReceived ppapi/proxy/plugin_resource.cc:54:5
#23 0x559d89efb523 in ?? ppapi/proxy/plugin_message_filter.cc:116:3
#24 0x559d89efd420 in ?? base/bind_internal.h:311:5
#25 0x559d7d632470 in ?? base/debug/task_annotator.cc:51:3
#26 0x559d7d499669 in ?? base/message_loop/message_loop.cc:479:3
#27 0x559d7d49a58d in DeferOrRunPendingTask base/message_loop/message_loop.cc:488:5
#28 0x559d7d49ac85 in DoWork base/message_loop/message_loop.cc:600:13
#29 0x559d7d4a81e2 in ?? base/message_loop/message_pump_default.cc:33:21
#30 0x559d7d498b84 in RunHandler base/message_loop/message_loop.cc:443:3
Apr 11 2016
Jul 21 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by kenrb@chromium.org, Apr 11 2016
Labels: Security_Severity-Medium M-51 Security_Impact-Stable OS-All Pri-1
Owner: och...@chromium.org
Status: Assigned (was: Unconfirmed)