Security: UNKNOWN in CXFA_ScriptContext::GlobalPropertyGetter
Reported by chromium...@gmail.com, May 23 2016
Issue description

VERSION
Chrome Version: 53.0.2745.0 canary
Operating System: Windows 7

REPRODUCTION CASE
1. Open testcase.pdf on chrome
2. Crash!

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

eax=0025d900 ebx=037b6bf0 ecx=00000000 edx=8bb4458d esi=58e1264c edi=00000000
eip=5a9d2930 esp=0025d8d8 ebp=0025d8d8 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!ToNode+0xc:
5a9d2930 8b4204          mov     eax,dword ptr [edx+4] ds:0023:8bb44591=????????

0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
0025d8d8 5a9f7005 chrome_child!ToNode+0xc [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_object.h @ 786]
0025d904 5aa4a7a6 chrome_child!CXFA_ScriptContext::GlobalPropertyGetter+0xb1 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 187]
0025d93c 5aa4aacc chrome_child!FXJSE_DynPropGetterAdapter+0xf7 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxjse\dynprop.cpp @ 48]
0025d978 58fc202c chrome_child!FXJSE_V8_GenericNamedPropertyGetterCallback+0x81 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxjse\dynprop.cpp @ 177]
0025d9c4 591024f2 chrome_child!v8::internal::PropertyCallbackArguments::Call+0x89 [c:\b\build\slave\win\build\src\v8\src\api-arguments.h @ 129]
0025da2c 58fc18ef chrome_child!v8::internal::JSObject::GetPropertyWithInterceptor+0x166 [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 15076]
0025da60 58fe506a chrome_child!v8::internal::Object::GetProperty+0x3f [c:\b\build\slave\win\build\src\v8\src\objects.cc @ 834]
0025db1c 58fe497a chrome_child!v8::internal::LoadIC::Load+0x33b [c:\b\build\slave\win\build\src\v8\src\ic\ic.cc @ 654]
0025dc1c 0025dc44 chrome_child!v8::internal::Runtime_LoadIC_Miss+0x1a5 [c:\b\build\slave\win\build\src\v8\src\ic\ic.cc @ 2256]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0025dd1c 58fe457a <Unloaded_㮷晓⠫㋝慸㵋᫉໖꜔獫㝣⊻놺㳔肧㤋㹠⛢ퟨ㊎텬燴䘛糉ᇌ㧙颛ŗㅽ䘏㹠⛢>+0x25dc44
0025dd88 58fe4462 chrome_child!v8::internal::`anonymous namespace'::Invoke+0x10c [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 98]
0025ddc8 590a4e10 chrome_child!v8::internal::Execution::Call+0x132 [c:\b\build\slave\win\build\src\v8\src\execution.cc @ 154]
0025de48 59714646 chrome_child!v8::Function::Call+0x1eb [c:\b\build\slave\win\build\src\v8\src\api.cc @ 4472]
0025de6c 5aa1443f chrome_child!v8::Function::Call+0x34 [c:\b\build\slave\win\build\src\v8\src\api.cc @ 4483]
0025dedc 5aa14793 chrome_child!CFXJSE_Context::ExecuteScript+0x128 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxjse\context.cpp @ 207]
0025def0 5a9f7e42 chrome_child!FXJSE_ExecuteScript+0x14 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxjse\context.cpp @ 88]
0025df2c 5a9da344 chrome_child!CXFA_ScriptContext::RunScript+0x120 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 96]
0025df88 5a9db92d chrome_child!CXFA_WidgetAcc::ExecuteScript+0x107 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 653]
0025dfa4 5a9db998 chrome_child!CXFA_WidgetAcc::ProcessEvent+0x61 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 328]
0025dfd4 5a9e1c6c chrome_child!CXFA_WidgetAcc::ProcessEvent+0x65 [c:\b\build\slave\win\build\src\third_party\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 310]
May 23 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4637502212407296
May 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5896656398057472

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0003bfff8033
Crash State:
  CXFA_ScriptContext::GlobalPropertyGetter
  FXJSE_V8_GenericNamedPropertyGetterCallback
  v8::internal::PropertyCallbackArguments::Call

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893

Minimized Testcase (263.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kH7LjSeo5DDR5xAGH8YFZL62nbj14G03Sxw9wWijPLQaiPZYIr4qeHoV5c9Tsvn0WmxjTul9mTg06jfxJ3SqP6v-BnT6R_W43bfCz2cgA8z2npY9hHWfX-7K-ANeteCV0SrGB6jp0oVfWo06lAdAlWImRYoPe71FmV8p3NTWi-rZmfEQ

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
Jun 3 2016
ClusterFuzz has detected this issue as fixed in range 397239:397396.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4637502212407296

Uploader: ochang@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0003bfff8033
Crash State:
  CXFA_ScriptContext::GlobalPropertyGetter
  FXJSE_V8_GenericNamedPropertyGetterCallback
  v8::internal::PropertyCallbackArguments::Call

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=397239:397396

Minimized Testcase (741.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97-f5DStPkyqJjvQhp8LYSAHqrMjxr1peGttpbLsIEixcs1gYxovqgvMNQQUy2_8wk9c3urlngJVyoAZs1T44OgpSvYO7n1Iz-YkKw46GqHISilYQ0FivK4fB0_lre8RLOnXqb7D9qHZ5piactoQgw2Unpm1k0wm5ZhbngHklGxkBJpskY

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 397239:397396.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5896656398057472

Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0003bfff8033
Crash State:
  CXFA_ScriptContext::GlobalPropertyGetter
  FXJSE_V8_GenericNamedPropertyGetterCallback
  v8::internal::PropertyCallbackArguments::Call

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=397239:397396

Minimized Testcase (263.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Qu6Arvm4mHUVuJaVxmdlpB-OzYbV4xBFQpIo2sqn2saQNAiCuvL0S3Oh0qqZ0xaTruiZ2IklzXaJfAqrdfeiBHTDk7tpAHu5leCWRXAYcEOgbFO5c4KB5gp6iAw_NSVLNBYiWCY_mhimsuH9pADycAy7ZAIqonT--nBlnBUzCU-Td7eY

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by lgar...@chromium.org
May 23 2016
Labels: -Type-Bug-Security Type-Bug
Owner: och...@chromium.org
Status: Assigned (was: Unconfirmed)
Attachment: 110 KB