Security: PDFium Out-Of-Bounds Read in XFA
Reported by stackexp...@gmail.com, May 27 2016
Issue description
VULNERABILITY DETAILS
There is an OOB read issue in PDFium.
This issue may not be stable; it can happen at multiple places.
I see that XFA is supported in Chrome 52.0.2743.10 dev-m.
So I think this is a security issue and must be fixed.
I found this issue with a self-developed fuzzer.
I thought the issue was caused by the malformed PDF file.
But I found out that the original normal seed file could crash pdfium_test directly after I did some difference-reduction work.
Firstly, let's have a look at some code where this issue can happen.
-------------- CASE 1 --------------
pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0x4c
[e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 213]
void CXFA_ScriptContext::GlobalPropertyGetter(CFXJSE_Value* pObject,
                                              const CFX_ByteStringC& szPropName,
                                              CFXJSE_Value* pValue) {
  CXFA_Object* pOriginalObject =
      (CXFA_Object*)FXJSE_Value_ToObject(pObject, nullptr);
  CXFA_Document* pDoc = pOriginalObject->GetDocument();
  CXFA_ScriptContext* lpScriptContext =
      (CXFA_ScriptContext*)pDoc->GetScriptContext();
  CXFA_Object* lpCurNode = lpScriptContext->GetVariablesThis(pOriginalObject);
  CFX_WideString wsPropName = CFX_WideString::FromUTF8(szPropName);
  if (lpScriptContext->GetType() == XFA_SCRIPTLANGTYPE_Formcalc) { <---------------- CRASHED
-------------- CASE 2 --------------
pdfium_test!CXFA_Object::IsNode
[e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 54]
  bool IsNode() const {
    return (m_uFlags & XFA_OBJECTTYPEMASK) >= XFA_OBJECTTYPE_Node; <---------------- CRASHED
  }
-------------- CASE 3 --------------
pdfium_test!CXFA_Document::GetXFAObject+0x169
[e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_document_imp.cpp @ 152]
    default:
      return m_pRootNode->GetFirstChildByName(dwNodeNameHash); <---------------- CRASHED
  }
-------------- CASE 4 --------------
pdfium_test!CXFA_FFDoc::GetDocProvider
[e:\pdfiumdev\repo\pdfium\xfa\fxfa\include\xfa_ffdoc.h @ 31]
class CXFA_FFDoc {
 public:
  CXFA_FFDoc(CXFA_FFApp* pApp, IXFA_DocProvider* pDocProvider);
  ~CXFA_FFDoc();
  IXFA_DocProvider* GetDocProvider() { return m_pDocProvider; } <---------------- CRASHED
Secondly, let's take one as an example. Here I'll post some information about CASE 2.
-------------------------------
Exception Information
-------------------------------
(19d8.2f50): Access violation - code c0000005 (!!! second chance !!!)
eax=0108eac0 ebx=00650073 ecx=3a108a0c edx=04891078 esi=303eafe8 edi=00000000
eip=0050d60b esp=0108eaa4 ebp=0108eac4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
pdfium_test!CXFA_Object::IsNode [inlined in pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0xdb]:
0050d60b 8b4104 mov eax,dword ptr [ecx+4] ds:002b:3a108a10=????????
-------------------------------
Stack Trace Information
-------------------------------
0:000> k
pdfium_test!CXFA_Object::IsNode [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 54]
pdfium_test!CXFA_Object::AsNode+0x6 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 765]
pdfium_test!ToNode+0x6 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 786]
pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0xdb [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 231]
pdfium_test!FXJSE_DynPropGetterAdapter+0x115 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\dynprop.cpp @ 47]
pdfium_test!FXJSE_V8_GenericNamedPropertyGetterCallback+0xb1 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\dynprop.cpp @ 169]
pdfium_test!v8::internal::PropertyCallbackArguments::Call+0x7e [e:\pdfiumdev\repo\pdfium\v8\src\api-arguments.h @ 128]
pdfium_test!v8::internal::JSObject::GetPropertyWithInterceptor+0x12f [e:\pdfiumdev\repo\pdfium\v8\src\objects.cc @ 15573]
pdfium_test!v8::internal::Object::GetProperty+0x2d [e:\pdfiumdev\repo\pdfium\v8\src\objects.cc @ 729]
pdfium_test!v8::internal::LoadIC::Load+0x312 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 652]
pdfium_test!v8::internal::__RT_impl_Runtime_LoadIC_Miss+0x135 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 2044]
pdfium_test!v8::internal::Runtime_LoadIC_Miss+0x162 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 2025]
not in any known module. Following frames may be wrong.
0x3fb0b77e
pdfium_test!v8::internal::`anonymous namespace'::Invoke+0xf0 [e:\pdfiumdev\repo\pdfium\v8\src\execution.cc @ 97]
pdfium_test!v8::internal::Execution::Call+0x130 [e:\pdfiumdev\repo\pdfium\v8\src\execution.cc @ 153]
pdfium_test!v8::Script::Run+0x1e4 [e:\pdfiumdev\repo\pdfium\v8\src\api.cc @ 1797]
pdfium_test!v8::Script::Run+0x3b [e:\pdfiumdev\repo\pdfium\v8\src\api.cc @ 1811]
pdfium_test!CFXJSE_Context::ExecuteScript+0x68 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\context.cpp @ 169]
pdfium_test!FXJSE_ExecuteScript+0x14 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\context.cpp @ 75]
pdfium_test!CXFA_ScriptContext::RunVariablesScript+0x106 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 483]
pdfium_test!CXFA_ScriptContext::GetJSValueFromMap+0x25 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 729]
pdfium_test!CXFA_ScriptContext::QueryNodeByFlag+0x6c [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 191]
pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0x11e [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 235]
pdfium_test!FXJSE_DynPropGetterAdapter+0x115 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\dynprop.cpp @ 47]
pdfium_test!FXJSE_V8_GenericNamedPropertyGetterCallback+0xb1 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\dynprop.cpp @ 169]
pdfium_test!v8::internal::PropertyCallbackArguments::Call+0x7e [e:\pdfiumdev\repo\pdfium\v8\src\api-arguments.h @ 128]
pdfium_test!v8::internal::JSObject::GetPropertyWithInterceptor+0x12f [e:\pdfiumdev\repo\pdfium\v8\src\objects.cc @ 15573]
pdfium_test!v8::internal::Object::GetProperty+0x2d [e:\pdfiumdev\repo\pdfium\v8\src\objects.cc @ 729]
pdfium_test!v8::internal::LoadIC::Load+0x312 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 652]
pdfium_test!v8::internal::__RT_impl_Runtime_LoadIC_Miss+0x135 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 2044]
pdfium_test!v8::internal::Runtime_LoadIC_Miss+0x162 [e:\pdfiumdev\repo\pdfium\v8\src\ic\ic.cc @ 2025]
0x3fb0b77e
pdfium_test!v8::internal::`anonymous namespace'::Invoke+0xf0 [e:\pdfiumdev\repo\pdfium\v8\src\execution.cc @ 97]
pdfium_test!v8::internal::Execution::Call+0x130 [e:\pdfiumdev\repo\pdfium\v8\src\execution.cc @ 153]
pdfium_test!v8::Function::Call+0x18d [e:\pdfiumdev\repo\pdfium\v8\src\api.cc @ 4532]
pdfium_test!v8::Function::Call+0x34 [e:\pdfiumdev\repo\pdfium\v8\src\api.cc @ 4543]
pdfium_test!CFXJSE_Context::ExecuteScript+0x101 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\context.cpp @ 195]
pdfium_test!FXJSE_ExecuteScript+0x14 [e:\pdfiumdev\repo\pdfium\xfa\fxjse\context.cpp @ 75]
pdfium_test!CXFA_ScriptContext::RunScript+0x13b [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 141]
pdfium_test!CXFA_WidgetAcc::ExecuteScript+0x129 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 653]
pdfium_test!CXFA_WidgetAcc::ProcessEvent+0x5f [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 328]
pdfium_test!CXFA_WidgetAcc::ProcessEvent+0xcd [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 310]
pdfium_test!XFA_ProcessEvent+0x5b [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp @ 430]
pdfium_test!CXFA_FFDocView::ExecEventActivityByDeepFirst+0x123 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp @ 478]
pdfium_test!CXFA_FFDocView::ExecEventActivityByDeepFirst+0xc5 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp @ 465]
pdfium_test!CXFA_FFDocView::InitLayout+0x17 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp @ 73]
pdfium_test!CXFA_FFDocView::StartLayout+0x87 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp @ 90]
pdfium_test!CPDFXFA_Document::LoadXFADoc+0xb9 [e:\pdfiumdev\repo\pdfium\fpdfsdk\fpdfxfa\fpdfxfa_doc.cpp @ 124]
pdfium_test!FPDF_LoadXFA+0xf [e:\pdfiumdev\repo\pdfium\fpdfsdk\fpdfview.cpp @ 381]
pdfium_test!RenderPdf+0x266 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 668]
pdfium_test!main+0x42e [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 836]
pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
VERSION
PDFium: latest master version built with VS2015.
Chrome Version: [52.0.2743.10] + [dev]
Operating System: Windows 7
REPRODUCTION CASE
See attachment.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
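The WinDbg output above already contains the facts a first triage needs, and those steps can be scripted. The helper below is an added example, not code from the report or from PDFium: it takes the exception record and `k` trace quoted above as constructed sample input, cross-checks the faulting effective address (ecx + 4 = 3a108a10) against the register dump, notes that the target page is unmapped (the ???????? value), derives a crash-state signature from the first three PDFium-owned frames, and counts how often GlobalPropertyGetter sits on the stack. The crash-state rule and the 64 KiB near-null threshold are simplified assumptions of mine, not ClusterFuzz's actual algorithm.

```python
# Added triage helper (not part of the report): parse the WinDbg register dump,
# faulting instruction and `k` stack trace, classify the read, and derive a
# ClusterFuzz-style crash state from the project's own frames.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a subset of the WinDbg lines quoted in CASE 2 above.
EXCEPTION_TEXT = r"""
(19d8.2f50): Access violation - code c0000005 (!!! second chance !!!)
eax=0108eac0 ebx=00650073 ecx=3a108a0c edx=04891078 esi=303eafe8 edi=00000000
eip=0050d60b esp=0108eaa4 ebp=0108eac4 iopl=0 nv up ei pl nz na pe nc
0050d60b 8b4104 mov eax,dword ptr [ecx+4] ds:002b:3a108a10=????????
"""
STACK_TEXT = r"""
pdfium_test!CXFA_Object::IsNode [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 54]
pdfium_test!CXFA_Object::AsNode+0x6 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 765]
pdfium_test!ToNode+0x6 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_object.h @ 786]
pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0xdb [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 231]
pdfium_test!v8::internal::PropertyCallbackArguments::Call+0x7e [e:\pdfiumdev\repo\pdfium\v8\src\api-arguments.h @ 128]
not in any known module. Following frames may be wrong.
0x3fb0b77e
pdfium_test!CXFA_ScriptContext::RunVariablesScript+0x106 [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 483]
pdfium_test!CXFA_ScriptContext::GlobalPropertyGetter+0x11e [e:\pdfiumdev\repo\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp @ 235]
kernel32!BaseThreadInitThunk+0xe
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-fA-F]{8})")
# WinDbg prints the displacement and the "ds:<sel>:<addr>" effective address in hex.
FAULT_RE = re.compile(r"(?P<size>byte|word|dword|qword) ptr \[(?P<base>[a-z0-9]+)(?P<disp>[+-][0-9a-fA-F]+)?\]"
                      r"\s+ds:[0-9a-fA-F]+:(?P<ea>[0-9a-fA-F]+)=(?P<value>\S+)")
FRAME_RE = re.compile(r"^(?P<module>[\w.]+)!(?P<func>.+?)(?:\+0x[0-9a-fA-F]+)?"
                      r"(?:\s+\[(?P<file>[^\]@]+?)\s+@\s+(?P<line>\d+)\])?\s*$")
UNKNOWN_RE = re.compile(r"^0x[0-9a-fA-F]+$")  # return address WinDbg could not symbolize
WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
PROJECT_MARK = "\\pdfium\\"          # path component of pdfium's own sources
IGNORED_MARKS = ("\\pdfium\\v8\\",)  # bundled V8: not part of the bug's signature
NEAR_NULL_LIMIT = 0x10000            # heuristic: the first 64 KiB are never mapped on Windows

@dataclass(frozen=True)
class Frame:
    module: Optional[str]  # None for an unsymbolized address
    func: str
    file: Optional[str] = None
    line: Optional[int] = None

@dataclass(frozen=True)
class Fault:
    registers: Dict[str, int]
    base: str
    disp: int
    effective: int  # the address WinDbg reports after "ds:<selector>:"
    width: int
    readable: bool  # False when WinDbg shows "????????" (page absent from the dump)

    @property
    def consistent(self) -> bool:
        """Cross-check: base register + displacement must equal the reported address."""
        base_val = self.registers.get(self.base)
        return base_val is not None and (base_val + self.disp) & 0xFFFFFFFF == self.effective

def parse_fault(text: str) -> Fault:
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no faulting memory operand found")
    return Fault(regs, m["base"], int(m["disp"], 16) if m["disp"] else 0,
                 int(m["ea"], 16), WIDTH[m["size"]], "?" not in m["value"])

def classify(fault: Fault) -> str:
    """Rough bucket for the faulting read; the near-null threshold is a heuristic."""
    if fault.effective < NEAR_NULL_LIMIT:
        return "near-null read (unchecked null pointer)"
    if not fault.readable:
        return "wild read from unmapped memory (dangling or garbage pointer)"
    return "read from a mapped page (inspect page protection)"

def parse_stack(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(m["module"], m["func"], m["file"], int(m["line"]) if m["line"] else None))
        elif UNKNOWN_RE.match(line):
            frames.append(Frame(None, line))
        # anything else ("not in any known module...") is a WinDbg annotation, not a frame
    return frames

def crash_state(frames: List[Frame], depth: int = 3) -> List[str]:
    """Top `depth` frames from the project's own sources: the idea behind the crash
    state ClusterFuzz deduplicates on, not its exact rules."""
    state = [f.func for f in frames if PROJECT_MARK in (f.file or "").lower()
             and not any(mark in f.file.lower() for mark in IGNORED_MARKS)]
    return state[:depth]

def count_frames(frames: List[Frame], func: str) -> int:
    return sum(1 for f in frames if f.func == func)  # how deep a getter re-entered via script recursed

if __name__ == "__main__":
    fault, frames = parse_fault(EXCEPTION_TEXT), parse_stack(STACK_TEXT)
    print(f"{fault.width}-byte read via [{fault.base}+{fault.disp:#x}] at {fault.effective:#010x}: "
          f"{classify(fault)}; registers consistent: {fault.consistent}")
    print("crash state:", " / ".join(crash_state(frames)))
    print("GlobalPropertyGetter frames:", count_frames(frames, "CXFA_ScriptContext::GlobalPropertyGetter"))
```

Run it with python3 to print the summary. On this trace the read is a 4-byte load from 0x3a108a10, far from the null page and from a page that is not present in the dump, so it is a wild pointer rather than an unchecked null; the signature comes out as IsNode / AsNode / ToNode and the getter appears twice on the stack, which fits the reporter's observation that several crash sites share one cause. ClusterFuzz's own state for the Linux ASan build (XFA_GetMethodByName / NormalPropTypeGetter / FXJSE_V8_GenericNamedPropertyGetterCallback) is different, which is a reminder to compare signatures across builds and sanitizers before deduplicating.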
Comment by ClusterFuzz, May 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6310941478354944
Uploader: meacer@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x000003ee372c
Crash State:
  XFA_GetMethodByName
  CXFA_ScriptContext::NormalPropTypeGetter
  FXJSE_V8_GenericNamedPropertyGetterCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Minimized Testcase (332.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9688O090sgZAiUFWKtPB5s44XxZ9cEE2MKvYnCYYRJCJt_Y25eugFkODfodcFdJiPqnTgANZv0V8S8rglDZB-wqPLV_Y8JJBeDQ0q2i0GHqTTYZS5RfCLIkjZsoTr7ij54KeXexlmQJ9iKPyfei9Lg23fQmiWGYCyAicWr89MYsTwIgCT0
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, May 27 2016
@stackexploit: Sorry, clusterfuzz was faster this time :)
Comment, May 28 2016
@meacer: In fact, I submitted an issue a long time ago but you did not fix it. Now I submitted it again but you told me it's a duplicate. I'm sad to hear that. For more details, please see Issue 591006: https://bugs.chromium.org/p/chromium/issues/detail?id=591006
Comment by ClusterFuzz, Jun 3 2016
ClusterFuzz has detected this issue as fixed in range 397239:397396.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6310941478354944
Uploader: meacer@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x000003ee372c
Crash State:
  XFA_GetMethodByName
  CXFA_ScriptContext::NormalPropTypeGetter
  FXJSE_V8_GenericNamedPropertyGetterCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=397239:397396
Minimized Testcase (332.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9688O090sgZAiUFWKtPB5s44XxZ9cEE2MKvYnCYYRJCJt_Y25eugFkODfodcFdJiPqnTgANZv0V8S8rglDZB-wqPLV_Y8JJBeDQ0q2i0GHqTTYZS5RfCLIkjZsoTr7ij54KeXexlmQJ9iKPyfei9Lg23fQmiWGYCyAicWr89MYsTwIgCT0
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment by Sheriffbot, Sep 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment by Sheriffbot, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment by Sheriffbot, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot