Security: PDFium: Out-of-Bounds Read in CXFA_Document::GetScriptContext
Reported by stackexp...@gmail.com, May 30 2016
Issue description
VULNERABILITY DETAILS
The attached PDF document could crash windows_asan_pdfium.
D:\Downloads\asan-win32-release-396634>pdfium_test.exe poc.pdf
Rendering PDF file poc.pdf.
=================================================================
==13812==ERROR: AddressSanitizer: global-buffer-overflow on address 0x045f8440 at pc 0x0213c5d0 bp 0xdeadbeef sp 0x0030c238
READ of size 4 at 0x045f8440 thread T0
#0 0x213c5cf in CXFA_Document::GetScriptContext(void) C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_imp.cpp:240:8
#1 0x219e653 in CXFA_ScriptContext::NormalPropTypeGetter(class CFXJSE_Value *,class CFX_StringCTemplate<char> const &,int) C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp:365:52
#2 0x23b8b85 in FXJSE_V8_GenericNamedPropertyGetterCallback C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxjse\dynprop.cpp:167:30
#3 0x1d5dade in v8::internal::PropertyCallbackArguments::Call(void (*)(class v8::Local<class v8::Name>,class v8::PropertyCallbackInfo<class v8::Value> const &),class v8::internal::Handle<class v8::internal::Name>) C:\b\build\slave\Win_ASan_Release\build\src\v8\src\api-arguments.h:129:3
#4 0x30655ac in v8::internal::JSObject::GetPropertyWithInterceptor(class v8::internal::LookupIterator *,bool *) C:\b\build\slave\Win_ASan_Release\build\src\v8\src\objects.cc:15198:19
#5 0x30625a6 in v8::internal::Object::GetProperty(class v8::internal::LookupIterator *) C:\b\build\slave\Win_ASan_Release\build\src\v8\src\objects.cc:834:9
#6 0x1cfb85d in v8::internal::LoadIC::Load(class v8::internal::Handle<class v8::internal::Object>,class v8::internal::Handle<class v8::internal::Name>) C:\b\build\slave\Win_ASan_Release\build\src\v8\src\ic\ic.cc:654:5
#7 0x1d23c2d in v8::internal::Runtime_LoadIC_Miss(int,class v8::internal::Object * *,class v8::internal::Isolate *) C:\b\build\slave\Win_ASan_Release\build\src\v8\src\ic\ic.cc:2256
0x045f8440 is located 12 bytes to the right of global variable 'switch.table' defined in '..\..\third_party\pdfium\core\fxcrt\fx_bidi.cpp' (0x45f8420) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_imp.cpp:240:8 in CXFA_Document::GetScriptContext(void)
Shadow bytes around the buggy address:
0x308bf030: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x308bf080: 00 00 00 00 00 00 04 f9[f9]f9 f9 f9 00 00 00 00
0x308bf090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf0b0: 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
0x308bf0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x308bf0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13812==ABORTING
VERSION
Chrome Version: asan-win32-release-396634
Operating System: Windows 7 SP1 64 bit
REPRODUCTION CASE
See attachment.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
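The shadow-byte dump and legend in the report above contain enough information to check the report against itself, which is the first thing to do when triaging an ASan crash from a build you cannot run. The Python below is an added example, not part of the bug report, PDFium or ClusterFuzz. It assumes the 32-bit Windows ASan mapping shadow = (addr >> 3) + 0x30000000 (an assumption about this build; the script verifies it by checking that the formula lands on the bracketed shadow byte), and it takes the report lines copied from above as constructed input. From those it recomputes the "12 bytes to the right" distance, derives the size of 'switch.table' (20) from the shadow bytes alone, and counts how many of the 4 bytes read fall in poisoned memory.

```python
import re

# Assumed constants: AddressSanitizer's 32-bit Windows shadow mapping is
# shadow = (addr >> 3) + 0x30000000 (kWindowsShadowOffset32 in compiler-rt).
# This is an assumption about the build; triage() confirms it against the
# report's own "[..]" marker instead of trusting it blindly.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x30000000
GRANULE = 1 << SHADOW_SCALE          # one shadow byte covers 8 application bytes

# Only the legend entries this report exercises.
LEGEND = {0xF9: "global redzone", 0xFA: "heap left redzone",
          0xFB: "heap right redzone", 0xFD: "freed heap region"}

# Constructed input: lines copied from the ASan report above.
REPORT = r"""
READ of size 4 at 0x045f8440 thread T0
0x045f8440 is located 12 bytes to the right of global variable 'switch.table' defined in '..\..\third_party\pdfium\core\fxcrt\fx_bidi.cpp' (0x45f8420) of size 20
  0x308bf070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x308bf080: 00 00 00 00 00 00 04 f9[f9]f9 f9 f9 00 00 00 00
  0x308bf090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def shadow_of(addr):
    """Application address -> shadow byte address under the assumed mapping."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_shadow(text):
    """Return {shadow address: shadow byte} and the address ASan marked with [..]."""
    shadow, marked = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(=>)?\s*0x([0-9a-f]+):\s*((?:\[?[0-9a-f]{2}\]?\s*)+)$", line)
        if not m:
            continue
        base = int(m.group(2), 16)
        for i, tok in enumerate(re.findall(r"\[?[0-9a-f]{2}\]?", m.group(3))):
            if tok.startswith("["):
                marked = base + i
            shadow[base + i] = int(tok.strip("[]"), 16)
    return shadow, marked


def parse_access(text):
    """Pull the faulting access and the neighbouring global out of the report text."""
    m = re.search(r"(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", text)
    g = re.search(r"located (\d+) bytes to the right of global variable '([^']+)'"
                  r".*\(0x([0-9a-f]+)\) of size (\d+)", text)
    return {"op": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16),
            "stated_gap": int(g.group(1)), "global": g.group(2),
            "gbase": int(g.group(3), 16), "gsize": int(g.group(4))}


def describe(shadow_byte):
    """Decode one shadow byte: (kind, number of addressable bytes in its granule)."""
    if shadow_byte == 0:
        return "addressable", GRANULE
    if 1 <= shadow_byte <= 7:            # k: only the first k bytes are addressable
        return "partially addressable", shadow_byte
    return LEGEND.get(shadow_byte, "poison 0x%02x" % shadow_byte), 0


def object_end_from_shadow(shadow, base):
    """Walk granules from base until the shadow says bytes stop being addressable."""
    addr = base
    while True:
        kind, n = describe(shadow[shadow_of(addr)])
        addr += n
        if kind != "addressable":
            return addr


def triage(text):
    shadow, marked = parse_shadow(text)
    acc = parse_access(text)
    s = shadow_of(acc["addr"])
    kind, _ = describe(shadow[s])
    gend = object_end_from_shadow(shadow, acc["gbase"])
    poisoned = 0
    for b in range(acc["addr"], acc["addr"] + acc["size"]):
        _, n = describe(shadow[shadow_of(b)])
        if (b & (GRANULE - 1)) >= n:      # byte offset inside its granule is beyond the addressable prefix
            poisoned += 1
    return {
        "shadow_addr": s,
        "mapping_consistent": s == marked,            # formula lands on the [..] byte
        "shadow_kind": kind,
        "global_size_from_shadow": gend - acc["gbase"],
        "gap": acc["addr"] - gend,                    # bytes past the end of the global
        "gap_matches_report": acc["addr"] - gend == acc["stated_gap"],
        "poisoned_bytes": poisoned,
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print("%-24s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

If mapping_consistent comes back False on another report, the shadow offset is wrong for that platform (the Linux x86 and x86-64 offsets differ from the Windows one), and nothing else the script derives should be trusted until it is corrected.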
May 31 2016
Oliver, can you please triage? Thanks.
May 31 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6345648035332096
May 31 2016
I verified locally that this no longer reproduces after Tom's fix for bug 613607.
May 31 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6345648035332096
Uploader: ochang@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x000003eddb6c
Crash State:
XFA_GetMethodByName
CXFA_ScriptContext::NormalPropTypeGetter
FXJSE_V8_GenericNamedPropertyGetterCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Minimized Testcase (332.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QHCSmL85PwqU7AQuebFVlpBRnkYt0q-xSMW4imO9qxduEjRQip5oOhOFWgu5h15MJZQB5vxXU8G275HAd9jIl3wVesE9bIJostGQJuvqlN1prB0T_Q1pbqEUY17CobESBSnj0w39VC07mt9tKLK-Qr0AL72BezyroRx6gYx4SczuK2Ac
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 2 2016
ClusterFuzz has detected this issue as fixed in range 397239:397396.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6345648035332096
Uploader: ochang@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Global-buffer-overflow READ 2
Crash Address: 0x000003eddb6c
Crash State:
XFA_GetMethodByName
CXFA_ScriptContext::NormalPropTypeGetter
FXJSE_V8_GenericNamedPropertyGetterCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=397239:397396
Minimized Testcase (332.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96QHCSmL85PwqU7AQuebFVlpBRnkYt0q-xSMW4imO9qxduEjRQip5oOhOFWgu5h15MJZQB5vxXU8G275HAd9jIl3wVesE9bIJostGQJuvqlN1prB0T_Q1pbqEUY17CobESBSnj0w39VC07mt9tKLK-Qr0AL72BezyroRx6gYx4SczuK2Ac
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 Deleted