Security: PDFium: Heap Buffer Overflow in bmp_decode_rle4
Reported by
stackexp...@gmail.com,
Jun 2 2016
Issue description
Security: PDFium: Heap Buffer Overflow in bmp_decode_rle4
VULNERABILITY DETAILS
This heap-buffer-overflow vulnerability was caused by the malformed bmp file embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed bmp file in the XFA component.
The latest dev version of chrome (52.0.2743.19 dev-m) was vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(59dc.3ed0): Access violation - code c0000005 (!!! second chance !!!)
eax=096bbec0 ebx=00000004 ecx=00000140 edx=00000000 esi=0a273f38 edi=0a1b5596
eip=012f35f8 esp=002ff2d0 ebp=002ff2e8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
pdfium_test!bmp_decode_rle4+0xd8:
012f35f8 881401 mov byte ptr [ecx+eax],dl ds:002b:096bc000=??
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a eax
address 096bbec0 found in
_DPH_HEAP_ROOT @ 301000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a183ac4: 96bbec0 13c - 96bb000 2000
60d78e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
0129ded4 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
00f4cb7e pdfium_test!FX_AllocOrDie+0x0000000e [core\fxcrt\include\fx_memory.h @ 39]
012f40dd pdfium_test!bmp_read_header+0x000003dd [core\fxcodec\lbmp\fx_bmp.cpp @ 220]
012f1738 pdfium_test!CCodec_BmpModule::ReadHeader+0x00000028 [core\fxcodec\codec\fx_codec_bmp.cpp @ 90]
012ee68d pdfium_test!CCodec_ProgressiveDecoder::DetectImageType+0x0000010d [core\fxcodec\codec\fx_codec_progress.cpp @ 1046]
012efa3f pdfium_test!CCodec_ProgressiveDecoder::LoadImageInfo+0x0000009f [core\fxcodec\codec\fx_codec_progress.cpp @ 1290]
011919e8 pdfium_test!XFA_LoadImageFromBuffer+0x00000078 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1073]
01191927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0118514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
011851b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0117cfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
00f596b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
00f4e73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
00f45517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
00f45b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
00f4bb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
012805d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Overflow Information
---------------------------
for (uint8_t i = 0; i < *first_byte_ptr; i++) {
  // Each iteration writes one pixel (one nibble of *second_byte_ptr) at
  // col_num and advances it. Nothing compares col_num against the width of
  // out_row_buffer, so a run count larger than the remaining row width
  // writes past the end of the calloc'd row buffer.
  if (i & 0x01) {
    *(bmp_ptr->out_row_buffer + bmp_ptr->col_num++) =
        (*second_byte_ptr & 0x0F);
  } else {
    *(bmp_ptr->out_row_buffer + bmp_ptr->col_num++) =
        ((*second_byte_ptr & 0xF0) >> 4);
  }
}
Here the value of |*first_byte_ptr| was 0x330500ff. In other words, the overflow size can be very large.
0:000> u eip
pdfium_test!bmp_decode_rle4+0xd8 [core\fxcodec\lbmp\fx_bmp.cpp @ 599]:
012f35f8 881401 mov byte ptr [ecx+eax],dl
012f35fb fec3 inc bl
012f35fd ff8698000000 inc dword ptr [esi+98h]
012f3603 8b4dfc mov ecx,dword ptr [ebp-4]
012f3606 3a1f cmp bl,byte ptr [edi]
012f3608 72d6 jb pdfium_test!bmp_decode_rle4+0xc0 (012f35e0)
012f360a e931ffffff jmp pdfium_test!bmp_decode_rle4+0x20 (012f3540)
012f360f 3bca cmp ecx,edx
0:000> dv
bmp_ptr = 0x0a273f38
first_byte_ptr = 0x0a1b5596 "???"
second_byte_ptr = 0x0a1b5597 ""
skip_size_org = 0x3ba
delta_ptr = <value unavailable>
bmp_row_num_next = <value unavailable>
i = <value unavailable>
i = 0x04 ''
0:000> dd first_byte_ptr L1
0a1b5596 330500ff
0:000> dd edi L1
0a1b5596 330500ff
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
002ff2e8 012f3247 pdfium_test!bmp_decode_rle4+0xd8 [core\fxcodec\lbmp\fx_bmp.cpp @ 599]
002ff2f8 012f1706 pdfium_test!bmp_decode_image+0xb7 [core\fxcodec\lbmp\fx_bmp.cpp @ 316]
002ff304 012edf64 pdfium_test!CCodec_BmpModule::LoadImageW+0x26 [core\fxcodec\codec\fx_codec_bmp.cpp @ 112]
002ff340 01191b22 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x2a4 [core\fxcodec\codec\fx_codec_progress.cpp @ 2145]
002ff3a8 01191927 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
002ff400 0118514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
002ff434 011851b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
002ff440 0120a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
002ff448 0117cd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
002ff45c 0117cfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
002ff46c 00f59f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
002ff49c 00f596b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
002ff4b0 00f4e73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
002ff4c4 00f45517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
002ff5b8 00f45b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
002ff6d4 00f4bb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
002ff810 012805d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
002ff85c 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
002ff868 77589a02 kernel32!BaseThreadInitThunk+0xe
002ff8a8 775899d5 ntdll!__RtlUserThreadStart+0x70
002ff8c0 00000000 ntdll!_RtlUserThreadStart+0x1b
---------------------------
PoC Diff
---------------------------
I've already done some difference reduction work. I'll attach the minimized proof-of-concept file.
The value of BITMAPINFORHEADER.biCompression was changed from 0x00000000 to 0x00000002.
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
The original normal bmp file, the malformed bmp file, and the proof-of-concept PDF file are all attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
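The following is an added example, not PDFium's code and not part of the original report. It models the BI_RLE4 encoded-run loop quoted in the Overflow Information section (run length in the first byte, two alternating 4-bit colour indices in the second) and adds the check that loop lacked: the run count is compared with the remaining width of the row buffer before anything is written. It also handles absolute-mode records, which need the same check, and includes a pure-arithmetic helper that reports how far the unchecked loop would have written past the row for a given count. All names (rle4_row, rle4_expand_run, rle4_decode_row, the demo_* functions), the 8-pixel row and the two sample byte streams are constructed for this example; the 0xFF run length is the largest value a one-byte count can carry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PDFium code. All names here are hypothetical. */
enum rle4_status {
    RLE4_OK = 0,
    RLE4_TRUNCATED = 1,      /* input ended inside a record */
    RLE4_ROW_OVERFLOW = 2,   /* a run would write past the end of the row */
    RLE4_UNSUPPORTED = 3     /* delta records (00 02 dx dy) not handled here */
};

typedef struct {
    uint8_t *out_row_buffer;  /* one decoded row, one colour index per pixel */
    size_t   row_width;       /* number of pixels the row buffer can hold */
    size_t   col_num;         /* next column to write; always <= row_width */
} rle4_row;

/* Pixels the unchecked loop from the report would write past the end of the
 * row for a run of `count` pixels starting at col_num. Nothing is written. */
size_t rle4_overflow_pixels(const rle4_row *row, uint8_t count)
{
    size_t end = row->col_num + count;
    return end > row->row_width ? end - row->row_width : 0;
}

/* Expand one encoded run. The comparison before the loop is the check the
 * reported code lacked: reject the whole run before the first write. */
int rle4_expand_run(rle4_row *row, uint8_t count, uint8_t colour)
{
    if (count > row->row_width - row->col_num)
        return RLE4_ROW_OVERFLOW;
    for (uint8_t i = 0; i < count; i++) {
        uint8_t px = (i & 0x01) ? (colour & 0x0F) : ((colour & 0xF0) >> 4);
        row->out_row_buffer[row->col_num++] = px;
    }
    return RLE4_OK;
}

/* Decode one row: encoded runs, absolute-mode records (00 n, then n nibbles
 * padded to an even byte count), end-of-line (00 00) and end-of-bitmap (00 01).
 * On success *consumed holds the number of input bytes used. */
int rle4_decode_row(rle4_row *row, const uint8_t *src, size_t src_len,
                    size_t *consumed)
{
    size_t pos = 0;
    row->col_num = 0;
    for (;;) {
        if (src_len - pos < 2)
            return RLE4_TRUNCATED;
        uint8_t first = src[pos], second = src[pos + 1];
        pos += 2;
        if (first != 0) {                       /* encoded run */
            int rc = rle4_expand_run(row, first, second);
            if (rc != RLE4_OK)
                return rc;
            continue;
        }
        if (second == 0 || second == 1) {       /* end of line / end of bitmap */
            *consumed = pos;
            return RLE4_OK;
        }
        if (second == 2)
            return RLE4_UNSUPPORTED;
        /* absolute mode: the same bounds check applies before any write */
        size_t padded = (((size_t)second + 1) / 2 + 1) & ~(size_t)1;
        if (src_len - pos < padded)
            return RLE4_TRUNCATED;
        if (second > row->row_width - row->col_num)
            return RLE4_ROW_OVERFLOW;
        for (uint8_t i = 0; i < second; i++) {
            uint8_t b = src[pos + i / 2];
            row->out_row_buffer[row->col_num++] = (i & 0x01) ? (b & 0x0F) : (b >> 4);
        }
        pos += padded;
    }
}

/* Constructed well-formed 8-pixel row: 5-pixel run of colours 1/2, then three
 * absolute pixels A,B,C, then end-of-line. Returns 1 if decoded as expected. */
int demo_well_formed(void)
{
    static const uint8_t stream[] = {0x05, 0x12, 0x00, 0x03, 0xAB, 0xC0, 0x00, 0x00};
    static const uint8_t expect[8] = {1, 2, 1, 2, 1, 0xA, 0xB, 0xC};
    uint8_t buf[8] = {0};
    rle4_row row = {buf, sizeof buf, 0};
    size_t used = 0;
    if (rle4_decode_row(&row, stream, sizeof stream, &used) != RLE4_OK)
        return 0;
    return used == 8 && row.col_num == 8 && memcmp(buf, expect, 8) == 0;
}

/* Constructed malformed row: run length 0xFF into the same 8-pixel row.
 * Returns the decoder's status (RLE4_ROW_OVERFLOW, nothing written). */
int demo_oversized_run(void)
{
    static const uint8_t stream[] = {0xFF, 0x12, 0x00, 0x00};
    uint8_t buf[8] = {0};
    rle4_row row = {buf, sizeof buf, 0};
    size_t used = 0;
    return rle4_decode_row(&row, stream, sizeof stream, &used);
}

/* Pixels the unchecked loop would have written past that 8-pixel row. */
size_t demo_overflow_pixels(void)
{
    rle4_row row = {NULL, 8, 0};
    return rle4_overflow_pixels(&row, 0xFF);   /* 255 - 8 = 247 */
}

int main(void)
{
    printf("well-formed row decoded: %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized run status: %d (2 = RLE4_ROW_OVERFLOW)\n", demo_oversized_run());
    printf("unchecked loop would overrun by %zu pixels\n", demo_overflow_pixels());
    return 0;
}
```

The check is placed before the loop rather than inside it so that a rejected run leaves the row buffer untouched; checking per pixel inside the loop would also be safe but would let a malformed record partially fill the row before the error is reported.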
Jun 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5513803030855680
Jun 2 2016
Jun 3 2016
tsepez@, could you PTAL?
Jun 3 2016
Jun 3 2016
Jun 3 2016
Jun 3 2016
Jun 3 2016
hong_zhang, could you please route this security bug to the appropriate person? thanks.
Jun 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 7 2016
Updates: The description for variable |first_byte_ptr| was wrong in the original post. The type of this variable was unsigned char*, so the maximum number of loop iterations here was 0xFF.
--------------
0:000> db first_byte_ptr L1
0a1b5596 ff
0:000> db edi L1
0a1b5596 ff
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5513803030855680
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x61300000ce7c
Crash State:
  bmp_decode_rle4
  CCodec_BmpModule::LoadImage
  CCodec_ProgressiveDecoder::ContinueDecode
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Minimized Testcase (11.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96h2V3v5mK0-M3UelP-wINYGa3XAFk-Ob1ULhWXl7zD3h3TyH96x3wm3DeA0N8PidUWRp9LUNqXMWbU_1AHfEinpzis6iSy7NJCSg9yMzuVQ7omhXE9fH2o5sKjsrs_7Gqgo06x92IUUclWLVkEo8UdU0AwJA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 8 2016
Issue 617844 has been merged into this issue.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5513803030855680
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x61300000ce7c
Crash State:
  bmp_decode_rle4
  CCodec_BmpModule::LoadImage
  CCodec_ProgressiveDecoder::ContinueDecode
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=399086:399117
Minimized Testcase (11.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96h2V3v5mK0-M3UelP-wINYGa3XAFk-Ob1ULhWXl7zD3h3TyH96x3wm3DeA0N8PidUWRp9LUNqXMWbU_1AHfEinpzis6iSy7NJCSg9yMzuVQ7omhXE9fH2o5sKjsrs_7Gqgo06x92IUUclWLVkEo8UdU0AwJA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016
Jun 13 2016
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
Jun 16 2016
Jun 16 2016
Jun 16 2016
Jun 17 2016
Issue 620771 has been merged into this issue.
Jun 17 2016
Issue 620664 has been merged into this issue.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5843971201040384
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97FrzrfIkU312c0sld18tPf1G7HxYMBZfwWMpiM0XLjVmBmDwF8v4XO8X2CshmOPpym4bXEiTg0oULDk-j1JKeIN4WJ46a7BUF-mvSwsLc_UUfLl6vi2122M14q13bbnuzZcSNIT86o5kuEYBFO0Yny8i2NRA?testcase_id=5843971201040384
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5843971201040384
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97FrzrfIkU312c0sld18tPf1G7HxYMBZfwWMpiM0XLjVmBmDwF8v4XO8X2CshmOPpym4bXEiTg0oULDk-j1JKeIN4WJ46a7BUF-mvSwsLc_UUfLl6vi2122M14q13bbnuzZcSNIT86o5kuEYBFO0Yny8i2NRA?testcase_id=5843971201040384
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4712470149332992
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=398314:399191
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_yoDMQKdr12ak4MHYNJH5E2M0G6RJI6LLTp_uxwaI2CjBckjqOWqterKZIAvDHFK3nDhoMgchQ_lw_NWTLKNYyEVBxz_qj64bN5c_-XpD69uqfkZw2x8wFydkT-R1CDQDhrS9Mh6o1yyexFwFuB1oOyl96Q?testcase_id=4712470149332992
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5189858213756928
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000e73f
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96InNHi4gJ_cZFI9OkWk-7HHZXkNxEJ64_-f-zGTkOQe0WupdjJTGrT3PAzwu31dRcx3_Z-fHb1CA104yCYrjqKypfVxHvS4wA-CDTU8M8qoh-6rnfSOQCe4zi6wiDmnQsycpoLDw-87EdVuDYihpwQPuujrQ?testcase_id=5189858213756928
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5538095202304000
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60400000deb1
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96cBpOw6OZhFaZM4qhLtoBTgoVj1FTCLM1YtOQ5prjgSwHX7SSy47tSzA2Iv7NQj7ELFUbQa0sC623wykC3QhkpNot2WB9O_vVWtbRP_Cuz1ArUtsL_HOAfmQnPeMHTlqTQOVwW2XOjHIvW10O2mRl5top_iw?testcase_id=5538095202304000
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5602522563870720
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300000ef70
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97fzc4cgfLCI75MsZFRk5Pcvd9zCr8j8iRYJKMHehPhaITcFn-XKYFmHmogMSA0YpLjFoKFZUyew7XR2T_OV9FhppyQBwe84HXn_S7ZCBCybYjJvBs2XP6MlamLr33updTcGz3Kmfz2DZw2DdlVcY7VO6PMXA?testcase_id=5602522563870720
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5151631394209792
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000efae
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Low
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Ulp35Hf9Kd-v9QnLZwu-KIuXwPv1Mr6ssXihjZuhfOm2UX3FKGxoRuVyYL4sBfoEgL6Bb1a32-DzpinXcu7uTB_RMNjoAy_dyfathMsOe5RHlus3M4hHXtsVBT3Ai8LKWzNMD5I3INBCh3q6J2CFL8rxcEQ?testcase_id=5151631394209792
Additional requirements: Requires Gestures
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 29 2016
Issue 632855 has been merged into this issue.
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 415514:415565.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4712470149332992
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=398314:399191
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=415514:415565
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_yoDMQKdr12ak4MHYNJH5E2M0G6RJI6LLTp_uxwaI2CjBckjqOWqterKZIAvDHFK3nDhoMgchQ_lw_NWTLKNYyEVBxz_qj64bN5c_-XpD69uqfkZw2x8wFydkT-R1CDQDhrS9Mh6o1yyexFwFuB1oOyl96Q?testcase_id=4712470149332992
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 8 2016
Kind reminder: this issue is still reproducible.
Oct 8 2016
@stackexploit thanks for pointing out
Oct 14 2016
Dec 5 2016
ClusterFuzz testcase is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 6 2016
==23835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xe62032fc at pc 0x09ee6d0b bp 0xffef1388 sp 0xffef1380
WRITE of size 1 at 0xe62032fc thread T0
#0 0x9ee6d0a in bmp_decode_rle4(tag_bmp_decompress_struct*) core/fxcodec/lbmp/fx_bmp.cpp:600:61
#1 0x9ee0088 in bmp_decode_image(tag_bmp_decompress_struct*) core/fxcodec/lbmp/fx_bmp.cpp:317:16
#2 0x9ed2635 in CCodec_BmpModule::LoadImage(FXBMP_Context*) core/fxcodec/codec/fx_codec_bmp.cpp:112:10
#3 0x9ebcb47 in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2196:39
#4 0x94b5f61 in XFA_LoadImageFromBuffer(IFX_SeekableReadStream*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1167:28
#5 0x94b414f in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, bool&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1095:7
#6 0x94e1903 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#7 0x94d4431 in CXFA_WidgetAcc::LoadImageImage() xfa/fxfa/app/xfa_ffwidgetacc.cpp:999:9
#8 0x99260ff in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#9 0x94834c8 in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#10 0x948364e in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#11 0x824dac9 in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:411:54
#12 0x8215b4f in CPDFSDK_FormFillEnvironment::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_formfillenvironment.cpp:587:14
#13 0x81d12d9 in (anonymous namespace)::FormHandleToPageView(void*, void*) fpdfsdk/fpdfformfill.cpp:58:39
#14 0x81d5c4d in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:657:37
#15 0x8150ff7 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:590:3
#16 0x815142d in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:604:20
#17 0x8155e1b in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:820:9
#18 0x8159987 in main samples/pdfium_test.cc:955:5
#19 0xf3f69636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
0xe62032fc is located 0 bytes to the right of 316-byte region [0xe62031c0,0xe62032fc)
allocated by thread T0 here:
#0 0x8108e06 in __interceptor_calloc (/home/worker/Desktop/repo/pdfium/out/Debug/pdfium_test+0x8108e06)
#1 0x81f2d5d in FX_AllocOrDie(unsigned int, unsigned int) core/fxcrt/fx_memory.h:40:22
#2 0x9edd03b in bmp_read_header(tag_bmp_decompress_struct*) core/fxcodec/lbmp/fx_bmp.cpp:220:31
#3 0x9ed19fb in CCodec_BmpModule::ReadHeader(FXBMP_Context*, int*, int*, bool*, int*, int*, unsigned int**, CFX_DIBAttribute*) core/fxcodec/codec/fx_codec_bmp.cpp:90:17
#4 0x9eac9bf in CCodec_ProgressiveDecoder::DetectImageType(FXCODEC_IMAGE_TYPE, CFX_DIBAttribute*) core/fxcodec/codec/fx_codec_progress.cpp:1075:40
#5 0x9eb187b in CCodec_ProgressiveDecoder::LoadImageInfo(IFX_SeekableReadStream*, FXCODEC_IMAGE_TYPE, CFX_DIBAttribute*, bool) core/fxcodec/codec/fx_codec_progress.cpp:1324:7
#6 0x94b5593 in XFA_LoadImageFromBuffer(IFX_SeekableReadStream*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1136:24
#7 0x94b414f in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, bool&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1095:7
#8 0x94e1903 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#9 0x94d4431 in CXFA_WidgetAcc::LoadImageImage() xfa/fxfa/app/xfa_ffwidgetacc.cpp:999:9
#10 0x99260ff in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#11 0x94834c8 in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#12 0x948364e in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#13 0x824dac9 in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:411:54
#14 0x8215b4f in CPDFSDK_FormFillEnvironment::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_formfillenvironment.cpp:587:14
#15 0x81d12d9 in (anonymous namespace)::FormHandleToPageView(void*, void*) fpdfsdk/fpdfformfill.cpp:58:39
#16 0x81d5c4d in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:657:37
#17 0x8150ff7 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:590:3
#18 0x815142d in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:604:20
#19 0x8155e1b in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:820:9
#20 0x8159987 in main samples/pdfium_test.cc:955:5
#21 0xf3f69636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow core/fxcodec/lbmp/fx_bmp.cpp:600:61 in bmp_decode_rle4(tag_bmp_decompress_struct*)
Shadow bytes around the buggy address:
0x3cc40600: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3cc40610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3cc40620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x3cc40630: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3cc40640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3cc40650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
0x3cc40660: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3cc40670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3cc40680: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
0x3cc40690: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x3cc406a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23835==ABORTING
Dec 6 2016
Hello, this issue is still reproducible, please re-open it and mark it as ClusterFuzz-Wrong, thanks.
Dec 6 2016
Dec 7 2016
Mar 16 2017
Mar 16 2017
Aug 29 2017
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Jan 29 2018
Jan 29 2018
Confirmed no longer reproduces
May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot