Security: PDFium: Out-Of-Bounds Read in CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback

VULNERABILITY DETAILS
This Out-Of-Bounds Read vulnerability was caused by the malformed gif file embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed gif file in the XFA component.

The latest dev version of chrome (52.0.2743.19 dev-m) was vulnerable to this issue.

---------------------------
Exception Information
---------------------------
(4ff4.20c4): Access violation - code c0000005 (!!! second chance !!!)
eax=000000c7 ebx=000000f9 ecx=09686ff8 edx=000000f9 esi=000000c7 edi=096a4f30
eip=006ff406 esp=0118f8e8 ebp=0118f914 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
pdfium_test!CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback+0x156:
006ff406 8b1c99        mov ebx,dword ptr [ecx+ebx*4] ds:002b:096873dc=????????

---------------------------
Heap Information
---------------------------
0:000> !heap -p -a ecx
    address 09686ff8 found in
    _DPH_HEAP_ROOT @ 4991000
    in busy allocation (  DPH_HEAP_BLOCK: UserAddr  UserSize - VirtAddr  VirtSize)
                                 a1738f0:  9686ff8         1 -  9686000      2000
    61a48e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
    775db586 ntdll!RtlpAllocateHeap+0x000000c4
    77583541 ntdll!RtlAllocateHeap+0x0000023a
    006aded4 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
    006ff309 pdfium_test!CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback+0x00000059 [core\fxcodec\codec\fx_codec_progress.cpp @ 642]
    00701c81 pdfium_test!gif_get_record_position+0x00000051 [core\fxcodec\codec\fx_codec_gif.cpp @ 67]
    00705548 pdfium_test!gif_load_frame+0x00000148 [core\fxcodec\lgif\fx_gif.cpp @ 862]
    00701965 pdfium_test!CCodec_GifModule::LoadFrame+0x00000035 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
    006fded9 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x00000219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
    005a1b22 pdfium_test!XFA_LoadImageFromBuffer+0x000001b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
    005a1927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
    0059514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
    005951b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
    0058cfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
    003696b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
    0035e73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
    00355517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
    00355b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
    0035bb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
    006905d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
    7528338a kernel32!BaseThreadInitThunk+0x0000000e
    77589a02 ntdll!__RtlUserThreadStart+0x00000070
    775899d5 ntdll!_RtlUserThreadStart+0x0000001b

---------------------------
Source Code Information
---------------------------
The OOB access range can be 0x3e4.

  int startX = pCodec->m_startX;
  int startY = pCodec->m_startY;
  int sizeX = pCodec->m_sizeX;
  int sizeY = pCodec->m_sizeY;
  int Bpp = pDevice->GetBPP() / 8;
  FX_ARGB argb = pCodec->m_pSrcPalette[pal_index];  // <--------- CRASHED!!!

0:000> dv
        pModule = 0x096a4f30
        rcd_pos = <value unavailable>
         img_rc = 0x0118f94c
        pal_num = 0n0
        pal_ptr = 0x00000000
     delay_time = 0n0
     user_input = 0n0
    trans_index = 0n-1
disposal_method = 0n0
      interlace = 0n0
   error_status = 0n157962032 (No matching enumerant)
            Bpp = <value unavailable>
       pPalette = <value unavailable>
      pal_index = 0n249      <----------------------------- pal_index = 249
         startY = 0n0
          sizeX = 0n199
           argb = <value unavailable>
        pDevice = 0x0a1c7fd8
          sizeY = 0n199
              i = <value unavailable>
            row = <value unavailable>
      pScanline = <value unavailable>
      
0:000> r ebx
ebx=000000f9

0:000> ?ebx*4
Evaluate expression: 996 = 000003e4

---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr  
0118f914 00701c81 pdfium_test!CCodec_ProgressiveDecoder::GifInputRecordPositionBufCallback+0x156 [core\fxcodec\codec\fx_codec_progress.cpp @ 674]
0118f95c 00705548 pdfium_test!gif_get_record_position+0x51 [core\fxcodec\codec\fx_codec_gif.cpp @ 67]
0118f9b4 00701965 pdfium_test!gif_load_frame+0x148 [core\fxcodec\lgif\fx_gif.cpp @ 862]
0118f9d8 006fded9 pdfium_test!CCodec_GifModule::LoadFrame+0x35 [core\fxcodec\codec\fx_codec_gif.cpp @ 146]
0118fa1c 005a1b22 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x219 [core\fxcodec\codec\fx_codec_progress.cpp @ 2119]
0118fa84 005a1927 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
0118fadc 0059514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0118fb10 005951b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0118fb1c 0061a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0118fb24 0058cd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0118fb38 0058cfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0118fb48 00369f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0118fb78 003696b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0118fb8c 0035e73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0118fba0 00355517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0118fc94 00355b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0118fdb0 0035bb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0118feec 006905d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0118ff38 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0118ff44 77589a02 kernel32!BaseThreadInitThunk+0xe
0118ff84 775899d5 ntdll!__RtlUserThreadStart+0x70
0118ff9c 00000000 ntdll!_RtlUserThreadStart+0x1b

---------------------------
PoC Diff
---------------------------
I've already did some difference reduction work. To trigger the vulnerability, nine bytes in the original seed gif image were deleted. The bytes begins at file offset 0x0A and they were presented as follows.
80 00 00 00 00 FF FF 00 00

After this mutation, the LogicalScreenDescriptor and the GlobalColorTable structs of the gif image was corrupted.

VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]

REPRODUCTION CASE
Both the original normal gif file, the malformed gif file, and the proof-of-concept PDF file were attached.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]