Security: PDFium: Heap Buffer Overflow in libtiff's NeXTDecode Function
Reported by stackexp...@gmail.com, Jun 6 2016
Issue description
VULNERABILITY DETAILS
This heap-buffer-overflow vulnerability was caused by a malformed TIFF image embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed TIFF image in the XFA component.
Chrome 52.0.2743.19 dev-m was vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(3f5c.4b58): Access violation - code c0000005 (!!! second chance !!!)
eax=00000040 ebx=00000001 ecx=0000002d edx=00000021 esi=09da3000 edi=00000050
eip=015f03d0 esp=0040f0b0 ebp=0040f0c8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
pdfium_test!NeXTDecode+0xe0:
015f03d0 8806 mov byte ptr [esi],al ds:002b:09da3000=??
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a esi
address 09da3000 found in
_DPH_HEAP_ROOT @ 561000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
9c72b94: 9da2fd0 30 - 9da2000 2000
10818e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
0157d93c pdfium_test!_malloc_base+0x00000038 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp @ 29]
0131a13b pdfium_test!FXMEM_DefaultAlloc+0x0000000b [core\fxcrt\fx_basic_memmgr.cpp @ 12]
015d228d pdfium_test!_TIFFmalloc+0x0000000d [core\fxcodec\codec\fx_codec_tiff.cpp @ 167]
015db61a pdfium_test!gtTileContig+0x0000002a [third_party\libtiff\tif_getimage.c @ 620]
015daa5c pdfium_test!TIFFRGBAImageGet+0x0000004c [third_party\libtiff\tif_getimage.c @ 495]
015dae1b pdfium_test!TIFFReadRGBAImageOriented+0x0000009b [third_party\libtiff\tif_getimage.c @ 514]
015d1bc2 pdfium_test!CCodec_TiffContext::Decode+0x000000a2 [core\fxcodec\codec\fx_codec_tiff.cpp @ 492]
015d1cbe pdfium_test!CCodec_TiffModule::Decode+0x0000000e [core\fxcodec\codec\fx_codec_tiff.cpp @ 542]
015cd2d9 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x000003f9 [core\fxcodec\codec\fx_codec_progress.cpp @ 2193]
014713d2 pdfium_test!XFA_LoadImageFromBuffer+0x000001b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
014711d7 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
01464a9b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
01464b01 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0145c928 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
01239587 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
0122e95e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
01225517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
01225b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
0122bbfe pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
0155f812 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Source Code Information
---------------------------
static int
NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
{
    static const char module[] = "NeXTDecode";
    unsigned char *bp, *op;
    tmsize_t cc;
    uint8* row;
    tmsize_t scanline, n;
    (void) s;
    /*
     * Each scanline is assumed to start off as all
     * white (we assume a PhotometricInterpretation
     * of ``min-is-black'').
     */
    for (op = (unsigned char*) buf, cc = occ; cc-- > 0;)
        *op++ = 0xff;
    bp = (unsigned char *)tif->tif_rawcp;
    cc = tif->tif_rawcc;
    scanline = tif->tif_scanlinesize;
    if (occ % scanline)
    {
        TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
        return (0);
    }
    for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
        n = *bp++, cc--;
        switch (n) {
        case LITERALROW:
            /*
             * The entire scanline is given as literal values.
             */
            if (cc < scanline)
                goto bad;
            _TIFFmemcpy(row, bp, scanline);
            bp += scanline;
            cc -= scanline;
            break;
        case LITERALSPAN: {
            tmsize_t off;
            /*
             * The scanline has a literal span that begins at some
             * offset.
             */
            if( cc < 4 )
                goto bad;
            off = (bp[0] * 256) + bp[1];
            n = (bp[2] * 256) + bp[3];
            if (cc < 4+n || off+n > scanline)
                goto bad;
            _TIFFmemcpy(row+off, bp+4, n);
            bp += 4+n;
            cc -= 4+n;
            break;
        }
        default: {
            uint32 npixels = 0, grey;
            uint32 imagewidth = tif->tif_dir.td_imagewidth;
            if( isTiled(tif) )
                imagewidth = tif->tif_dir.td_tilewidth;
            /*
             * The scanline is composed of a sequence of constant
             * color ``runs''. We shift into ``run mode'' and
             * interpret bytes as codes of the form
             * <color><npixels> until we've filled the scanline.
             */
            op = row;
            for (;;) {
                grey = (uint32)((n>>6) & 0x3);
                n &= 0x3f;
                /*
                 * Ensure the run does not exceed the scanline
                 * bounds, potentially resulting in a security
                 * issue.
                 */
                while (n-- > 0 && npixels < imagewidth)
                    SETPIXEL(op, grey); // <-------------------------------------------- CRASHED!!!
                if (npixels >= imagewidth)
                    break;
                if (cc == 0)
                    goto bad;
                n = *bp++, cc--;
            }
            break;
        }
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
0040f0c8 015d95d9 pdfium_test!NeXTDecode+0xe0 [third_party\libtiff\tif_next.c @ 126]
0040f0ec 015d99e5 pdfium_test!TIFFReadEncodedTile+0xa9 [third_party\libtiff\tif_read.c @ 668]
0040f108 015db738 pdfium_test!TIFFReadTile+0x75 [third_party\libtiff\tif_read.c @ 641]
0040f17c 015daa5c pdfium_test!gtTileContig+0x148 [third_party\libtiff\tif_getimage.c @ 657]
0040f198 015dae1b pdfium_test!TIFFRGBAImageGet+0x4c [third_party\libtiff\tif_getimage.c @ 495]
0040f620 015d1bc2 pdfium_test!TIFFReadRGBAImageOriented+0x9b [third_party\libtiff\tif_getimage.c @ 514]
0040f664 015d1cbe pdfium_test!CCodec_TiffContext::Decode+0xa2 [core\fxcodec\codec\fx_codec_tiff.cpp @ 492]
0040f670 015cd2d9 pdfium_test!CCodec_TiffModule::Decode+0xe [core\fxcodec\codec\fx_codec_tiff.cpp @ 542]
0040f6b0 014713d2 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x3f9 [core\fxcodec\codec\fx_codec_progress.cpp @ 2193]
0040f718 014711d7 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
0040f770 01464a9b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0040f7a4 01464b01 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0040f7b0 014e9988 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0040f7b8 0145c703 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0040f7cc 0145c928 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0040f7dc 01239e1d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0040f80c 01239587 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0040f820 0122e95e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0040f834 01225517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0040f928 01225b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0040fa44 0122bbfe pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0040fb80 0155f812 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0040fbcc 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0040fbd8 77589a02 kernel32!BaseThreadInitThunk+0xe
0040fc18 775899d5 ntdll!__RtlUserThreadStart+0x70
0040fc30 00000000 ntdll!_RtlUserThreadStart+0x1b
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
See attachment.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
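The following is an added example, not part of the report above and not libtiff's code. It models the run-mode branch quoted in the report. The guard in that branch compares the pixel count against imagewidth, which for a tiled file is the tile width, while the row it writes into is tif_scanlinesize bytes; SETPIXEL (defined in tif_next.c, not quoted on this page) packs four 2-bit pixels per byte and advances op after every fourth pixel, so a declared width larger than four times the scanline size keeps writing past the end of the row. The debugger output is consistent with that: the block at 9da2fd0 is 0x30 bytes, so the faulting address 9da3000 is exactly one byte past its end, and the faulting instruction is a single-byte store. The code below reproduces that write pattern on a constructed one-byte run and a slack model buffer (so it is safe to run), and places a bound on the output byte offset beside the as-quoted logic. That bound is this example's own; the actual fix is not quoted on this page. All names and inputs are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the run-mode branch of NeXTDecode: each input byte is
 * <grey:2><count:6>, and output pixels are 2 bits wide, four per byte.
 * Example code, not libtiff. */

/* Equivalent of SETPIXEL: pixel k lands in byte k/4, MSB first, and the byte
 * pointer only advances after the fourth pixel. Returns the byte index touched. */
static size_t set_pixel(uint8_t *row, size_t *npixels, uint32_t grey)
{
    size_t byte = *npixels / 4;
    unsigned shift = 6 - 2 * (unsigned)(*npixels % 4);
    if (*npixels % 4 == 0)
        row[byte] = (uint8_t)(grey << shift);      /* first pixel of this byte */
    else
        row[byte] |= (uint8_t)(grey << shift);
    (*npixels)++;
    return byte;
}

/* Run-mode decode with the guard as quoted: only the pixel count is checked
 * against imagewidth; the byte size of the row is never consulted. To keep
 * the model memory-safe the caller passes a row of `capacity` bytes, and the
 * function returns the highest byte index written + 1. A result larger than
 * the real scanline size is the overflow. (size_t)-1 means the input ran out
 * or the model buffer itself would be exceeded. */
static size_t decode_run_row_as_quoted(const uint8_t *bp, size_t cc,
                                       uint8_t *row, size_t capacity,
                                       uint32_t imagewidth)
{
    size_t npixels = 0, high = 0;
    if (cc == 0)
        return (size_t)-1;
    uint8_t n = *bp++; cc--;
    for (;;) {
        uint32_t grey = (n >> 6) & 0x3;
        uint32_t run = n & 0x3f;
        while (run-- > 0 && npixels < imagewidth) {
            if (npixels / 4 >= capacity)          /* model guard only */
                return (size_t)-1;
            size_t off = set_pixel(row, &npixels, grey);
            if (off + 1 > high)
                high = off + 1;
        }
        if (npixels >= imagewidth)
            break;
        if (cc == 0)
            return (size_t)-1;
        n = *bp++; cc--;
    }
    return high;
}

/* Hardened variant (this example's own bound, not libtiff's patch): refuse to
 * touch byte `scanline` or beyond, whatever imagewidth claims.
 * Returns 1 on success, 0 when the stream would write outside the row. */
static int decode_run_row_bounded(const uint8_t *bp, size_t cc,
                                  uint8_t *row, size_t scanline,
                                  uint32_t imagewidth)
{
    size_t npixels = 0;
    if (cc == 0)
        return 0;
    uint8_t n = *bp++; cc--;
    for (;;) {
        uint32_t grey = (n >> 6) & 0x3;
        uint32_t run = n & 0x3f;
        while (run-- > 0 && npixels < imagewidth) {
            if (npixels / 4 >= scanline)          /* would overflow the row */
                return 0;
            set_pixel(row, &npixels, grey);
        }
        if (npixels >= imagewidth)
            break;
        if (cc == 0)
            return 0;
        n = *bp++; cc--;
    }
    return 1;
}

/* Constructed inputs: one run byte each, grey value 3. A 4-byte row holds
 * 16 two-bit pixels; a declared width of 24 needs 6 bytes. */
static const uint8_t kRun24[] = { 0xC0 | 24 };   /* wider than the row */
static const uint8_t kRun16[] = { 0xC0 | 16 };   /* fits exactly */
#define ROW_BYTES 4u

size_t demo_oversized_as_quoted(void)
{
    uint8_t row[64] = {0};                        /* slack keeps the model safe */
    return decode_run_row_as_quoted(kRun24, sizeof kRun24, row, sizeof row, 24);
}
int demo_oversized_bounded(void)
{
    uint8_t row[ROW_BYTES] = {0};
    return decode_run_row_bounded(kRun24, sizeof kRun24, row, ROW_BYTES, 24);
}
size_t demo_fitting_as_quoted(void)
{
    uint8_t row[64] = {0};
    return decode_run_row_as_quoted(kRun16, sizeof kRun16, row, sizeof row, 16);
}
int demo_fitting_bounded(void)
{
    uint8_t row[ROW_BYTES] = {0};
    return decode_run_row_bounded(kRun16, sizeof kRun16, row, ROW_BYTES, 16);
}

int main(void)
{
    printf("width 24 into a %u-byte row: as quoted writes %zu bytes, bounded %s\n",
           ROW_BYTES, demo_oversized_as_quoted(),
           demo_oversized_bounded() ? "accepts" : "rejects");
    printf("width 16 into a %u-byte row: as quoted writes %zu bytes, bounded %s\n",
           ROW_BYTES, demo_fitting_as_quoted(),
           demo_fitting_bounded() ? "accepts" : "rejects");
    return 0;
}
```

With the oversized run the as-quoted logic reports 6 bytes written into a 4-byte row, which is the shape of the crash in the report (a byte store just past a heap block whose size was chosen from the scanline, while the loop was bounded by the width); the bounded variant rejects the same stream and accepts the one that fits.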
Jun 6 2016
Add proof-of-concept PDF document.
Jun 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5670053630705664
Jun 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6328133452300288
Jun 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6328133452300288
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60b00002bdf0
Crash State:
  NeXTDecode
  TIFFReadEncodedTile
  gtTileContig
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=381519:381599
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DM2AtoTTc49JLmGuGup45tNCJjoq-sUcTvSVF5cQKbcLuD6PMsgCm2SYWq-iJi4Hc3qDK-OOr5yLMfa2vsag93bq3dCaoUhtxBBTfPXUFNOO1Er9fNOXk9qYGMWV66fWiCa5q6XohMQEch51r9KI27CpaGQ
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Jun 6 2016
hong_zhang, could you please triage to the appropriate security person? Thank you.
Jun 7 2016
Yes, I will.
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6328133452300288
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60b00002bdf0
Crash State:
  NeXTDecode
  TIFFReadEncodedTile
  gtTileContig
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=381519:381599
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97lrNBlhfhnf5eikV4U6o5kVjSD_m8RkwhIkSH3wz3vRxxnKiQo3B8kczEm_GbZnzpbGTNhCVu1bDfnuYcmMgZMTGn_ldLge7aZ-daW0Hwsb7k34NExKUqvlDYKyMTKOrRZ4vzwnPY-W2EfxWU05sf21IRG4A
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 398351:398496.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6328133452300288
Uploader: felt@google.com
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60b00002bdf0
Crash State:
  NeXTDecode
  TIFFReadEncodedTile
  gtTileContig
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=381519:381599
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=398351:398496
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97lrNBlhfhnf5eikV4U6o5kVjSD_m8RkwhIkSH3wz3vRxxnKiQo3B8kczEm_GbZnzpbGTNhCVu1bDfnuYcmMgZMTGn_ldLge7aZ-daW0Hwsb7k34NExKUqvlDYKyMTKOrRZ4vzwnPY-W2EfxWU05sf21IRG4A
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2016
Let's hang on and make sure this is not due to me breaking TIFF decoding completely.
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5459603102105600
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x605000021d90
Crash State:
  NeXTDecode
  TIFFReadEncodedTile
  gtTileContig
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-xKmTSoiS0nl4zQrC8jKODeMHKVcmOM2jmiIyIXrhaQx_37UbD8ONJGdg1TahnUGP-jtwVUMfsiNmzoebR7uLKjRgMqBhDmw6VUe7wz7ZaIbae61XmwydgT-NkSJQRcMTQSaLC2HJARSvC-Tg5GVh5PQSEw?testcase_id=5459603102105600
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 23 2016
ClusterFuzz has detected this issue as fixed in range 398351:398496.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5459603102105600
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x605000021d90
Crash State:
  NeXTDecode
  TIFFReadEncodedTile
  gtTileContig
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398351:398496
Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-xKmTSoiS0nl4zQrC8jKODeMHKVcmOM2jmiIyIXrhaQx_37UbD8ONJGdg1TahnUGP-jtwVUMfsiNmzoebR7uLKjRgMqBhDmw6VUe7wz7ZaIbae61XmwydgT-NkSJQRcMTQSaLC2HJARSvC-Tg5GVh5PQSEw?testcase_id=5459603102105600
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 31 2018
Had to run manually, but looks like this no longer reproduces with XFA enabled.
May 10 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot