Issue 617841

Issue metadata

Status: Duplicate
Merged: issue 617645
Owner: ----
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Security: Heap-buffer-overflow in CXFA_LayoutProcessor::GetLayoutItem

Reported by chromium...@gmail.com, Jun 7 2016

Issue description

VERSION
Chrome Version: 53.0.2761.0 
Operating System: Windows 7

=================================================================
==2252==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x03958854 at pc 0x189b5efc bp 0xdeadbeef sp 0x0022be70
[0607/024136:ERROR:main_dll_loader_win.cc(199)] Could not find exported function RelaunchChromeBrowserWithNewCommandLineIfNeeded
    #0 0x189b5efb in CXFA_Node::TryUserData C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_object_imp.cpp:4161
    #1 0x189776af in CXFA_LayoutProcessor::GetLayoutItem C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_layout_imp.cpp:136
    #2 0x18b0be44 in CScript_LayoutPseudoModel::Script_LayoutPseudoModel_PageImp C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_layoutpseudomodel.cpp:542
    #3 0x18b0bdcc in CScript_LayoutPseudoModel::Script_LayoutPseudoModel_Page C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_layoutpseudomodel.cpp:209
    #4 0x189d3b9f in CXFA_ScriptContext::NormalMethodCall C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_script_imp.cpp:415
    #5 0x18c3b658 in FXJSE_DynPropGetterAdapter_MethodCallback C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxjse\dynprop.cpp:26
    #6 0x1bde2d75 in v8::internal::FunctionCallbackArguments::Call C:\b\build\slave\Win_ASan_Release\build\src\v8\src\api-arguments.cc:16
    #7 0x1b3439eb in v8::internal::`anonymous namespace'::HandleApiCallHelper C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:4962
    #8 0x1b3ff8be in v8::internal::Builtin_Impl_HandleApiCall C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:4979
    #9 0x1b34fb91 in v8::internal::Builtin_HandleApiCall C:\b\build\slave\Win_ASan_Release\build\src\v8\src\builtins.cc:4977

0x03958854 is located 0 bytes to the right of 52-byte region [0x03958820,0x03958854)
allocated by thread T0 here:
    #0 0x1ec0728 in malloc+0xb8 (C:\Users\admin\Desktop\asan-win32-release-398017\chrome.exe+0x1010728)
    #1 0x1e23a9fe in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
    #2 0x1896f8f1 in CXFA_Document::CreateNode C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_imp.cpp:165
    #3 0x1896f7fd in CXFA_Document::CreateNode C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_imp.cpp:155
    #4 0x189828c8 in CXFA_Node::CloneTemplateToForm C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_object_imp.cpp:323
    #5 0x189d4e79 in XFA_NodeMerge_CloneOrMergeContainer C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_datamerger_imp.cpp:535
    #6 0x189d84fb in XFA_DataMerge_CopyContainer_Field C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_datamerger_imp.cpp:1032
    #7 0x189d75ac in XFA_DataMerge_CopyContainer_SubformSet C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_datamerger_imp.cpp:1015
    #8 0x189d50df in CXFA_Document::DataMerge_CopyContainer C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_datamerger_imp.cpp:1076
    #9 0x18a9539b in CXFA_LayoutPageMgr::MergePageSetContents C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_layout_pagemgr_new.cpp:1738
    #10 0x18a968bd in CXFA_LayoutPageMgr::SyncLayoutData C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_layout_pagemgr_new.cpp:1841
    #11 0x189771d9 in CXFA_LayoutProcessor::DoLayout C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_document_layout_imp.cpp:101
    #12 0x188d6e71 in CXFA_FFDocView::DoLayout C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\app\xfa_ffdocview.cpp:99
    #13 0x188c17c0 in CPDFXFA_Document::LoadXFADoc C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\fpdfsdk\fpdfxfa\fpdfxfa_doc.cpp:130
    #14 0x181832de in FPDF_LoadXFA C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\fpdfsdk\fpdfview.cpp:381
    #15 0x101d8793 in chrome_pdf::PDFiumEngine::ContinueLoadingDocument C:\b\build\slave\Win_ASan_Release\build\src\pdf\pdfium\pdfium_engine.cc:2520
    #16 0x101bb651 in chrome_pdf::PDFiumEngine::LoadDocument C:\b\build\slave\Win_ASan_Release\build\src\pdf\pdfium\pdfium_engine.cc:2436
    #17 0x10213bbc in chrome_pdf::DocumentLoader::DidRead C:\b\build\slave\Win_ASan_Release\build\src\pdf\document_loader.cc:418
    #18 0x10185d54 in pp::CompletionCallbackFactory<plugin::Plugin,pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<plugin::Plugin,pp::ThreadSafeThreadTraits>::Dispatcher0<void (plugin::Plugin::*)(int) __attribute__((thiscall))> >::Thunk+0x84 (C:\Users\admin\Desktop\asan-win32-release-398017\chrome_child.dll+0x10365d54)
    #19 0x16485de8 in ppapi::TrackedCallback::Run+0x2b8 (C:\Users\admin\Desktop\asan-win32-release-398017\chrome_child.dll+0x16665de8)
    #20 0x17b02ca5 in ppapi::proxy::URLLoaderResource::OnReplyReceived C:\b\build\slave\Win_ASan_Release\build\src\ppapi\proxy\url_loader_resource.cc:249
    #21 0x17c51826 in ppapi::proxy::PluginMessageFilter::DispatchResourceReply C:\b\build\slave\Win_ASan_Release\build\src\ppapi\proxy\plugin_message_filter.cc:116
    #22 0x17c51dd2 in base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (*)(const ppapi::proxy::ResourceMessageReplyParams &, const IPC::Message &)>,void (const ppapi::proxy::ResourceMessageReplyParams &, const IPC::Message &),const ppapi::proxy::ResourceMessageReplyParams &,const IPC::Message &>,0,void ()>::Run C:\b\build\slave\Win_ASan_Release\build\src\base\bind_internal.h:366
    #23 0x103a3bf1 in base::debug::TaskAnnotator::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\debug\task_annotator.cc:49
    #24 0x102a6bc2 in base::MessageLoop::RunTask C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:475
    #25 0x102a86ea in base::MessageLoop::DoWork C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:599
    #26 0x103aac04 in base::MessagePumpDefault::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_pump_default.cc:33
    #27 0x102a5f38 in base::MessageLoop::RunHandler C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:439
    #28 0x103ab1c0 in base::RunLoop::Run+0x1e0 (C:\Users\admin\Desktop\asan-win32-release-398017\chrome_child.dll+0x1058b1c0)
    #29 0x102a501f in base::MessageLoop::Run C:\b\build\slave\Win_ASan_Release\build\src\base\message_loop\message_loop.cc:294

SUMMARY: AddressSanitizer: heap-buffer-overflow C:\b\build\slave\Win_ASan_Release\build\src\third_party\pdfium\xfa\fxfa\parser\xfa_object_imp.cpp:4161 in CXFA_Node::TryUserData
Shadow bytes around the buggy address:
  0x3072b0b0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x3072b0c0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x3072b0d0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x3072b0e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x3072b0f0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x3072b100: fa fa fa fa 00 00 00 00 00 00[04]fa fa fa fa fa
  0x3072b110: 00 00 00 00 00 00 04 fa fa fa fa fa fd fd fd fd
  0x3072b120: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 04 fa
  0x3072b130: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
  0x3072b140: 00 00 00 00 00 00 04 fa fa fa fa fa 00 00 00 00
  0x3072b150: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2252==ABORTING

Attachment: repro.pdf (681 KB)

Comment 1 by ClusterFuzz (Project Member), Jun 8 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5996545870921728

Comment 2 by wfh@chromium.org, Jun 8 2016

Components: Internals>Plugins>PDF
Mergedinto: 617645
Status: Duplicate (was: Unconfirmed)
Comment 4 by sheriffbot@chromium.org (Project Member), Sep 23 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5 by sheriffbot@chromium.org (Project Member), Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic