Security: PDFium: Out-Of-Bounds Read in libtiff's putRGBUAcontig8bittile Function
Reported by stackexp...@gmail.com, Jun 8 2016
Issue description
VULNERABILITY DETAILS
This Out-Of-Bounds Read vulnerability was caused by the malformed tiff image embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed tiff image in the XFA component.
The latest beta version of Chrome was vulnerable to this issue.
----------------------------
AddressSanitizer Information
----------------------------
==8580==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x07f0a613 at pc 0x020c3e34 bp 0xdeadbeef sp 0x003ee12c
READ of size 1 at 0x07f0a613 thread T0
#0 0x20c3e33 in putRGBUAcontig8bittile pdfium\third_party\libtiff\tif_getimage.c:1416
#1 0x20c249c in gtStripContig pdfium\third_party\libtiff\tif_getimage.c:941
#2 0x20c14a1 in TIFFReadRGBAImageOriented pdfium\third_party\libtiff\tif_getimage.c:514
#3 0x2091e17 in CCodec_TiffContext::Decode pdfium\core\fxcodec\codec\fx_codec_tiff.cpp:492
#4 0x20926bd in CCodec_TiffModule::Decode pdfium\core\fxcodec\codec\fx_codec_tiff.cpp:541
#5 0x2088d48 in CCodec_ProgressiveDecoder::ContinueDecode pdfium\core\fxcodec\codec\fx_codec_progress.cpp:2192
#6 0x1a4e28c in XFA_LoadImageFromBuffer pdfium\xfa\fxfa\app\xfa_ffwidget.cpp:1103
#7 0x1a4d862 in XFA_LoadImageData pdfium\xfa\fxfa\app\xfa_ffwidget.cpp:1031
#8 0x1a6e6bc in CXFA_ImageLayoutData::LoadImageData pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp:96
#9 0x1a6d355 in CXFA_WidgetAcc::LoadImageImage pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp:1003
#10 0x1d1d2db in CXFA_FFImage::LoadWidget pdfium\xfa\fxfa\app\xfa_ffimage.cpp:27
#11 0x1a1ff18 in CXFA_FFPageWidgetIterator::GetWidget pdfium\xfa\fxfa\app\xfa_ffpageview.cpp:196
#12 0x1a20592 in CXFA_FFPageWidgetIterator::MoveToNext pdfium\xfa\fxfa\app\xfa_ffpageview.cpp:166
#13 0xe2203b in CPDFSDK_PageView::LoadFXAnnots pdfium\fpdfsdk\fsdk_mgr.cpp:921
#14 0xe218a1 in CPDFSDK_Document::GetPageView pdfium\fpdfsdk\fsdk_mgr.cpp:268
#15 0xe18ced in FORM_OnAfterLoadPage pdfium\fpdfsdk\fpdfformfill.cpp:641
#16 0xde732b in RenderPage pdfium\samples\pdfium_test.cc:497
#17 0xdea01f in RenderPdf pdfium\samples\pdfium_test.cc:694
#18 0xdeb818 in main pdfium\samples\pdfium_test.cc:835
#19 0x3f68e1c in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#20 0x75283389 in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
#21 0x77589a01 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
#22 0x775899d4 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)
0x07f0a613 is located 0 bytes to the right of 3-byte region [0x07f0a610,0x07f0a613)
allocated by thread T0 here:
#0 0x3f512c8 in malloc+0xb8 (D:\Downloads\asan-win32-release\pdfium_test_asan_final.exe+0x35712c8)
#1 0x208f2bc in _TIFFmalloc pdfium\core\fxcodec\codec\fx_codec_tiff.cpp:167
#2 0x20c2069 in gtStripContig pdfium\third_party\libtiff\tif_getimage.c:902
#3 0x20c14a1 in TIFFReadRGBAImageOriented pdfium\third_party\libtiff\tif_getimage.c:514
#4 0x2091e17 in CCodec_TiffContext::Decode pdfium\core\fxcodec\codec\fx_codec_tiff.cpp:492
#5 0x20926bd in CCodec_TiffModule::Decode pdfium\core\fxcodec\codec\fx_codec_tiff.cpp:541
#6 0x2088d48 in CCodec_ProgressiveDecoder::ContinueDecode pdfium\core\fxcodec\codec\fx_codec_progress.cpp:2192
#7 0x1a4e28c in XFA_LoadImageFromBuffer pdfium\xfa\fxfa\app\xfa_ffwidget.cpp:1103
#8 0x1a4d862 in XFA_LoadImageData pdfium\xfa\fxfa\app\xfa_ffwidget.cpp:1031
#9 0x1a6e6bc in CXFA_ImageLayoutData::LoadImageData pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp:96
#10 0x1a6d355 in CXFA_WidgetAcc::LoadImageImage pdfium\xfa\fxfa\app\xfa_ffwidgetacc.cpp:1003
#11 0x1d1d2db in CXFA_FFImage::LoadWidget pdfium\xfa\fxfa\app\xfa_ffimage.cpp:27
#12 0x1a1ff18 in CXFA_FFPageWidgetIterator::GetWidget pdfium\xfa\fxfa\app\xfa_ffpageview.cpp:196
#13 0x1a20592 in CXFA_FFPageWidgetIterator::MoveToNext pdfium\xfa\fxfa\app\xfa_ffpageview.cpp:166
#14 0xe2203b in CPDFSDK_PageView::LoadFXAnnots pdfium\fpdfsdk\fsdk_mgr.cpp:921
#15 0xe218a1 in CPDFSDK_Document::GetPageView pdfium\fpdfsdk\fsdk_mgr.cpp:268
#16 0xe18ced in FORM_OnAfterLoadPage pdfium\fpdfsdk\fpdfformfill.cpp:641
#17 0xde732b in RenderPage pdfium\samples\pdfium_test.cc:497
#18 0xdea01f in RenderPdf pdfium\samples\pdfium_test.cc:694
#19 0xdeb818 in main pdfium\samples\pdfium_test.cc:835
#20 0x3f68e1c in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#21 0x75283389 in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
#22 0x77589a01 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
#23 0x775899d4 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)
SUMMARY: AddressSanitizer: heap-buffer-overflow pdfium\third_party\libtiff\tif_getimage.c:1416 in putRGBUAcontig8bittile
Shadow bytes around the buggy address:
0x30fe1470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30fe1480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30fe1490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30fe14a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30fe14b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 04 fa
=>0x30fe14c0: fa fa[03]fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x30fe14d0: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa fd fa
0x30fe14e0: fa fa 06 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x30fe14f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x30fe1500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x30fe1510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8580==ABORTING
---------------------------
Source Code Information
---------------------------
1403 /*
1404 * 8-bit packed samples => RGBA w/ unassociated alpha
1405 * (known to have Map == NULL)
1406 */
1407 DECLAREContigPutFunc(putRGBUAcontig8bittile)
1408 {
1409 int samplesperpixel = img->samplesperpixel;
1410 (void) y;
1411 fromskew *= samplesperpixel;
1412 while (h-- > 0) {
1413 uint32 r, g, b, a;
1414 uint8* m;
1415 for (x = w; x-- > 0;) {
1416 a = pp[3]; // <----------------------- OOB Access!!!
1417 m = img->UaToAa+(a<<8);
1418 r = m[pp[0]];
1419 g = m[pp[1]];
1420 b = m[pp[2]];
1421 *cp++ = PACK4(r,g,b,a);
1422 pp += samplesperpixel;
1423 }
1424 cp += toskew;
1425 pp += fromskew;
1426 }
1427 }
---------------------------
PoC Diff
---------------------------
I've already done some difference reduction work. I'll attach the minimized proof-of-concept file.
The tag member of the SampleFormat directory was changed from 0x0153 (53 01) to 0x0152 (52 01). In other words, the SampleFormat directory was treated as an ExtraSamples directory.
VERSION
Chrome Version: [Beta]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
The original normal tiff file, the malformed tiff file, and the proof-of-concept PDF file are attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
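Added example (my own C, not PDFium's or libtiff's code) that models the two pieces the report above ties together: a 12-byte little-endian IFD entry whose tag was flipped from 0x0153 (SampleFormat) to 0x0152 (ExtraSamples) now announces an unassociated alpha sample, and a put function that reads pp[3] must only be selected when the image really carries at least four samples per pixel. Assumptions: the 3-byte allocation in the ASan output is treated as a 1x1 image with three samples per pixel; the entry bytes, struct names and chooser functions are constructed for illustration and are not libtiff's internal logic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Tag numbers and the ExtraSamples value are from the TIFF 6.0 specification. */
#define TIFFTAG_EXTRASAMPLES   0x0152
#define TIFFTAG_SAMPLEFORMAT   0x0153
#define TIFF_SHORT             3
#define EXTRASAMPLE_UNASSALPHA 2

/* Constructed entries (not the attached PoC bytes): tag(2) type(2) count(4) value(4), little-endian. */
const uint8_t ORIG_SAMPLEFORMAT_ENTRY[12] = {0x53,0x01, 0x03,0x00, 0x01,0,0,0, 0x01,0x00,0,0};
const uint8_t POC_EXTRASAMPLES_ENTRY[12]  = {0x52,0x01, 0x03,0x00, 0x01,0,0,0, 0x02,0x00,0,0};

struct ifd_entry { uint16_t tag, type; uint32_t count, value; };

/* Hypothetical decoder state the put-function chooser looks at. */
struct img { int samplesperpixel; int extrasamples; uint16_t sampleinfo; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse one little-endian IFD entry; returns 0 if the input is too short. */
int parse_ifd_entry(const uint8_t *p, size_t len, struct ifd_entry *e) {
    if (len < 12) return 0;
    e->tag = rd16(p); e->type = rd16(p + 2);
    e->count = rd32(p + 4); e->value = rd32(p + 8);
    return 1;
}

/* Apply an entry: a single SHORT value is stored inline in the value field.
   SampleFormat does not change the sample layout, so it is ignored here. */
void apply_entry(struct img *im, const struct ifd_entry *e) {
    if (e->tag == TIFFTAG_EXTRASAMPLES && e->type == TIFF_SHORT && e->count == 1) {
        im->extrasamples = 1;
        im->sampleinfo = (uint16_t)(e->value & 0xffff);
    }
}

/* Unchecked chooser: picks the RGBA-with-unassociated-alpha path on the tag alone. */
int wants_ua_path_unchecked(const struct img *im) {
    return im->extrasamples == 1 && im->sampleinfo == EXTRASAMPLE_UNASSALPHA;
}

/* Hardened chooser: that path reads pp[0..3], so demand four samples per pixel. */
int wants_ua_path_checked(const struct img *im) {
    return wants_ua_path_unchecked(im) && im->samplesperpixel >= 4;
}

/* Parse one raw entry for an image with the given sample count and report which
   chooser would select the alpha path: 1 = selected, 0 = not, -1 = parse error. */
int ua_path_selected(const uint8_t *entry, size_t len, int samplesperpixel, int hardened) {
    struct ifd_entry e;
    struct img im = { samplesperpixel, 0, 0 };
    if (!parse_ifd_entry(entry, len, &e)) return -1;
    apply_entry(&im, &e);
    return hardened ? wants_ua_path_checked(&im) : wants_ua_path_unchecked(&im);
}

/* Model of the inner loop's reads: 1 if pp[3] stays inside a buflen-byte strip
   for all w pixels, 0 if some pixel's pp[3] would land past the end. */
int ua_row_reads_in_bounds(int w, int samplesperpixel, size_t buflen) {
    size_t pos = 0;
    for (int x = 0; x < w; x++) {
        if (pos + 4 > buflen) return 0;   /* this is the pp[3] read in the report */
        pos += (size_t)samplesperpixel;
    }
    return 1;
}

int main(void) {
    /* 1x1 RGB strip: 3 samples per pixel, 3-byte buffer, as in the ASan allocation. */
    printf("original entry selects UA path: %d\n",
           ua_path_selected(ORIG_SAMPLEFORMAT_ENTRY, 12, 3, 0));
    printf("flipped entry, unchecked: %d  hardened: %d\n",
           ua_path_selected(POC_EXTRASAMPLES_ENTRY, 12, 3, 0),
           ua_path_selected(POC_EXTRASAMPLES_ENTRY, 12, 3, 1));
    printf("pp[3] in bounds for 3-byte strip: %d\n", ua_row_reads_in_bounds(1, 3, 3));
    return 0;
}
```

The point of the model is that the tag flip alone is enough: no sample data changes, only the claim that one of the samples is alpha, and a chooser that trusts the claim without comparing it against samplesperpixel hands a three-byte strip to code that reads a fourth byte.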
Jun 9 2016
Hi, you can try to test my PoC with ClusterFuzz directly. If the test result indicates a null pointer dereference, then you should fix the tif_ctx initialization problem first.
Jun 9 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6226667165188096
Jun 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6226667165188096
Uploader: nparker@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60900000f0b3
Crash State: putRGBUAcontig8bittile gtStripContig TIFFReadRGBAImageOriented
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Minimized Testcase (3.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97s_SMSyoNPcaqx8s9jcdx7HKTDAMyrTzuW-WM4UYpqHM9IYPiBt4FdWVG2W6O6l82Vu8zk90khWCfNrzajhp8md0Lh4vjaoDzxnSJgATWMx6Xoo96tCmZ3SpWA7dZ2CbiDwf3bSh6mJDk9hF0taCJt2N6lRA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 398351:398496.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6226667165188096
Uploader: nparker@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60900000f0b3
Crash State: putRGBUAcontig8bittile gtStripContig TIFFReadRGBAImageOriented
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398351:398496
Minimized Testcase (3.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97s_SMSyoNPcaqx8s9jcdx7HKTDAMyrTzuW-WM4UYpqHM9IYPiBt4FdWVG2W6O6l82Vu8zk90khWCfNrzajhp8md0Lh4vjaoDzxnSJgATWMx6Xoo96tCmZ3SpWA7dZ2CbiDwf3bSh6mJDk9hF0taCJt2N6lRA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 10 2016
XFA is currently disabled.
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jan 31 2018
This no longer reproduces with XFA enabled.
May 10 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Attachments (Comment 1 by stackexp...@gmail.com, Jun 8 2016): one file of 3.9 KB and two files of 166 bytes each.