Security: [PDFium] AddressSanitizer: heap-buffer-overflow
Reported by marcin.t...@gmail.com, Jun 8 2016
Issue description

VULNERABILITY DETAILS
Vulnerability: Heap-buffer-overflow

VERSION
Pdfium - git version from https://pdfium.googlesource.com/pdfium/ (today)
Compiled: GYP_DEFINES='asan=1 symbol_level=1' gclient runhooks ; ninja -C out/Debug
Operating System: Ubuntu 14.04 LTS x64

REPRODUCTION CASE
./pdf_codec_gif_fuzzer pdf_gif-heap-buffer-overflow-2.gif

ASAN LOG (symbolized):
=================================================================
==38321==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000f28c at pc 0x0000005e7679 bp 0x7ffdf924e0b0 sp 0x7ffdf924e0a8
READ of size 4 at 0x60600000f28c thread T0
    #0 0x5e7678 in GifInputRecordPositionBufCallback /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:665:18
    #1 0x62fabf in gif_get_record_position /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_gif.cpp:67:10
    #2 0x659dca in gif_load_frame /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/lgif/fx_gif.cpp:842:22
    #3 0x630604 in LoadFrame /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_gif.cpp:146:17
    #4 0x60066e in ContinueDecode /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:2109:13
    #5 0x4de3da in Fuzz /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/xfa_codec_fuzzer.h:37:16
    #6 0x4ddf46 in LLVMFuzzerTestOneInput /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/pdf_codec_gif_fuzzer.cc:8:10
    #7 0x4e5f12 in main /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:39:5
    #8 0x7f677216ff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
    #9 0x41bcde in _start ??:?

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mtowalski/git_pdfium/pdfium/out/Debug/pdf_codec_gif_fuzzer+0x5e7678)
Shadow bytes around the buggy address:
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9e50: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==38321==ABORTING
Comment by Sheriffbot, May 9 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 9 2016