Security: [PDFium]AddressSanitizer: heap-use-after-free
Reported by marcin.t...@gmail.com, Jun 8 2016
Issue description

VULNERABILITY DETAILS
Vulnerability: Heap-use-after-free

VERSION
Pdfium - git version from https://pdfium.googlesource.com/pdfium/ (today)
Compiled: GYP_DEFINES='asan=1 symbol_level=1' gclient runhooks ; ninja -C out/Debug
Operating System: Ubuntu 14.04 LTS x64

REPRODUCTION CASE
./pdf_codec_gif_fuzzer pdf_gif-heap-use-after-free-1.gif

ASAN LOG (symbolized):
=================================================================
==17108==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000efc8 at pc 0x0000005e7679 bp 0x7ffe08415c90 sp 0x7ffe08415c88
READ of size 4 at 0x60600000efc8 thread T0
    #0 0x5e7678 in GifInputRecordPositionBufCallback /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:665:18
    #1 0x62fabf in gif_get_record_position /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_gif.cpp:67:10
    #2 0x659dca in gif_load_frame /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/lgif/fx_gif.cpp:842:22
    #3 0x630604 in LoadFrame /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_gif.cpp:146:17
    #4 0x60066e in ContinueDecode /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:2109:13
    #5 0x4de3da in Fuzz /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/xfa_codec_fuzzer.h:37:16
    #6 0x4ddf46 in LLVMFuzzerTestOneInput /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/pdf_codec_gif_fuzzer.cc:8:10
    #7 0x4e5f12 in main /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:39:5
    #8 0x7f66d050ff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
    #9 0x41bcde in _start ??:?

0x60600000efc8 is located 8 bytes inside of 64-byte region [0x60600000efc0,0x60600000f000)
freed by thread T0 here:
    #0 0x4dc4ab in operator delete(void*) ??:?
    #1 0x4e6bbb in deallocate /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/ext/new_allocator.h:110:9
    #2 0x4eaefc in _M_deallocate /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:174:4
    #3 0x4ea3b2 in _M_emplace_back_aux<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/vector.tcc:430:2
    #4 0x4e925f in emplace_back<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/vector.tcc:101:4
    #5 0x4e8fcb in _M_range_initialize<std::istreambuf_iterator<char, std::char_traits<char> > > /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:1188:6
    #6 0x4e8b6b in _M_initialize_dispatch<std::istreambuf_iterator<char, std::char_traits<char> > > /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:1177:4
    #7 0x4e76b0 in vector<std::istreambuf_iterator<char, std::char_traits<char> >, void> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:395:11
    #8 0x4e58bb in vector<std::istreambuf_iterator<char, std::char_traits<char> >, void> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/debug/vector:105:11
    #9 0x4e4e04 in readFile /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:23:10
    #10 0x4e5ecc in main /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:38:14
    #11 0x7f66d050ff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0

previously allocated by thread T0 here:
    #0 0x4dbeeb in operator new(unsigned long) ??:?
    #1 0x4eb281 in allocate /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/ext/new_allocator.h:104:27
    #2 0x4eaa84 in _M_allocate /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:168:27
    #3 0x4ea14e in _M_emplace_back_aux<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/vector.tcc:404:22
    #4 0x4e925f in emplace_back<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/vector.tcc:101:4
    #5 0x4e8fcb in _M_range_initialize<std::istreambuf_iterator<char, std::char_traits<char> > > /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:1188:6
    #6 0x4e8b6b in _M_initialize_dispatch<std::istreambuf_iterator<char, std::char_traits<char> > > /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:1177:4
    #7 0x4e76b0 in vector<std::istreambuf_iterator<char, std::char_traits<char> >, void> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_vector.h:395:11
    #8 0x4e58bb in vector<std::istreambuf_iterator<char, std::char_traits<char> >, void> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/debug/vector:105:11
    #9 0x4e4e04 in readFile /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:23:10
    #10 0x4e5ecc in main /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:38:14
    #11 0x7f66d050ff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-use-after-free (/home/mtowalski/git_pdfium/pdfium/out/Debug/pdf_codec_gif_fuzzer+0x5e7678)
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 04 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17108==ABORTING
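Added example (editor's code, not part of the report above and not PDFium code): a small cross-check of the numbers in an ASan report like this one. It recomputes the shadow address of the faulting pointer with the x86-64 Linux mapping (shadow = (addr >> 3) + 0x7fff8000, one shadow byte per 8 application bytes, assumed to be the default layout used by this build), confirms that the highlighted `[fd]` column is the one that mapping predicts, and checks that every shadow byte covering the reported 64-byte region reads `fd` (freed heap region), which is what makes this a heap-use-after-free rather than an overflow into a redzone. The excerpt fed to it is constructed from the lines of the report above; the function names are the editor's own.

```python
import re

# x86-64 Linux ASan shadow mapping (assumed default): shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Constructed excerpt: the lines of the report above that carry the numbers we cross-check.
REPORT_EXCERPT = """\
==17108==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000efc8 at pc 0x0000005e7679 bp 0x7ffe08415c90 sp 0x7ffe08415c88
READ of size 4 at 0x60600000efc8 thread T0
0x60600000efc8 is located 8 bytes inside of 64-byte region [0x60600000efc0,0x60600000f000)
=>0x0c0c7fff9df0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
"""

# Shadow byte values that matter when reading a heap report (from ASan's legend).
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone",
                 "fb": "heap right redzone", "fd": "freed heap region"}


def shadow_address(addr):
    """Address of the shadow byte that describes application address `addr`."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_report(text):
    """Extract bug class, faulting address, access, freed region and the
    highlighted shadow row from a symbolized ASan report."""
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    access = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text)
    region = re.search(r"(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    row = re.search(r"^=>(0x[0-9a-f]+):\s*(.*)$", text, re.M)
    if not (head and access and region and row):
        raise ValueError("report excerpt is missing one of the expected lines")
    # Row tokens look like "fa", "fd" or "[fd]"; the brackets mark the faulting byte.
    tokens = re.findall(r"(\[?)([0-9a-f]{2})\]?", row.group(2))
    return {
        "bug": head.group(1),
        "fault": int(head.group(2), 16),
        "op": access.group(1),
        "size": int(access.group(2)),
        "offset": int(region.group(2)),
        "region_size": int(region.group(3)),
        "region": (int(region.group(4), 16), int(region.group(5), 16)),
        "row_base": int(row.group(1), 16),
        "shadow": [byte for _, byte in tokens],
        "marked": next(i for i, (bracket, _) in enumerate(tokens) if bracket),
    }


def cross_check(rep):
    """Check that the prose, the region arithmetic and the shadow row agree."""
    start, end = rep["region"]
    sh = shadow_address(rep["fault"])
    # Shadow columns covering the freed region, relative to the highlighted row.
    first = shadow_address(start) - rep["row_base"]
    last = shadow_address(end - 1) - rep["row_base"]
    covered = rep["shadow"][first:last + 1]
    return {
        "offset_ok": rep["fault"] - start == rep["offset"],
        "size_ok": end - start == rep["region_size"],
        "row_ok": (sh & ~0xF) == rep["row_base"],
        "column": sh & 0xF,
        "column_ok": (sh & 0xF) == rep["marked"],
        "access_in_region": rep["fault"] + rep["size"] <= end,
        "region_shadow": covered,
        "region_all_freed": all(b == "fd" for b in covered),
        "fault_byte": SHADOW_LEGEND.get(rep["shadow"][rep["marked"]], "?"),
    }


if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    for key, value in cross_check(report).items():
        print(f"{key}: {value}")
```

For this report the faulting pointer maps to shadow 0x0c0c7fff9df9, column 9 of the highlighted row, which is exactly the bracketed byte, and columns 8 through 15 (the whole 64-byte region) are `fd`. A read that landed on `fa` or `fb` instead would point at a heap overflow, and a mismatch between the bracketed column and the computed one would mean the report was truncated or mis-pasted.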
Oct 2 2016

May 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, Jun 10 2016
Status: Duplicate (was: Unconfirmed)