Security: A Pdfium Bug May Leak Information
Reported by
seuk...@gmail.com,
Jul 13 2016
Issue description
VULNERABILITY DETAILS
There is a potential information leak in pdfium. The StringToWideString function is used to parse PDF fonts. I think a malformed PDF could print a character which represents a value in memory.
----------------------------------------------------------
CFX_WideString CPDF_ToUnicodeMap::StringToWideString(
    const CFX_ByteStringC& str) {
  int len = str.GetLength();
  if (len == 0)
    return CFX_WideString();
  CFX_WideString result;  // str[0] could be '[' or other char
  if (str[0] == '<') {
    int byte_pos = 0;
    FX_WCHAR ch = 0;
    for (int i = 1; i < len && std::isxdigit(str[i]); ++i) {
      ch = ch * 16 + FXSYS_toHexDigit(str[i]);
      byte_pos++;
      if (byte_pos == 4) {
        result += ch;
        byte_pos = 0;
        ch = 0;
      }
    }
    return result;
  }
  return result;  // return an uninitialized result
}
https://cs.chromium.org/chromium/src/third_party/pdfium/core/fpdfapi/fpdf_font/fpdf_font.cpp line 172
-------------------------------------------------------------
REPRODUCTION CASE
Pdfium is a third-party library in the Chrome open source project. I have no idea if Chrome has used this function.
Jul 13 2016
CFX_WideString has a default constructor. Also, for vulnerability reports, we generally require a proof of concept demonstrating that said bug is reachable.
Oct 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by seuk...@gmail.com, Jul 13 2016
The StringToWideString function is called in CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) and fills m_MultiCharBuf.
-----------------------------------------------------
if (word == "beginbfchar") {
  while (1) {
    word = parser.GetWord();
    if (word.IsEmpty() || word == "endbfchar") {
      break;
    }
    uint32_t srccode = StringToCode(word);
    word = parser.GetWord();
    CFX_WideString destcode = StringToWideString(word);  // function call
    int len = destcode.GetLength();
    if (len == 0) {
      continue;
    }
    if (len == 1) {
      m_Map[srccode] = destcode.GetAt(0);
    } else {
      m_Map[srccode] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff;
      m_MultiCharBuf.AppendChar(destcode.GetLength());
      m_MultiCharBuf << destcode;  // fill the char buffer
    }
  }
}
And I found a JavaScript interface to read m_MultiCharBuf.
-----------------------------------------------------
JS_STATIC_METHOD(getPageNthWord, Document);
Document::getPageNthWord() -> Document::GetObjWordStr() -> CPDF_Font::UnicodeFromCharCode() -> CPDF_ToUnicodeMap::Lookup() -> const FX_WCHAR* buf = m_MultiCharBuf.GetBuffer();