Starred by 2 users

Issue metadata

Status: Fixed
Owner: ----
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 628304: Security: heap-buffer-overflow in opj_v4dwt_interleave_h

Reported by gogil@stealien.com, Jul 14 2016

Issue description

VULNERABILITY DETAILS

A heap buffer overflow vulnerability is present in openjpeg.


This issue only affected the 32-bit version of pdfium.

And it can't be used with ASAN, because this vulnerability uses 3GB of memory.

When used with ASAN, it fails because it uses too much memory.



File libopenjpeg20/dwt.c, line 841:
-----------------------------------------------------------------------------------------------
OPJ_BOOL opj_dwt_decode_real(opj_tcd_tilecomp_t* restrict tilec, OPJ_UINT32 numres)
{
	opj_v4dwt_t h;
	opj_v4dwt_t v;

	opj_tcd_resolution_t* res = tilec->resolutions;

	OPJ_UINT32 rw = (OPJ_UINT32)(res->x1 - res->x0);	/* width of the resolution level computed */
	OPJ_UINT32 rh = (OPJ_UINT32)(res->y1 - res->y0);	/* height of the resolution level computed */

	OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);

	h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
-----------------------------------------------------------------------------------------------

In my testcase, `opj_dwt_max_resolution(res, numres)` will return 0xFFFFFFB.

And `sizeof(opj_v4_t)` is 0x10.

Therefore, (0xFFFFFFB+5)*0x10 will cause an integer overflow.

opj_aligned_malloc will allocate memory with size 0.

In the 64-bit version of pdfium it is calculated correctly as 0x100000000.



This vulnerability causes an out-of-bounds write.

File libopenjpeg20/dwt.c, line 624:
-----------------------------------------------------------------------------------------------
static void opj_v4dwt_interleave_h(opj_v4dwt_t* restrict w, OPJ_FLOAT32* restrict a, OPJ_INT32 x, OPJ_INT32 size){
	OPJ_FLOAT32* restrict bi = (OPJ_FLOAT32*) (w->wavelet + w->cas);
	OPJ_INT32 count = w->sn;
	OPJ_INT32 i, k;

	for(k = 0; k < 2; ++k){
		if ( count + 3 * x < size && ((size_t) a & 0x0f) == 0 && ((size_t) bi & 0x0f) == 0 && (x & 0x0f) == 0 ) {
			/* Fast code path */
			for(i = 0; i < count; ++i){
				OPJ_INT32 j = i;
				bi[i*8    ] = a[j];    <--- out-of-bounds write
				j += x;
				bi[i*8 + 1] = a[j];
				j += x;
				bi[i*8 + 2] = a[j];
				j += x;
				bi[i*8 + 3] = a[j];
			}
		}
-----------------------------------------------------------------------------------------------




VERSION
Chrome Version: 51.0.2704.106 Stable x86
Operating System: Windows 10 x64




REPRODUCTION CASE
Attached as poc.pdf




FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
(129c.1a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\Visualizers.
eax=00000000 ebx=07fffffe ecx=5a705008 edx=7fffb020 esi=0ffffffb edi=0ffffffb
eip=6acfac05 esp=0028c2cc ebp=0028c2f4 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
chrome_child!opj_v4dwt_interleave_h+0xc1:
6acfac05 8941f8          mov     dword ptr [ecx-8],eax ds:002b:5a705000=????????
0:000> u
chrome_child!opj_v4dwt_interleave_h+0xc1 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\dwt.c @ 647]:
6acfac05 8941f8          mov     dword ptr [ecx-8],eax
6acfac08 8b45f8          mov     eax,dword ptr [ebp-8]
6acfac0b 03c7            add     eax,edi
6acfac0d 3bc6            cmp     eax,esi
6acfac0f 7d25            jge     chrome_child!opj_v4dwt_interleave_h+0xf2 (6acfac36)
6acfac11 8b45f4          mov     eax,dword ptr [ebp-0Ch]
6acfac14 8b00            mov     eax,dword ptr [eax]
6acfac16 8941fc          mov     dword ptr [ecx-4],eax
0:000> dd ecx-8
5a705000  ???????? ???????? ???????? ????????
5a705010  ???????? ???????? ???????? ????????
5a705020  ???????? ???????? ???????? ????????
5a705030  ???????? ???????? ???????? ????????
5a705040  ???????? ???????? ???????? ????????
5a705050  ???????? ???????? ???????? ????????
5a705060  ???????? ???????? ???????? ????????
5a705070  ???????? ???????? ???????? ????????
0:000> dd ecx-16
5a704ff2  00385975 50005975 a0005a70 ????????
5a705002  ???????? ???????? ???????? ????????
5a705012  ???????? ???????? ???????? ????????
5a705022  ???????? ???????? ???????? ????????
5a705032  ???????? ???????? ???????? ????????
5a705042  ???????? ???????? ???????? ????????
5a705052  ???????? ???????? ???????? ????????
5a705062  ???????? ???????? ???????? ????????
0:000> lmvm chrome_child
Browse full module list
start    end        module name
69270000 6bfcd000   chrome_child   (private pdb symbols)  c:\symbols\chrome_child.dll.pdb\6D0E46FFC0C040548A49826AD955CA2C1\chrome_child.dll.pdb
    Loaded symbol image file: C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll
    Image path: C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll
    Image name: chrome_child.dll
    Browse all global symbols  functions  data
    Timestamp:        Thu Jun 23 11:30:07 2016 (576B49AF)
    CheckSum:         02BDCB6D
    ImageSize:        02D5D000
    File version:     51.0.2704.106
    Product version:  51.0.2704.106
    File flags:       0 (Mask 17)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Google Inc.
    ProductName:      Google Chrome
    InternalName:     chrome_dll
    OriginalFilename: chrome.dll
    ProductVersion:   51.0.2704.106
    FileVersion:      51.0.2704.106
    FileDescription:  Google Chrome
    LegalCopyright:   Copyright 2015 Google Inc. All rights reserved.

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0028c2f4 6acfa4c3 0028c328 7fffb020 0ffffffb chrome_child!opj_v4dwt_interleave_h+0xc1 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\dwt.c @ 647]
01 0028c368 6acf8f7c 009d8628 00000001 0a769570 chrome_child!opj_dwt_decode_real+0x1a5 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\dwt.c @ 896]
02 0028c388 6acf8ed7 009f4d14 009f32b0 0099a5c0 chrome_child!opj_tcd_dwt_decode+0x53 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\tcd.c @ 1635]
03 0028c39c 6acf2cd5 000035b8 00a13010 000043c8 chrome_child!opj_tcd_decode_tile+0x7b [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\tcd.c @ 1317]
04 0028c3cc 6acf2e5d 0099a5c0 00000000 e68b2020 chrome_child!opj_j2k_decode_tile+0x5e [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 8069]
05 0028c420 6acf3509 0099a5c0 00993018 009960fc chrome_child!opj_j2k_decode_tiles+0x8e [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 9608]
06 0028c440 6acf29b1 0099a5c0 00a0a138 00993018 chrome_child!opj_j2k_exec+0x32 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 7290]
07 0028c474 6acf6a80 0099a5c0 00993018 009a13d0 chrome_child!opj_j2k_decode+0x4e [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 9808]
08 0028c494 6acefb06 0098d660 00993018 009a13d0 chrome_child!opj_jp2_decode+0x24 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c @ 1487]
09 0028c4ac 6acc65bb 009960d0 00993018 009a13d0 chrome_child!opj_decode+0x26 [c:\b\build\slave\win\build\src\third_party\pdfium\third_party\libopenjpeg20\openjpeg.c @ 412]
0a 0028e518 6acc609b 00a0a7c8 0000457b 6b833968 chrome_child!CJPX_Decoder::Init+0x183 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 757]
0b 0028e530 6acac323 00a0a7c8 0000457b 009dc390 chrome_child!CCodec_JpxModule::CreateDecoder+0x35 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 880]
0c 0028e578 6acaad48 009f09a8 009f0980 009cddd8 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x60 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 637]
0d 0028e5a4 6acacd92 009cdca0 009a1760 009cdc98 chrome_child!CPDF_DIBSource::CreateDecoder+0x209 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 594]
0e 0028e5c8 6aca0de9 00996070 009cddd8 00000001 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x15f [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 312]
0f 0028e5f4 6aca0e93 00000000 009da920 00000000 chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x60 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 286]
10 0028e630 6acacba8 009cddd8 00000000 00000000 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0x80 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 125]
11 0028e660 6acacb5f 009636b8 00992f28 009cdc98 chrome_child!CPDF_ImageLoaderHandle::Start+0x44 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1519]
12 0028e690 6ac995fe 00992f28 009cdc98 009636f4 chrome_child!CPDF_ImageLoader::Start+0x51 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1580]
13 0028e6e8 6ac990a4 00992f28 009a9df8 009cdea4 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0x70 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 343]
14 0028e6fc 6ac7b0d6 009a9df8 00992f28 009cdea4 chrome_child!CPDF_ImageRenderer::Start+0x6b [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 487]
15 0028e724 6ac7af52 00992f28 009cdea4 0028e818 chrome_child!CPDF_RenderStatus::ContinueSingleObject+0x91 [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 330]
16 0028e7a4 6ac57601 0028e818 009dce18 009f2710 chrome_child!CPDF_ProgressiveRenderer::Continue+0x1dd [c:\b\build\slave\win\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 1103]
17 0028e7e0 6ac597c0 009f2710 00975390 00000004 chrome_child!FPDF_RenderPage_Retail+0x206 [c:\b\build\slave\win\build\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 936]
18 0028e824 6a4386c7 009a1610 00975390 00000004 chrome_child!FPDF_RenderPageBitmap_Start+0xc5 [c:\b\build\slave\win\build\src\third_party\pdfium\fpdfsdk\fpdf_progressive.cpp @ 64]
19 0028e884 6a43c63e 0000002f 000003cb 009cde00 chrome_child!chrome_pdf::PDFiumEngine::ContinuePaint+0xed [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 2719]
1a 0028e918 6a442c4d 0028e9e4 009cca48 0028e944 chrome_child!chrome_pdf::PDFiumEngine::Paint+0x159 [c:\b\build\slave\win\build\src\pdf\pdfium\pdfium_engine.cc @ 958]
1b 0028ea18 6a447a33 0028ead0 0028ea4c 0028ea58 chrome_child!chrome_pdf::OutOfProcessInstance::OnPaint+0x187 [c:\b\build\slave\win\build\src\pdf\out_of_process_instance.cc @ 720]
...
 
poc.pdf
18.3 KB Download

Comment 1 by mbarbe...@chromium.org, Jul 14 2016

Cc: och...@chromium.org
Labels: Security_Severity-High Security_Impact-Stable OS-All
Owner: hong_zh...@foxitsoftware.com
Status: Assigned (was: Unconfirmed)
hong_zhang: Could you take a look at this?

Comment 2 by mbarbe...@chromium.org, Jul 14 2016

Components: Internals>Plugins>PDF

Comment 3 by sheriffbot@chromium.org, Jul 15 2016

Project Member
Labels: M-51

Comment 4 by sheriffbot@chromium.org, Jul 15 2016

Project Member
Labels: Pri-1

Comment 5 by gogil@stealien.com, Jul 19 2016

* Fix Suggestion
I refer to #625541

File libopenjpeg20/dwt.c, line 841:
-----------------------------------------------------------------------------------------------
OPJ_BOOL opj_dwt_decode_real(opj_tcd_tilecomp_t* restrict tilec, OPJ_UINT32 numres)
{
	opj_v4dwt_t h;
	opj_v4dwt_t v;

	opj_tcd_resolution_t* res = tilec->resolutions;

	OPJ_UINT32 rw = (OPJ_UINT32)(res->x1 - res->x0);	/* width of the resolution level computed */
	OPJ_UINT32 rh = (OPJ_UINT32)(res->y1 - res->y0);	/* height of the resolution level computed */

	OPJ_UINT32 w = (OPJ_UINT32)(tilec->x1 - tilec->x0);

+	OPJ_UINT32 mr = opj_dwt_max_resolution(res, numres);
+	if ((mr + 5) <= mr) {
+		return OPJ_FALSE;
+	}
+	mr += 5;
+	if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof(opj_v4_t) < mr) {
+		return OPJ_FALSE;
+	}
+
+	h.wavelet = (opj_v4_t*) opj_aligned_malloc(mr * sizeof(opj_v4_t));
-	h.wavelet = (opj_v4_t*) opj_aligned_malloc((opj_dwt_max_resolution(res, numres)+5) * sizeof(opj_v4_t));
-----------------------------------------------------------------------------------------------
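Review bot: the two guards are correct for unsigned arithmetic, but they repair one call site while the identical multiply-inside-malloc idiom recurs elsewhere in the library (the `h.mem_count * sizeof(OPJ_INT32)` allocation in `opj_dwt_decode` at dwt.c line 578, quoted later in this thread, has the same shape), so consider moving both checks into a single overflow-checked allocation helper and calling it from every such site rather than repeating the two `if` blocks. Two smaller points: the `(OPJ_UINT32)` cast on `sizeof(opj_v4_t)` means the second check also caps the allocation at 4 GB on 64-bit builds, where `mr * sizeof(opj_v4_t)` is computed in 64-bit `size_t` and would not wrap, which is a reasonable limit but deserves a comment so it is not "simplified" away later; and the early `return OPJ_FALSE` emits no diagnostic, so a rejected file is indistinguishable from any other decode failure when triaging.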

You will be able to verify this patch with the 32-bit version of pdfium_test (no ASAN; please use windbg or gdb).

But on Ubuntu, it sometimes fails because it uses too much memory.

I recommend that you test on Win64.

Comment 6 by sheriffbot@chromium.org, Jul 21 2016

Project Member
Labels: -M-51 M-52

Comment 7 by sheriffbot@chromium.org, Jul 29 2016

Project Member
hong_zhang: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by tsepez@chromium.org, Jul 29 2016

@ochang, if you're up for it, I'm concerned that there's so much of this all over the place that we ought to add opj_aligned_malloc_2d() and _3d() using logic along the lines of FX_AllocOrDie2D() and ensure that we never do any multiplications inside a malloc() call.

Comment 9 by gogil@stealien.com, Jul 30 2016

That's a good point!

There is a similar issue at r554172.

openjpeg has several dangerous routines.


File libopenjpeg20/dwt.c, line 578:
-----------------------------------------------------------------------------------------------
	h.mem_count = opj_dwt_max_resolution(tr, numres);
	h.mem = (OPJ_INT32*)opj_aligned_malloc(h.mem_count * sizeof(OPJ_INT32));
-----------------------------------------------------------------------------------------------

File libopenjpeg20/t1.c, line 1185:
-----------------------------------------------------------------------------------------------
	t1->flags_stride=w+2;
	flagssize=t1->flags_stride * (h+2);

	if(flagssize > t1->flagssize){
		opj_aligned_free(t1->flags);
		t1->flags = (opj_flag_t*) opj_aligned_malloc(flagssize * sizeof(opj_flag_t));
-----------------------------------------------------------------------------------------------

File libopenjpeg20/jp2.c, line 972:
-----------------------------------------------------------------------------------------------
	nr_channels = color->jp2_pclr->nr_channels;

	old_comps = image->comps;
	new_comps = (opj_image_comp_t*)
			opj_malloc(nr_channels * sizeof(opj_image_comp_t));
-----------------------------------------------------------------------------------------------
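Added example, written for this thread rather than taken from OpenJPEG, PDFium or any of the commenters: a small C program that models the 32-bit size computation from the issue description (max resolution 0xFFFFFFB, 16-byte elements) and the overflow-checked allocation pattern from the comment 5 patch and the `_2d()`/`_3d()` helpers proposed in comment 8, applied to the kinds of call sites quoted above (a 1-D product as in jp2.c, a 2-D product as in t1.c). `model_v4_t`, `wavelet_bytes_*`, `checked_mul_size`, `checked_alloc*` and `demo_alloc_2d` are hypothetical names used only here; the example assumes `sizeof(opj_v4_t) == 0x10` as the report states and a 32-bit `unsigned int`.

```c
/* Added example, not OpenJPEG or PDFium code. It models the 32-bit and 64-bit
 * size arithmetic from the report and the overflow-checked allocation pattern
 * proposed in comments 5 and 8. model_v4_t stands in for opj_v4_t (16 bytes,
 * as the report states); checked_* and demo_* are hypothetical helper names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { float f[4]; } model_v4_t;   /* sizeof == 0x10, like opj_v4_t */

/* Unchecked size computation on a 32-bit build: the multiply wraps in 32 bits. */
uint32_t wavelet_bytes_32(uint32_t max_res)
{
    return (max_res + 5u) * (uint32_t)sizeof(model_v4_t);
}

/* The same expression on a 64-bit build: size_t is 64-bit, so it does not wrap. */
uint64_t wavelet_bytes_64(uint32_t max_res)
{
    return (uint64_t)(max_res + 5u) * (uint64_t)sizeof(model_v4_t);
}

/* Mirrors the two guards of the comment 5 patch, in 32-bit arithmetic.
 * Returns the byte count, or 0 when the add or the multiply would wrap
 * (a valid count is never 0 because max_res + 5 is at least 5). */
uint32_t wavelet_bytes_checked(uint32_t max_res)
{
    uint32_t mr = max_res;
    if (mr + 5u <= mr)                                    /* addition wrapped */
        return 0;
    mr += 5u;
    if (UINT32_MAX / (uint32_t)sizeof(model_v4_t) < mr)   /* multiply would wrap */
        return 0;
    return mr * (uint32_t)sizeof(model_v4_t);
}

/* Generic form of the same idea (comment 8): never multiply inside malloc().
 * Stores a*b in *out and returns 1 only if the product fits in size_t. */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* 1-D: n elements, the shape of nr_channels * sizeof(opj_image_comp_t) in jp2.c. */
void *checked_alloc(size_t n, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul_size(n, elem_size, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

/* 2-D: rows * cols elements, the shape of flags_stride * (h+2) * sizeof(opj_flag_t) in t1.c. */
void *checked_alloc_2d(size_t rows, size_t cols, size_t elem_size)
{
    size_t count;
    if (!checked_mul_size(rows, cols, &count))
        return NULL;
    return checked_alloc(count, elem_size);
}

/* 3-D: the _3d variant suggested in comment 8, built on the 2-D one. */
void *checked_alloc_3d(size_t planes, size_t rows, size_t cols, size_t elem_size)
{
    size_t count;
    if (!checked_mul_size(planes, rows, &count))
        return NULL;
    return checked_alloc_2d(count, cols, elem_size);
}

/* Returns 1 if the 2-D allocation was accepted (and frees it), 0 if rejected. */
int demo_alloc_2d(size_t rows, size_t cols, size_t elem_size)
{
    void *p = checked_alloc_2d(rows, cols, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    uint32_t mr = 0x0FFFFFFBu;   /* opj_dwt_max_resolution() result from the report */
    printf("32-bit unchecked: 0x%x bytes\n", (unsigned)wavelet_bytes_32(mr));   /* 0 */
    printf("64-bit unchecked: 0x%llx bytes\n", (unsigned long long)wavelet_bytes_64(mr));
    printf("32-bit checked:   %u (0 = rejected)\n", (unsigned)wavelet_bytes_checked(mr));
    printf("2-D SIZE_MAX x 2: %d (0 = rejected)\n", demo_alloc_2d(SIZE_MAX, 2, 1));
    printf("2-D 4 x 4 x 4:    %d (1 = accepted)\n", demo_alloc_2d(4, 4, 4));
    return 0;
}
```

Build with any C99 compiler (for instance `cc -std=c99 example.c`). For the reporter's value the unchecked 32-bit computation yields 0 bytes while the 64-bit one yields 0x100000000, and the checked version rejects the same input; the generic helpers extend the check to two- and three-factor products so that no call site ever multiplies inside malloc().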

Comment 10 by gogil@stealien.com, Jul 30 2016

Comment 12 by thestig@chromium.org, Aug 5 2016

Usually one hits "Publish+Mail Comments" on the code review to generate an email.

Comment 13 by gogil@stealien.com, Aug 5 2016

Done!

Comment 15 by thestig@chromium.org, Aug 5 2016

Cc: tsepez@chromium.org hong_zh...@foxitsoftware.com awhalley@chromium.org
Owner: ----
Status: Fixed (was: Assigned)
Same here - do we actually want to merge back to M53? M52?

Comment 16 by sheriffbot@chromium.org, Aug 6 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 17 by sheriffbot@chromium.org, Aug 8 2016

Project Member
Labels: Merge-Request-53

Comment 18 by dimu@chromium.org, Aug 8 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Comment 19 by gov...@chromium.org, Aug 8 2016

+awhalley@, is this good to take in for this week M53 Beta release?

Comment 20 by awhalley@chromium.org, Aug 9 2016

Yep, good for M53, along with the other bugs that have a PDFium roll: 624514, 628304, 628890

Comment 21 by gov...@chromium.org, Aug 9 2016

Approving merge to M53 branch 2785 based on comment #20. Please merge ASAP (latest by tomorrow, Tuesday 3:00 PM PT) so we can take it in for this week beta release.

Comment 22 by gov...@chromium.org, Aug 9 2016

Labels: -Merge-Review-53 Merge-Approved-53

Comment 23 by bugdroid1@chromium.org, Aug 9 2016

Project Member

Comment 24 by awhalley@chromium.org, Aug 9 2016

Labels: -Merge-Approved-53 merge-merged-2785

Comment 25 by awhalley@chromium.org, Aug 24 2016

Labels: reward-topanel

Comment 26 by awhalley@chromium.org, Aug 30 2016

Labels: -M-52 M-53 Release-0-M53

Comment 27 by awhalley@chromium.org, Sep 8 2016

Labels: -reward-topanel reward-unpaid reward-undefined

Comment 28 by awhalley@chromium.org, Sep 8 2016

Labels: -reward-undefined reward-3500

Comment 29 by awhalley@chromium.org, Sep 8 2016

Nice - $3,500 for this one.

Comment 30 by awhalley@chromium.org, Sep 14 2016

Labels: CVE-2016-5159

Comment 31 by awhalley@chromium.org, Sep 23 2016

Labels: -reward-unpaid reward-inprocess

Comment 32 by awhalley@chromium.org, Oct 28 2016

Labels: -reward-inprocess reward-unpaid

Comment 33 by awhalley@chromium.org, Oct 28 2016

Labels: -reward-unpaid reward-inprocess

Comment 34 by sheriffbot@chromium.org, Nov 12 2016

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
