Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate
Reported by gogil@stealien.com, Jul 16 2016
Issue description
VULNERABILITY DETAILS
A heap buffer overflow vulnerability is present in openjpeg.
File libopenjpeg20/tcd.c, line 842:
--------------------------------------------------------------------------------
689 OPJ_UINT32 l_nb_code_blocks_size;
...
842 l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
843
844 l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
845
846 if (! l_current_precinct->cblks.blocks) {
847 l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------
In my testcase, I used an image with l_current_precinct->cw == 0x2000, l_current_precinct->ch == 0x2000, and sizeof_block == 0x40.
Therefore 0x2000*0x2000*0x40 overflows the 32-bit integer.
opj_malloc allocates memory with size 0.
VERSION
latest pdfium_test
Ubuntu 16.04 x64
REPRODUCTION CASE
Attached as poc.pdf
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
/pdfium/pdfium/out/asan$ ./pdfium_test ./poc.pdf
Rendering PDF file ./poc.pdf.
=================================================================
==4828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc90 at pc 0x000000702fa4 bp 0x7ffe108f38a0 sp 0x7ffe108f3898
READ of size 8 at 0x60200000dc90 thread T0
#0 0x702fa3 in opj_tcd_code_block_dec_allocate ./out/asan/../../third_party/libopenjpeg20/tcd.c:1111
#1 0x6fa487 in opj_tcd_init_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1024
#2 0x6fa963 in opj_tcd_init_decode_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1056
#3 0x64a3b5 in opj_j2k_read_tile_header ./out/asan/../../third_party/libopenjpeg20/j2k.c:8020
#4 0x67c55d in opj_j2k_decode_tiles ./out/asan/../../third_party/libopenjpeg20/j2k.c:9582
#5 0x64559d in opj_j2k_exec ./out/asan/../../third_party/libopenjpeg20/j2k.c:7290 (discriminator 1)
#6 0x65868e in opj_j2k_decode ./out/asan/../../third_party/libopenjpeg20/j2k.c:9810
#7 0x690b9e in opj_jp2_decode ./out/asan/../../third_party/libopenjpeg20/jp2.c:1488
#8 0x6ad856 in opj_decode ./out/asan/../../third_party/libopenjpeg20/openjpeg.c:412
#9 0x2986c7e in _ZN12CJPX_Decoder4InitEPKhj ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764
#10 0x298a7c3 in _ZN16CCodec_JpxModule13CreateDecoderEPKhjP15CPDF_ColorSpace ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887 (discriminator 4)
#11 0x2712799 in _ZN14CPDF_DIBSource13LoadJpxBitmapEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634 (discriminator 1)
#12 0x2707709 in _ZN14CPDF_DIBSource13CreateDecoderEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593
#13 0x270d492 in _ZN14CPDF_DIBSource18StartLoadDIBSourceEP13CPDF_DocumentPK11CPDF_StreamiP15CPDF_DictionaryS6_iji ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311
#14 0x26e10b8 in _ZN20CPDF_ImageCacheEntry20StartGetCachedBitmapEP15CPDF_DictionaryS1_ijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282
#15 0x26e0a94 in _ZN20CPDF_PageRenderCache20StartGetCachedBitmapEP11CPDF_StreamijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
#16 0x27210e8 in _ZN22CPDF_ImageLoaderHandle5StartEP16CPDF_ImageLoaderPK16CPDF_ImageObjectP20CPDF_PageRenderCacheijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502 (discriminator 1)
#17 0x27223ee in _ZN16CPDF_ImageLoader5StartEPK16CPDF_ImageObjectP20CPDF_PageRenderCachePNSt3__110unique_ptrI22CPDF_ImageLoaderHandleNS5_14default_deleteIS7_EEEEijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1565
#18 0x26f1053 in _ZN18CPDF_ImageRenderer18StartLoadDIBSourceEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:360
#19 0x26e8b40 in _ZN18CPDF_ImageRenderer5StartEP17CPDF_RenderStatusPK15CPDF_PageObjectPK10CFX_Matrixii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:507
#20 0x26c3133 in _ZN17CPDF_RenderStatus20ContinueSingleObjectEPK15CPDF_PageObjectPK10CFX_MatrixP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297 (discriminator 1)
#21 0x26cf72a in _ZN24CPDF_ProgressiveRenderer8ContinueEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057 (discriminator 1)
#22 0x26cde4a in _ZN24CPDF_ProgressiveRenderer5StartEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018
#23 0x247fe65 in _Z22FPDF_RenderPage_RetailP14CRenderContextPviiiiiiiP19IFSDK_PAUSE_Adapter ./out/asan/../../fpdfsdk/fpdfview.cpp:885
#24 0x247ec70 in FPDF_RenderPageBitmap ./out/asan/../../fpdfsdk/fpdfview.cpp:621
#25 0x50663b in _Z10RenderPageRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKPvSA_iRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:551
#26 0x508f7c in _Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:735
#27 0x50bd49 in main ./out/asan/../../samples/pdfium_test.cc:875 (discriminator 1)
#28 0x7f29895c082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
0x60200000dc91 is located 0 bytes to the right of 1-byte region [0x60200000dc90,0x60200000dc91)
allocated by thread T0 here:
#0 0x4c105c in __interceptor_malloc ??:?
#1 0x6f9248 in opj_tcd_init_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:947
#2 0x6fa963 in opj_tcd_init_decode_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1056
#3 0x64a3b5 in opj_j2k_read_tile_header ./out/asan/../../third_party/libopenjpeg20/j2k.c:8020
#4 0x67c55d in opj_j2k_decode_tiles ./out/asan/../../third_party/libopenjpeg20/j2k.c:9582
#5 0x64559d in opj_j2k_exec ./out/asan/../../third_party/libopenjpeg20/j2k.c:7290 (discriminator 1)
#6 0x65868e in opj_j2k_decode ./out/asan/../../third_party/libopenjpeg20/j2k.c:9810
#7 0x690b9e in opj_jp2_decode ./out/asan/../../third_party/libopenjpeg20/jp2.c:1488
#8 0x6ad856 in opj_decode ./out/asan/../../third_party/libopenjpeg20/openjpeg.c:412
#9 0x2986c7e in _ZN12CJPX_Decoder4InitEPKhj ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764
#10 0x298a7c3 in _ZN16CCodec_JpxModule13CreateDecoderEPKhjP15CPDF_ColorSpace ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887 (discriminator 4)
#11 0x2712799 in _ZN14CPDF_DIBSource13LoadJpxBitmapEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634 (discriminator 1)
#12 0x2707709 in _ZN14CPDF_DIBSource13CreateDecoderEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593
#13 0x270d492 in _ZN14CPDF_DIBSource18StartLoadDIBSourceEP13CPDF_DocumentPK11CPDF_StreamiP15CPDF_DictionaryS6_iji ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311
#14 0x26e10b8 in _ZN20CPDF_ImageCacheEntry20StartGetCachedBitmapEP15CPDF_DictionaryS1_ijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282
#15 0x26e0a94 in _ZN20CPDF_PageRenderCache20StartGetCachedBitmapEP11CPDF_StreamijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
#16 0x27210e8 in _ZN22CPDF_ImageLoaderHandle5StartEP16CPDF_ImageLoaderPK16CPDF_ImageObjectP20CPDF_PageRenderCacheijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502 (discriminator 1)
#17 0x27223ee in _ZN16CPDF_ImageLoader5StartEPK16CPDF_ImageObjectP20CPDF_PageRenderCachePNSt3__110unique_ptrI22CPDF_ImageLoaderHandleNS5_14default_deleteIS7_EEEEijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1565
#18 0x26f1053 in _ZN18CPDF_ImageRenderer18StartLoadDIBSourceEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:360
#19 0x26e8b40 in _ZN18CPDF_ImageRenderer5StartEP17CPDF_RenderStatusPK15CPDF_PageObjectPK10CFX_Matrixii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:507
#20 0x26c3133 in _ZN17CPDF_RenderStatus20ContinueSingleObjectEPK15CPDF_PageObjectPK10CFX_MatrixP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297 (discriminator 1)
#21 0x26cf72a in _ZN24CPDF_ProgressiveRenderer8ContinueEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057 (discriminator 1)
#22 0x26cde4a in _ZN24CPDF_ProgressiveRenderer5StartEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018
#23 0x247fe65 in _Z22FPDF_RenderPage_RetailP14CRenderContextPviiiiiiiP19IFSDK_PAUSE_Adapter ./out/asan/../../fpdfsdk/fpdfview.cpp:885
#24 0x247ec70 in FPDF_RenderPageBitmap ./out/asan/../../fpdfsdk/fpdfview.cpp:621
#25 0x50663b in _Z10RenderPageRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKPvSA_iRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:551
#26 0x508f7c in _Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:735
#27 0x50bd49 in main ./out/asan/../../samples/pdfium_test.cc:875 (discriminator 1)
#28 0x7f29895c082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow (/dd/pdfium/pdfium/out/asan/pdfium_test+0x702fa3)
Shadow bytes around the buggy address:
0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b90: fa fa[01]fa fa fa 00 fa fa fa 00 04 fa fa 03 fa
0x0c047fff9ba0: fa fa 03 fa fa fa 00 04 fa fa 00 04 fa fa 00 00
0x0c047fff9bb0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9bc0: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 04 fa
0x0c047fff9bd0: fa fa 04 fa fa fa fd fa fa fa 01 fa fa fa 00 fa
0x0c047fff9be0: fa fa 00 00 fa fa 00 00 fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4828==ABORTING
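The integer wrap the report describes, worked through in C as an added example (not code from the report, from pdfium or from OpenJPEG): the unchecked product with the reporter's cw, ch and sizeof_block values, beside a guarded version of the same computation. The function names and the helper that returns -1 are assumptions made for this example; sizeof_block = 0x40 is the reporter's figure, not an actual sizeof.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: the shape of the size computation quoted from tcd.c in the
 * report. All operands are 32-bit, so the product is reduced modulo 2^32 and a
 * large precinct collapses to a tiny (here: zero) allocation size. */
uint32_t unchecked_blocks_size(uint32_t cw, uint32_t ch, uint32_t sizeof_block)
{
    uint32_t nb_code_blocks = cw * ch;
    return nb_code_blocks * sizeof_block;
}

/* Guarded form (assumed API for this example, not OpenJPEG's): each
 * multiplication is tested against UINT32_MAX before it is performed. On
 * overflow it returns false and leaves *out untouched; the caller must then
 * reject the codestream instead of calling malloc with the wrapped value. */
bool checked_blocks_size(uint32_t cw, uint32_t ch, uint32_t sizeof_block,
                         uint32_t *out)
{
    uint32_t nb_code_blocks;

    /* cw == 0 cannot overflow and must be excluded before dividing by it. */
    if (cw != 0 && ch > UINT32_MAX / cw)
        return false;
    nb_code_blocks = cw * ch;

    /* In the real code sizeof_block comes from sizeof() and is never 0; the
     * test is kept so the helper is safe for any input. */
    if (sizeof_block != 0 && nb_code_blocks > UINT32_MAX / sizeof_block)
        return false;

    *out = nb_code_blocks * sizeof_block;
    return true;
}

/* Convenience wrapper: the checked size, or -1 when it does not fit in 32 bits. */
int64_t blocks_size_or_minus_one(uint32_t cw, uint32_t ch, uint32_t sizeof_block)
{
    uint32_t size;
    return checked_blocks_size(cw, ch, sizeof_block, &size) ? (int64_t)size : -1;
}

int main(void)
{
    /* The reporter's values: 0x2000 * 0x2000 * 0x40 == 2^32 exactly. */
    const uint32_t cw = 0x2000, ch = 0x2000, sizeof_block = 0x40;

    printf("unchecked: 0x%" PRIx32 " bytes\n",
           unchecked_blocks_size(cw, ch, sizeof_block));
    printf("checked:   %" PRId64 " (negative = rejected)\n",
           blocks_size_or_minus_one(cw, ch, sizeof_block));
    /* A precinct of 64 x 64 code blocks is accepted: 0x40000 bytes. */
    printf("sane:      %" PRId64 "\n",
           blocks_size_or_minus_one(64, 64, sizeof_block));
    return 0;
}
```

Compile with any C99 compiler. The unchecked call yields 0, which is the size opj_malloc received in the crash above, while the guarded call rejects the same inputs before any allocation is attempted.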
Jul 18 2016
Thank you gogil. I'm confirming this bug with clusterfuzz (https://cluster-fuzz.appspot.com/testcase?key=6379260017377280)
Jul 18 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4658093640384512
Jul 18 2016
I can confirm the heap-buffer-overflow crash on ubuntu. hong_zhang@, this looks related to 628304. Can you take a look? Thanks!
Jul 19 2016
* Fix Suggestion
I refer to #625541
File libopenjpeg20/tcd.c, line 939:
--------------------------------------------------------------------------------
l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn);
l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn);
+ if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) {
+ return OPJ_FALSE;
+ }
l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
/*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch); */
+ if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) {
+ return OPJ_FALSE;
+ }
l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
if (! l_current_precinct->cblks.blocks) {
l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------
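Review bot: both added guards return OPJ_FALSE without saying why, so a codestream rejected by the new `cw`/`ch` check or by the `sizeof_block` check fails exactly like an allocation failure; emit an error message before each `return OPJ_FALSE;` so the rejection is visible to the caller and to whoever triages the fuzzer case. The first guard is also only evaluated when `cw` is non-zero, which is right for the division, but it means `cw == 0` with a huge `ch` falls through to `l_nb_code_blocks = 0` and a zero-length `opj_malloc`; confirm that the later code-block loop never indexes `cblks.blocks` in that case. Finally, `((OPJ_UINT32)-1)` stands in for UINT32_MAX in both checks; a named constant or a one-line comment would make the overflow intent obvious to the next reader.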
Jul 31 2016
hong_zhang: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 4 2016
Review URL: https://codereview.chromium.org/2212973002
Aug 4 2016
Thanks for the patch! I'll let ochang@ take care of it.
Aug 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2b7d329e0a69e97cd3dc2bf267fb96e40a7880a4
commit 2b7d329e0a69e97cd3dc2bf267fb96e40a7880a4
Author: thestig <thestig@chromium.org>
Date: Fri Aug 05 22:06:00 2016

Roll PDFium 32e693f..135b998

https://pdfium.googlesource.com/pdfium.git/+log/32e693f..135b998

BUG=628304, 628890
TBR=tsepez@chromium.org

Review-Url: https://codereview.chromium.org/2223573002
Cr-Commit-Position: refs/heads/master@{#410182}

[modify] https://crrev.com/2b7d329e0a69e97cd3dc2bf267fb96e40a7880a4/DEPS
Aug 5 2016
Do we actually want to merge back to M53? M52?
Aug 8 2016
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Aug 8 2016
+awhalley@, is this good to take in for this week M53 Beta release?
Aug 9 2016
Yep, good for M53, along with the other bugs that have a PDFium roll: 624514, 628304, 628890
Aug 9 2016
Approving merge to M53 branch 2785 based on comment #19. Please merge ASAP (latest by tomorrow, Tuesday 3:00 PM PT) so we can take it in for this week beta release.
Aug 9 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/205c3faca7f4c678fddf6e3811ec6fe9b0fd7031
commit 205c3faca7f4c678fddf6e3811ec6fe9b0fd7031
Author: Oliver Chang <ochang@google.com>
Date: Tue Aug 09 16:01:16 2016
Sep 8 2016
Congrats, $3,500 for this report. Cheers!
Nov 12 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by gogil@stealien.com, Jul 16 2016
typo mistake. `line 842` => `line 942`
File libopenjpeg20/tcd.c, line 942:
--------------------------------------------------------------------------------
689 OPJ_UINT32 l_nb_code_blocks_size;
...
942 l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
943
944 l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
945
946 if (! l_current_precinct->cblks.blocks) {
947 l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------