Starred by 2 users

Issue metadata

Status: Fixed
Owner: ----
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Issue 628890: Security: heap-buffer-overflow in opj_tcd_code_block_dec_allocate

Reported by gogil@stealien.com, Jul 16 2016

Issue description

VULNERABILITY DETAILS

A heap buffer overflow vulnerability is present in openjpeg.


File libopenjpeg20/tcd.c, line 842:
--------------------------------------------------------------------------------
689	OPJ_UINT32 l_nb_code_blocks_size;
	...
842		l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
843		
844		l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
845		
846		if (! l_current_precinct->cblks.blocks) {
847			l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------

In my testcase, I used an image with l_current_precinct->cw == 0x2000, l_current_precinct->ch == 0x2000 and sizeof_block == 0x40.

Therefore, 0x2000*0x2000*0x40 causes an integer overflow.

opj_malloc will allocate memory with size 0.




VERSION
latest pdfium_test
Ubuntu 16.04 x64



REPRODUCTION CASE
Attached as poc.pdf



FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
/pdfium/pdfium/out/asan$ ./pdfium_test ./poc.pdf
Rendering PDF file ./poc.pdf.
=================================================================
==4828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc90 at pc 0x000000702fa4 bp 0x7ffe108f38a0 sp 0x7ffe108f3898
READ of size 8 at 0x60200000dc90 thread T0
    #0 0x702fa3 in opj_tcd_code_block_dec_allocate ./out/asan/../../third_party/libopenjpeg20/tcd.c:1111
    #1 0x6fa487 in opj_tcd_init_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1024
    #2 0x6fa963 in opj_tcd_init_decode_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1056
    #3 0x64a3b5 in opj_j2k_read_tile_header ./out/asan/../../third_party/libopenjpeg20/j2k.c:8020
    #4 0x67c55d in opj_j2k_decode_tiles ./out/asan/../../third_party/libopenjpeg20/j2k.c:9582
    #5 0x64559d in opj_j2k_exec ./out/asan/../../third_party/libopenjpeg20/j2k.c:7290 (discriminator 1)
    #6 0x65868e in opj_j2k_decode ./out/asan/../../third_party/libopenjpeg20/j2k.c:9810
    #7 0x690b9e in opj_jp2_decode ./out/asan/../../third_party/libopenjpeg20/jp2.c:1488
    #8 0x6ad856 in opj_decode ./out/asan/../../third_party/libopenjpeg20/openjpeg.c:412
    #9 0x2986c7e in _ZN12CJPX_Decoder4InitEPKhj ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764
    #10 0x298a7c3 in _ZN16CCodec_JpxModule13CreateDecoderEPKhjP15CPDF_ColorSpace ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887 (discriminator 4)
    #11 0x2712799 in _ZN14CPDF_DIBSource13LoadJpxBitmapEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634 (discriminator 1)
    #12 0x2707709 in _ZN14CPDF_DIBSource13CreateDecoderEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593
    #13 0x270d492 in _ZN14CPDF_DIBSource18StartLoadDIBSourceEP13CPDF_DocumentPK11CPDF_StreamiP15CPDF_DictionaryS6_iji ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311
    #14 0x26e10b8 in _ZN20CPDF_ImageCacheEntry20StartGetCachedBitmapEP15CPDF_DictionaryS1_ijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282
    #15 0x26e0a94 in _ZN20CPDF_PageRenderCache20StartGetCachedBitmapEP11CPDF_StreamijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
    #16 0x27210e8 in _ZN22CPDF_ImageLoaderHandle5StartEP16CPDF_ImageLoaderPK16CPDF_ImageObjectP20CPDF_PageRenderCacheijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502 (discriminator 1)
    #17 0x27223ee in _ZN16CPDF_ImageLoader5StartEPK16CPDF_ImageObjectP20CPDF_PageRenderCachePNSt3__110unique_ptrI22CPDF_ImageLoaderHandleNS5_14default_deleteIS7_EEEEijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1565
    #18 0x26f1053 in _ZN18CPDF_ImageRenderer18StartLoadDIBSourceEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:360
    #19 0x26e8b40 in _ZN18CPDF_ImageRenderer5StartEP17CPDF_RenderStatusPK15CPDF_PageObjectPK10CFX_Matrixii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:507
    #20 0x26c3133 in _ZN17CPDF_RenderStatus20ContinueSingleObjectEPK15CPDF_PageObjectPK10CFX_MatrixP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297 (discriminator 1)
    #21 0x26cf72a in _ZN24CPDF_ProgressiveRenderer8ContinueEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057 (discriminator 1)
    #22 0x26cde4a in _ZN24CPDF_ProgressiveRenderer5StartEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018
    #23 0x247fe65 in _Z22FPDF_RenderPage_RetailP14CRenderContextPviiiiiiiP19IFSDK_PAUSE_Adapter ./out/asan/../../fpdfsdk/fpdfview.cpp:885
    #24 0x247ec70 in FPDF_RenderPageBitmap ./out/asan/../../fpdfsdk/fpdfview.cpp:621
    #25 0x50663b in _Z10RenderPageRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKPvSA_iRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:551
    #26 0x508f7c in _Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:735
    #27 0x50bd49 in main ./out/asan/../../samples/pdfium_test.cc:875 (discriminator 1)
    #28 0x7f29895c082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

0x60200000dc91 is located 0 bytes to the right of 1-byte region [0x60200000dc90,0x60200000dc91)
allocated by thread T0 here:
    #0 0x4c105c in __interceptor_malloc ??:?
    #1 0x6f9248 in opj_tcd_init_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:947
    #2 0x6fa963 in opj_tcd_init_decode_tile ./out/asan/../../third_party/libopenjpeg20/tcd.c:1056
    #3 0x64a3b5 in opj_j2k_read_tile_header ./out/asan/../../third_party/libopenjpeg20/j2k.c:8020
    #4 0x67c55d in opj_j2k_decode_tiles ./out/asan/../../third_party/libopenjpeg20/j2k.c:9582
    #5 0x64559d in opj_j2k_exec ./out/asan/../../third_party/libopenjpeg20/j2k.c:7290 (discriminator 1)
    #6 0x65868e in opj_j2k_decode ./out/asan/../../third_party/libopenjpeg20/j2k.c:9810
    #7 0x690b9e in opj_jp2_decode ./out/asan/../../third_party/libopenjpeg20/jp2.c:1488
    #8 0x6ad856 in opj_decode ./out/asan/../../third_party/libopenjpeg20/openjpeg.c:412
    #9 0x2986c7e in _ZN12CJPX_Decoder4InitEPKhj ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764
    #10 0x298a7c3 in _ZN16CCodec_JpxModule13CreateDecoderEPKhjP15CPDF_ColorSpace ./out/asan/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887 (discriminator 4)
    #11 0x2712799 in _ZN14CPDF_DIBSource13LoadJpxBitmapEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634 (discriminator 1)
    #12 0x2707709 in _ZN14CPDF_DIBSource13CreateDecoderEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593
    #13 0x270d492 in _ZN14CPDF_DIBSource18StartLoadDIBSourceEP13CPDF_DocumentPK11CPDF_StreamiP15CPDF_DictionaryS6_iji ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311
    #14 0x26e10b8 in _ZN20CPDF_ImageCacheEntry20StartGetCachedBitmapEP15CPDF_DictionaryS1_ijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282
    #15 0x26e0a94 in _ZN20CPDF_PageRenderCache20StartGetCachedBitmapEP11CPDF_StreamijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
    #16 0x27210e8 in _ZN22CPDF_ImageLoaderHandle5StartEP16CPDF_ImageLoaderPK16CPDF_ImageObjectP20CPDF_PageRenderCacheijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502 (discriminator 1)
    #17 0x27223ee in _ZN16CPDF_ImageLoader5StartEPK16CPDF_ImageObjectP20CPDF_PageRenderCachePNSt3__110unique_ptrI22CPDF_ImageLoaderHandleNS5_14default_deleteIS7_EEEEijiP17CPDF_RenderStatusii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1565
    #18 0x26f1053 in _ZN18CPDF_ImageRenderer18StartLoadDIBSourceEv ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:360
    #19 0x26e8b40 in _ZN18CPDF_ImageRenderer5StartEP17CPDF_RenderStatusPK15CPDF_PageObjectPK10CFX_Matrixii ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:507
    #20 0x26c3133 in _ZN17CPDF_RenderStatus20ContinueSingleObjectEPK15CPDF_PageObjectPK10CFX_MatrixP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297 (discriminator 1)
    #21 0x26cf72a in _ZN24CPDF_ProgressiveRenderer8ContinueEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057 (discriminator 1)
    #22 0x26cde4a in _ZN24CPDF_ProgressiveRenderer5StartEP9IFX_Pause ./out/asan/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018
    #23 0x247fe65 in _Z22FPDF_RenderPage_RetailP14CRenderContextPviiiiiiiP19IFSDK_PAUSE_Adapter ./out/asan/../../fpdfsdk/fpdfview.cpp:885
    #24 0x247ec70 in FPDF_RenderPageBitmap ./out/asan/../../fpdfsdk/fpdfview.cpp:621
    #25 0x50663b in _Z10RenderPageRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERKPvSA_iRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:551
    #26 0x508f7c in _Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_ ./out/asan/../../samples/pdfium_test.cc:735
    #27 0x50bd49 in main ./out/asan/../../samples/pdfium_test.cc:875 (discriminator 1)
    #28 0x7f29895c082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (/dd/pdfium/pdfium/out/asan/pdfium_test+0x702fa3)
Shadow bytes around the buggy address:
  0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b90: fa fa[01]fa fa fa 00 fa fa fa 00 04 fa fa 03 fa
  0x0c047fff9ba0: fa fa 03 fa fa fa 00 04 fa fa 00 04 fa fa 00 00
  0x0c047fff9bb0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9bc0: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 04 fa
  0x0c047fff9bd0: fa fa 04 fa fa fa fd fa fa fa 01 fa fa fa 00 fa
  0x0c047fff9be0: fa fa 00 00 fa fa 00 00 fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4828==ABORTING
 
poc.pdf
2.3 KB Download
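The report's arithmetic, worked through as an added example (this is not OpenJPEG or PDFium code, and the values are constructed to match the report): OPJ_UINT32 is modelled as uint32_t, so 0x2000 * 0x2000 * 0x40 == 2^32 wraps to 0 and reaches malloc as a zero-byte request. The block shows the unchecked product beside the division-form guard used in the fix suggestion further down this thread, and validates the guard against an exact 64-bit computation over several sample triples, including the zero and UINT32_MAX corner cases.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenJPEG code. OPJ_UINT32 is 32 bits wide, so every
 * product below is computed modulo 2^32 unless it is guarded first. */
typedef uint32_t OPJ_UINT32;

/* The unchecked arithmetic as written at tcd.c lines 942-944 of the report. */
OPJ_UINT32 unchecked_alloc_size(OPJ_UINT32 cw, OPJ_UINT32 ch,
                                OPJ_UINT32 sizeof_block)
{
    OPJ_UINT32 l_nb_code_blocks = cw * ch;      /* may wrap */
    return l_nb_code_blocks * sizeof_block;     /* may wrap */
}

/* Division-form overflow test, the same shape as the suggested fix:
 * for 32-bit unsigned a and b, a * b wraps exactly when
 * a != 0 && UINT32_MAX / a < b. Returns true when either product wraps. */
bool would_wrap(OPJ_UINT32 cw, OPJ_UINT32 ch, OPJ_UINT32 sizeof_block)
{
    if (cw != 0 && UINT32_MAX / cw < ch)
        return true;                            /* cw * ch wraps */
    OPJ_UINT32 l_nb_code_blocks = cw * ch;
    if (sizeof_block != 0 && UINT32_MAX / sizeof_block < l_nb_code_blocks)
        return true;                            /* blocks * size wraps */
    return false;
}

/* Guarded size: -1 on overflow, otherwise the exact byte count (0..UINT32_MAX).
 * A zero cw or ch legitimately yields 0; the caller must treat that as an
 * empty precinct rather than index into whatever malloc(0) returns. */
int64_t checked_alloc_size(OPJ_UINT32 cw, OPJ_UINT32 ch, OPJ_UINT32 sizeof_block)
{
    if (would_wrap(cw, ch, sizeof_block))
        return -1;
    return (int64_t)(cw * ch * sizeof_block);
}

/* Independent oracle: compute the exact product in 64 bits and ask whether
 * it fits in OPJ_UINT32. Used only to validate would_wrap(). */
bool fits_in_u32(OPJ_UINT32 cw, OPJ_UINT32 ch, OPJ_UINT32 sizeof_block)
{
    uint64_t exact = (uint64_t)cw * (uint64_t)ch;
    if (exact > UINT32_MAX)
        return false;
    exact *= sizeof_block;
    return exact <= UINT32_MAX;
}

/* Constructed sample triples (cw, ch, sizeof_block); the first is the report's. */
static const OPJ_UINT32 samples[][3] = {
    { 0x2000, 0x2000, 0x40 },      /* 2^32: wraps to 0 */
    { 0x10, 0x10, 0x40 },          /* 0x4000: fine */
    { 0, 0x2000, 0x40 },           /* zero blocks: size 0, no wrap */
    { 0xFFFFFFFFu, 1, 0x40 },      /* first product fine, second wraps */
    { 0xFFFF, 0xFFFF, 1 },         /* 0xFFFE0001: largest comfortable case */
    { 0x10000, 0x10000, 1 },       /* 2^32 in the first product */
    { 1, 1, 0 },                   /* zero-sized element: size 0, no wrap */
};

/* Returns true when the guard agrees with the 64-bit oracle on every sample. */
bool guard_agrees_on_samples(void)
{
    size_t n = sizeof(samples) / sizeof(samples[0]);
    for (size_t i = 0; i < n; i++) {
        OPJ_UINT32 cw = samples[i][0], ch = samples[i][1], sb = samples[i][2];
        if (would_wrap(cw, ch, sb) != !fits_in_u32(cw, ch, sb))
            return false;
    }
    return true;
}

int main(void)
{
    OPJ_UINT32 cw = 0x2000, ch = 0x2000, sizeof_block = 0x40;
    printf("unchecked size for report's values: %u\n",
           unchecked_alloc_size(cw, ch, sizeof_block));
    printf("checked size: %lld (negative means rejected)\n",
           (long long)checked_alloc_size(cw, ch, sizeof_block));
    printf("guard agrees with 64-bit oracle on all samples: %s\n",
           guard_agrees_on_samples() ? "yes" : "no");
    return 0;
}
```

The cw != 0 and sizeof_block != 0 short-circuits exist only to avoid dividing by zero; they let a genuinely zero-sized request through, which is why a checked size of 0 is returned as a distinct outcome from overflow rather than folded into the rejection path.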

Comment 1 by gogil@stealien.com, Jul 16 2016

typo mistake.
`line 842` => `line 942`


File libopenjpeg20/tcd.c, line 942:
--------------------------------------------------------------------------------
689	OPJ_UINT32 l_nb_code_blocks_size;
	...
942		l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
943		
944		l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;
945		
946		if (! l_current_precinct->cblks.blocks) {
947			l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------

Comment 2 by ta...@google.com, Jul 18 2016

Thank you gogil. I'm confirming this bug with clusterfuzz (https://cluster-fuzz.appspot.com/testcase?key=6379260017377280)

Comment 3 by ClusterFuzz, Jul 18 2016

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4658093640384512

Comment 4 by ta...@google.com, Jul 18 2016

Cc: och...@chromium.org
Components: Infra>Client>Pdfium
Labels: Security_Severity-High Security_Impact-Stable OS-All
Owner: hong_zh...@foxitsoftware.com
Status: Assigned (was: Unconfirmed)
I can confirm the heap-buffer-overflow crash on ubuntu. hong_zhang@, this looks related to 628304. Can you take a look? Thanks!

Comment 5 by mbarbe...@chromium.org, Jul 18 2016

Components: -Infra>Client>Pdfium Internals>Plugins>PDF

Comment 6 by gogil@stealien.com, Jul 19 2016

* Fix Suggestion
I refer to #625541

File libopenjpeg20/tcd.c, line 939:
--------------------------------------------------------------------------------
		l_current_precinct->cw = (OPJ_UINT32)((brcblkxend - tlcblkxstart) >> cblkwidthexpn);
		l_current_precinct->ch = (OPJ_UINT32)((brcblkyend - tlcblkystart) >> cblkheightexpn);

+		if (l_current_precinct->cw && ((OPJ_UINT32)-1) / l_current_precinct->cw < l_current_precinct->ch) {
+			return OPJ_FALSE;
+		}
		l_nb_code_blocks = l_current_precinct->cw * l_current_precinct->ch;
		/*fprintf(stderr, "\t\t\t\t precinct_cw = %d x recinct_ch = %d\n",l_current_precinct->cw, l_current_precinct->ch);      */

+		if (((OPJ_UINT32)-1) / (OPJ_UINT32)sizeof_block < l_nb_code_blocks) {
+			return OPJ_FALSE;
+		}
		l_nb_code_blocks_size = l_nb_code_blocks * (OPJ_UINT32)sizeof_block;

		if (! l_current_precinct->cblks.blocks) {
			l_current_precinct->cblks.blocks = opj_malloc(l_nb_code_blocks_size);
--------------------------------------------------------------------------------
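Review bot: Both division guards are the correct overflow test for OPJ_UINT32 (a * b wraps exactly when a != 0 and UINT32_MAX / a < b) and would reject the 0x2000 * 0x2000 * 0x40 case from the report before opj_malloc sees a wrapped size; the one thing to tighten is that the first guard short-circuits on `l_current_precinct->cw &&` to avoid a division by zero while the second divides by `(OPJ_UINT32)sizeof_block` unconditionally, which is only safe if sizeof_block is a sizeof value as its name suggests, so a comment saying so would help the next reader. Both early exits also `return OPJ_FALSE;` silently, leaving the caller unable to tell a rejected codestream from an allocation failure; suggest emitting an error message before each return.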

Comment 7 by sheriffbot@chromium.org, Jul 19 2016

Project Member
Labels: M-51

Comment 8 by sheriffbot@chromium.org, Jul 19 2016

Project Member
Labels: Pri-1

Comment 9 by sheriffbot@chromium.org, Jul 21 2016

Project Member
Labels: -M-51 M-52

Comment 10 by sheriffbot@chromium.org, Jul 31 2016

Project Member
hong_zhang: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by thestig@chromium.org, Aug 4 2016

Thanks for the patch! I'll let ochang@ take care of it.

Comment 14 by thestig@chromium.org, Aug 5 2016

Cc: tsepez@chromium.org hong_zh...@foxitsoftware.com awhalley@chromium.org
Owner: ----
Status: Fixed (was: Assigned)
Do we actually want to merge back to M53? M52?

Comment 15 by sheriffbot@chromium.org, Aug 6 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by sheriffbot@chromium.org, Aug 8 2016

Project Member
Labels: Merge-Request-53

Comment 17 by dimu@chromium.org, Aug 8 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Comment 18 by gov...@chromium.org, Aug 8 2016

+awhalley@, is this good to take in for this week M53 Beta release?

Comment 19 by awhalley@chromium.org, Aug 9 2016

Yep, good for M53, along with the other bugs that have a PDFium roll: 624514, 628304, 628890

Comment 20 by gov...@chromium.org, Aug 9 2016

Labels: -Merge-Review-53 Merge-Approved-53
Approving merge to M53 branch 2785 based on comment #19. Please merge ASAP (latest by tomorrow, Tuesday 3:00 PM PT) so we can take it in for this week beta release.

Comment 21 by awhalley@chromium.org, Aug 9 2016

Labels: -Merge-Approved-53 merge-merged-2785
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/205c3faca7f4c678fddf6e3811ec6fe9b0fd7031

commit 205c3faca7f4c678fddf6e3811ec6fe9b0fd7031
Author: Oliver Chang <ochang@google.com>
Date: Tue Aug 09 16:01:16 2016

Comment 22 by awhalley@chromium.org, Aug 24 2016

Labels: reward-topanel

Comment 23 by awhalley@chromium.org, Aug 30 2016

Labels: -M-52 M-53 Release-0-M53

Comment 24 by awhalley@chromium.org, Sep 8 2016

Labels: -reward-topanel reward-unpaid reward-undefined

Comment 25 by awhalley@chromium.org, Sep 8 2016

Labels: -reward-undefined reward-3500

Comment 26 by awhalley@chromium.org, Sep 8 2016

Congrats, $3,500 for this report.  Cheers!

Comment 27 by awhalley@chromium.org, Sep 14 2016

Labels: CVE-2016-5158

Comment 28 by awhalley@chromium.org, Sep 23 2016

Labels: -reward-unpaid reward-inprocess

Comment 29 by awhalley@chromium.org, Oct 28 2016

Labels: -reward-inprocess reward-unpaid

Comment 30 by awhalley@chromium.org, Oct 28 2016

Labels: -reward-unpaid reward-inprocess

Comment 31 by sheriffbot@chromium.org, Nov 12 2016

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
