Security: PDFium Heap Buffer Overflow in opj_dwt_decode Function
Reported by stackexp...@gmail.com, Aug 1 2016
Issue description

VULNERABILITY DETAILS
Title: PDFium Heap Buffer Overflow (Out-Of-Bounds Write) in opj_dwt_decode Function.
This vulnerability was caused by the malformed JPEG2000 image file.
This vulnerability was tested on https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-408781.zip?generation=1469844064141000&alt=media

----------------------------- AddressSanitizer Information -----------------------------
==22840==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0ec01398 at pc 0x0166009c bp 0xdeadbeef sp 0x001cc0d0
WRITE of size 4 at 0x0ec01398 thread T0
    #0 0x166009b in opj_dwt_decode+0xefb (D:\asan-win32-release-408781\pdfium_test.exe+0x99009b)
    #1 0x1656507 in opj_tcd_decode_tile+0x3e7 (D:\asan-win32-release-408781\pdfium_test.exe+0x986507)
    #2 0x161cd4e in opj_j2k_decode_tile+0x1ae (D:\asan-win32-release-408781\pdfium_test.exe+0x94cd4e)
    #3 0x1635600 in opj_j2k_write_tile+0xddd0 (D:\asan-win32-release-408781\pdfium_test.exe+0x965600)
    #4 0x1621df0 in opj_j2k_decode+0xe0 (D:\asan-win32-release-408781\pdfium_test.exe+0x951df0)
    #5 0x163eb8a in opj_jp2_decode+0x3a (D:\asan-win32-release-408781\pdfium_test.exe+0x96eb8a)
    #6 0x160d0ad in opj_decode+0x5d (D:\asan-win32-release-408781\pdfium_test.exe+0x93d0ad)
    #7 0x14bb080 in CJPX_Decoder::Init+0x610 (D:\asan-win32-release-408781\pdfium_test.exe+0x7eb080)
    #8 0x14bd36f in CCodec_JpxModule::CreateDecoder+0x9f (D:\asan-win32-release-408781\pdfium_test.exe+0x7ed36f)
    #9 0x13f82db in CPDF_DIBSource::LoadJpxBitmap+0x12b (D:\asan-win32-release-408781\pdfium_test.exe+0x7282db)
    #10 0x13f0edb in CPDF_DIBSource::CreateDecoder+0x3ab (D:\asan-win32-release-408781\pdfium_test.exe+0x720edb)
    #11 0x13f4d02 in CPDF_DIBSource::StartLoadDIBSource+0x492 (D:\asan-win32-release-408781\pdfium_test.exe+0x724d02)
    #12 0x136b7d0 in CPDF_ImageCacheEntry::StartGetCachedBitmap+0x120 (D:\asan-win32-release-408781\pdfium_test.exe+0x69b7d0)
    #13 0x136b1aa in CPDF_PageRenderCache::StartGetCachedBitmap+0x44a (D:\asan-win32-release-408781\pdfium_test.exe+0x69b1aa)
    #14 0x13ffa91 in CPDF_ImageLoaderHandle::Start+0x101 (D:\asan-win32-release-408781\pdfium_test.exe+0x72fa91)
    #15 0x1400843 in CPDF_ImageLoader::Start+0x133 (D:\asan-win32-release-408781\pdfium_test.exe+0x730843)
    #16 0x1394aaa in CPDF_ImageRenderer::StartLoadDIBSource+0x22a (D:\asan-win32-release-408781\pdfium_test.exe+0x6c4aaa)
    #17 0x1390a20 in CPDF_ImageRenderer::Start+0x170 (D:\asan-win32-release-408781\pdfium_test.exe+0x6c0a20)
    #18 0x12ee90c in CPDF_RenderStatus::ContinueSingleObject+0x28c (D:\asan-win32-release-408781\pdfium_test.exe+0x61e90c)
    #19 0x12f89be in CPDF_ProgressiveRenderer::Continue+0xbce (D:\asan-win32-release-408781\pdfium_test.exe+0x6289be)
    #20 0x1107a14 in FPDF_RenderPage_Retail+0x6b4 (D:\asan-win32-release-408781\pdfium_test.exe+0x437a14)
    #21 0x11080f6 in FPDF_RenderPageBitmap+0xe6 (D:\asan-win32-release-408781\pdfium_test.exe+0x4380f6)
    #22 0x10d797e in RenderPage+0x78e (D:\asan-win32-release-408781\pdfium_test.exe+0x40797e)
    #23 0x10da000 in RenderPdf+0x450 (D:\asan-win32-release-408781\pdfium_test.exe+0x40a000)
    #24 0x10db53b in main+0xf9b (D:\asan-win32-release-408781\pdfium_test.exe+0x40b53b)
    #25 0x40d0e4a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
    #26 0x75cc3389 in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
    #27 0x778f9a01 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9a01)
    #28 0x778f99d4 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea99d4)

0x0ec01398 is located 1 bytes to the right of 1047-byte region [0x0ec00f80,0x0ec01397)
allocated by thread T0 here:
    #0 0x40b8cc8 in malloc+0xb8 (D:\asan-win32-release-408781\pdfium_test.exe+0x33e8cc8)
    #1 0x40e985f in _aligned_offset_malloc_base d:\th\minkernel\crts\ucrt\src\appcrt\heap\align.cpp:113
    #2 0x40e9806 in _aligned_malloc_base d:\th\minkernel\crts\ucrt\src\appcrt\heap\align.cpp:66
    #3 0x165f420 in opj_dwt_decode+0x280 (D:\asan-win32-release-408781\pdfium_test.exe+0x98f420)
    #4 0x1656507 in opj_tcd_decode_tile+0x3e7 (D:\asan-win32-release-408781\pdfium_test.exe+0x986507)
    #5 0x161cd4e in opj_j2k_decode_tile+0x1ae (D:\asan-win32-release-408781\pdfium_test.exe+0x94cd4e)
    #6 0x1635600 in opj_j2k_write_tile+0xddd0 (D:\asan-win32-release-408781\pdfium_test.exe+0x965600)
    #7 0x1621df0 in opj_j2k_decode+0xe0 (D:\asan-win32-release-408781\pdfium_test.exe+0x951df0)
    #8 0x163eb8a in opj_jp2_decode+0x3a (D:\asan-win32-release-408781\pdfium_test.exe+0x96eb8a)
    #9 0x160d0ad in opj_decode+0x5d (D:\asan-win32-release-408781\pdfium_test.exe+0x93d0ad)
    #10 0x14bb080 in CJPX_Decoder::Init+0x610 (D:\asan-win32-release-408781\pdfium_test.exe+0x7eb080)
    #11 0x14bd36f in CCodec_JpxModule::CreateDecoder+0x9f (D:\asan-win32-release-408781\pdfium_test.exe+0x7ed36f)
    #12 0x13f82db in CPDF_DIBSource::LoadJpxBitmap+0x12b (D:\asan-win32-release-408781\pdfium_test.exe+0x7282db)
    #13 0x13f0edb in CPDF_DIBSource::CreateDecoder+0x3ab (D:\asan-win32-release-408781\pdfium_test.exe+0x720edb)
    #14 0x13f4d02 in CPDF_DIBSource::StartLoadDIBSource+0x492 (D:\asan-win32-release-408781\pdfium_test.exe+0x724d02)
    #15 0x136b7d0 in CPDF_ImageCacheEntry::StartGetCachedBitmap+0x120 (D:\asan-win32-release-408781\pdfium_test.exe+0x69b7d0)
    #16 0x136b1aa in CPDF_PageRenderCache::StartGetCachedBitmap+0x44a (D:\asan-win32-release-408781\pdfium_test.exe+0x69b1aa)
    #17 0x13ffa91 in CPDF_ImageLoaderHandle::Start+0x101 (D:\asan-win32-release-408781\pdfium_test.exe+0x72fa91)
    #18 0x1400843 in CPDF_ImageLoader::Start+0x133 (D:\asan-win32-release-408781\pdfium_test.exe+0x730843)
    #19 0x1394aaa in CPDF_ImageRenderer::StartLoadDIBSource+0x22a (D:\asan-win32-release-408781\pdfium_test.exe+0x6c4aaa)
    #20 0x1390a20 in CPDF_ImageRenderer::Start+0x170 (D:\asan-win32-release-408781\pdfium_test.exe+0x6c0a20)
    #21 0x12ee90c in CPDF_RenderStatus::ContinueSingleObject+0x28c (D:\asan-win32-release-408781\pdfium_test.exe+0x61e90c)
    #22 0x12f89be in CPDF_ProgressiveRenderer::Continue+0xbce (D:\asan-win32-release-408781\pdfium_test.exe+0x6289be)
    #23 0x1107a14 in FPDF_RenderPage_Retail+0x6b4 (D:\asan-win32-release-408781\pdfium_test.exe+0x437a14)
    #24 0x11080f6 in FPDF_RenderPageBitmap+0xe6 (D:\asan-win32-release-408781\pdfium_test.exe+0x4380f6)
    #25 0x10d797e in RenderPage+0x78e (D:\asan-win32-release-408781\pdfium_test.exe+0x40797e)
    #26 0x10da000 in RenderPdf+0x450 (D:\asan-win32-release-408781\pdfium_test.exe+0x40a000)
    #27 0x10db53b in main+0xf9b (D:\asan-win32-release-408781\pdfium_test.exe+0x40b53b)
    #28 0x40d0e4a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
    #29 0x75cc3389 in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd73389)

SUMMARY: AddressSanitizer: heap-buffer-overflow (D:\asan-win32-release-408781\pdfium_test.exe+0x99009b) in opj_dwt_decode+0xefb
==22840==ABORTING

----------------------------- WinDbg Exception Information -----------------------------
(2bb0.130c): Break instruction exception - code 80000003 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=56d78598 edx=00000000 esi=00000000 edi=00000000
eip=56d4ba58 esp=003dc710 ebp=003dc72c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
verifier!VerifierStopMessage+0x1f8:
56d4ba58 cc              int     3
0:000> k
ChildEBP RetAddr
003dc72c 56d49ee0 verifier!VerifierStopMessage+0x1f8
003dc790 56d46f11 verifier!AVrfpDphReportCorruptedBlock+0x2b0
003dc7a4 56d619ec verifier!AVrfpDphFindBusyMemoryNoCheck+0x141
003dc7b8 56d6174e verifier!_EH4_CallFilterFunc+0x12
003dc7e0 7791b81d verifier!_except_handler4+0x8e
003dc804 7791b7ef ntdll!ExecuteHandler2+0x26
003dc828 7791b790 ntdll!ExecuteHandler+0x24
003dc8b4 778d0163 ntdll!RtlDispatchException+0x127
003dc8b4 56d46e88 ntdll!KiUserExceptionDispatcher+0xf
003dcdcc 56d46f95 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
003dcdf0 56d47240 verifier!AVrfpDphFindBusyMemory+0x15
003dce0c 56d49080 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
003dce28 7799251c verifier!AVrfDebugPageHeapFree+0x90
003dce70 7794b2a2 ntdll!RtlDebugFreeHeap+0x2f
003dcf64 778f2ce5 ntdll!RtlpFreeHeap+0x5d
003dcf84 75cc14bd ntdll!RtlFreeHeap+0x142
*** WARNING: Unable to verify checksum for E:\PDFiumDev\repo\pdfium\build\Release\pdfium_test.exe
003dcf98 01439aec kernel32!HeapFree+0x14
003dcfac 0143517c pdfium_test!_free_base+0x1c [d:\th\minkernel\crts\ucrt\src\appcrt\heap\free_base.cpp @ 107]
003dcfb8 013142a4 pdfium_test!_aligned_free_base+0x17 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\align.cpp @ 474]
003dd014 01313a93 pdfium_test!opj_dwt_decode_tile+0x254 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\dwt.c @ 620]
003dd028 013127d6 pdfium_test!opj_dwt_decode+0x13 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\dwt.c @ 482]
003dd048 01312722 pdfium_test!opj_tcd_dwt_decode+0x46 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\tcd.c @ 1652]
003dd05c 0130b5a7 pdfium_test!opj_tcd_decode_tile+0x82 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\tcd.c @ 1336]
003dd08c 0130b7bd pdfium_test!opj_j2k_decode_tile+0x67 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\j2k.c @ 8073]
003dd0e0 013101b6 pdfium_test!opj_j2k_decode_tiles+0xcd [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\j2k.c @ 9614]
003dd100 0130b220 pdfium_test!opj_jp2_exec+0x36 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\jp2.c @ 2247]
003dd138 0130feb4 pdfium_test!opj_j2k_decode+0x50 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\j2k.c @ 9814]
003dd15c 01307b17 pdfium_test!opj_jp2_decode+0x24 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\jp2.c @ 1488]
003dd174 012ccf3f pdfium_test!opj_decode+0x27 [e:\pdfiumdev\repo\pdfium\third_party\libopenjpeg20\openjpeg.c @ 412]
003df1dc 012cc900 pdfium_test!CJPX_Decoder::Init+0x17f [e:\pdfiumdev\repo\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 764]
003df1f0 012b82c7 pdfium_test!CCodec_JpxModule::CreateDecoder+0x40 [e:\pdfiumdev\repo\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 887]
003df234 012b69f2 pdfium_test!CPDF_DIBSource::LoadJpxBitmap+0x67 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 627]
003df264 012b8f15 pdfium_test!CPDF_DIBSource::CreateDecoder+0x242 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 587]
003df288 01294737 pdfium_test!CPDF_DIBSource::StartLoadDIBSource+0x175 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 306]
003df2b4 0129483f pdfium_test!CPDF_ImageCacheEntry::StartGetCachedBitmap+0x67 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 284]
003df2e8 012b8d04 pdfium_test!CPDF_PageRenderCache::StartGetCachedBitmap+0xcf [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 131]
003df318 012b8caf pdfium_test!CPDF_ImageLoaderHandle::Start+0x44 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1495]
003df34c 01299df0 pdfium_test!CPDF_ImageLoader::Start+0x6f [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1557]
003df3a4 01299866 pdfium_test!CPDF_ImageRenderer::StartLoadDIBSource+0x70 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 375]
003df3b4 0127df03 pdfium_test!CPDF_ImageRenderer::Start+0x76 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 522]
003df3dc 0127dd14 pdfium_test!CPDF_RenderStatus::ContinueSingleObject+0xc3 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 297]
003df430 0124a49d pdfium_test!CPDF_ProgressiveRenderer::Continue+0x294 [e:\pdfiumdev\repo\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 1053]
003df46c 0124ad14 pdfium_test!FPDF_RenderPage_Retail+0x27d [e:\pdfiumdev\repo\pdfium\fpdfsdk\fpdfview.cpp @ 905]
003df4a8 01243149 pdfium_test!FPDF_RenderPageBitmap+0xa4 [e:\pdfiumdev\repo\pdfium\fpdfsdk\fpdfview.cpp @ 642]
003df5c8 01243598 pdfium_test!RenderPage+0x1b9 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 553]
003df6a4 012496ff pdfium_test!RenderPdf+0x2b8 [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 735]
003df7cc 0141e9b0 pdfium_test!main+0x3af [e:\pdfiumdev\repo\pdfium\samples\pdfium_test.cc @ 876]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
003df818 75cc338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
003df824 778f9a02 kernel32!BaseThreadInitThunk+0xe
003df864 778f99d5 ntdll!__RtlUserThreadStart+0x70
003df87c 00000000 ntdll!_RtlUserThreadStart+0x1b

VERSION
Chrome Version: asan-win32-release-408781.zip 59e7b40948030815a49af887b922b370ba048b8b (Build time: 2016-07-30 02:01:04, URL: https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-408781.zip?generation=1469844064141000&alt=media)
Operating System: Windows 7 SP1

REPRODUCTION CASE
See attachment.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Comment 1 by stackexp...@gmail.com, Aug 1 2016
AddressSanitizer with symbol information.
=================================================================
==22410==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000917c at pc 0x000000d77677 bp 0x7ffd46b60290 sp 0x7ffd46b60288
WRITE of size 4 at 0x61900000917c thread T0
#0 0xd77676 in opj_dwt_interleave_v pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:273:11
#1 0xd6e9cf in opj_dwt_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:613:4
#2 0xd6dc24 in opj_dwt_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:482:9
#3 0xd6268e in opj_tcd_dwt_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/tcd.c:1637:31
#4 0xd61f1d in opj_tcd_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/tcd.c:1324:20
#5 0xcd7199 in opj_j2k_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:8069:15
#6 0xd0521d in opj_j2k_decode_tiles pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:9610:23
#7 0xccdbb1 in opj_j2k_exec pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:7290:41
#8 0xce0dee in opj_j2k_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:9810:15
#9 0xd1972e in opj_jp2_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/jp2.c:1488:8
#10 0xcbcc66 in opj_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/openjpeg.c:412:10
#11 0xaff3ae in CJPX_Decoder::Init(unsigned char const*, unsigned int) pdfium_src/out/Debug/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764:11
#12 0xb02fe0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, CPDF_ColorSpace*) pdfium_src/out/Debug/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887:19
#13 0x93c77e in CPDF_DIBSource::LoadJpxBitmap() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634:36
#14 0x932fbf in CPDF_DIBSource::CreateDecoder() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593:5
#15 0x9382a9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311:13
#16 0x90e2b8 in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282:13
#17 0x90dcb8 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:36
#18 0x94aac8 in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502:19
#19 0x94bc99 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1563:22
#20 0x920391 in CPDF_ImageRenderer::StartLoadDIBSource() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:363:16
#21 0x919990 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:508:7
#22 0x8e8ad5 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297:28
#23 0x8f317a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057:30
#24 0x8f225a in CPDF_ProgressiveRenderer::Start(IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018:3
#25 0x51ccb7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) pdfium_src/out/Debug/../../fpdfsdk/fpdfview.cpp:885:26
#26 0x51b8c6 in FPDF_RenderPageBitmap pdfium_src/out/Debug/../../fpdfsdk/fpdfview.cpp:621:3
#27 0x4ef287 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&, std::string const&) pdfium_src/out/Debug/../../samples/pdfium_test.cc:552:5
#28 0x4f1178 in RenderPdf(std::string const&, char const*, unsigned long, Options const&, std::string const&) pdfium_src/out/Debug/../../samples/pdfium_test.cc:736:9
#29 0x4f1f8a in main pdfium_src/out/Debug/../../samples/pdfium_test.cc:878:5
#30 0x7fe9f10b9f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#31 0x41cdf5 in _start (pdfium_src/out/Debug/pdfium_test+0x41cdf5)
0x61900000917c is located 4 bytes to the left of 1028-byte region [0x619000009180,0x619000009584)
allocated by thread T0 here:
#0 0x4bad6c in __interceptor_malloc (pdfium_src/out/Debug/pdfium_test+0x4bad6c)
#1 0xd6e0e6 in opj_dwt_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:579:22
#2 0xd6dc24 in opj_dwt_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:482:9
#3 0xd6268e in opj_tcd_dwt_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/tcd.c:1637:31
#4 0xd61f1d in opj_tcd_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/tcd.c:1324:20
#5 0xcd7199 in opj_j2k_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:8069:15
#6 0xd0521d in opj_j2k_decode_tiles pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:9610:23
#7 0xccdbb1 in opj_j2k_exec pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:7290:41
#8 0xce0dee in opj_j2k_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/j2k.c:9810:15
#9 0xd1972e in opj_jp2_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/jp2.c:1488:8
#10 0xcbcc66 in opj_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/openjpeg.c:412:10
#11 0xaff3ae in CJPX_Decoder::Init(unsigned char const*, unsigned int) pdfium_src/out/Debug/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764:11
#12 0xb02fe0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, CPDF_ColorSpace*) pdfium_src/out/Debug/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:887:19
#13 0x93c77e in CPDF_DIBSource::LoadJpxBitmap() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:634:36
#14 0x932fbf in CPDF_DIBSource::CreateDecoder() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:593:5
#15 0x9382a9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:311:13
#16 0x90e2b8 in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:282:13
#17 0x90dcb8 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:36
#18 0x94aac8 in CPDF_ImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502:19
#19 0x94bc99 in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, CPDF_ImageLoaderHandle*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1563:22
#20 0x920391 in CPDF_ImageRenderer::StartLoadDIBSource() pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:363:16
#21 0x919990 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:508:7
#22 0x8e8ad5 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:297:28
#23 0x8f317a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1057:30
#24 0x8f225a in CPDF_ProgressiveRenderer::Start(IFX_Pause*) pdfium_src/out/Debug/../../core/fpdfapi/fpdf_render/fpdf_render.cpp:1018:3
#25 0x51ccb7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) pdfium_src/out/Debug/../../fpdfsdk/fpdfview.cpp:885:26
#26 0x51b8c6 in FPDF_RenderPageBitmap pdfium_src/out/Debug/../../fpdfsdk/fpdfview.cpp:621:3
#27 0x4ef287 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&, std::string const&) pdfium_src/out/Debug/../../samples/pdfium_test.cc:552:5
#28 0x4f1178 in RenderPdf(std::string const&, char const*, unsigned long, Options const&, std::string const&) pdfium_src/out/Debug/../../samples/pdfium_test.cc:736:9
#29 0x4f1f8a in main pdfium_src/out/Debug/../../samples/pdfium_test.cc:878:5
SUMMARY: AddressSanitizer: heap-buffer-overflow pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:273:11 in opj_dwt_interleave_v
==22410==ABORTING
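As an added example (not code from the report, from PDFium or from ClusterFuzz), the following Python triage helper parses an ASan report of the shape quoted above into its crash kind, faulting stack, allocation stack and region line, derives a ClusterFuzz-style crash state from the top frames, and re-derives the faulting address from the region line as a consistency check. The embedded sample is an abridged copy of the Linux trace in this comment; the three-frame depth and the list of sanitizer-runtime frame prefixes are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the header, faulting stack, region line and allocation stack of the
# Linux ASan run quoted in this report, abridged to the frames the parser needs.
SAMPLE_REPORT = """\
==22410==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000917c at pc 0x000000d77677 bp 0x7ffd46b60290 sp 0x7ffd46b60288
WRITE of size 4 at 0x61900000917c thread T0
    #0 0xd77676 in opj_dwt_interleave_v pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:273:11
    #1 0xd6e9cf in opj_dwt_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:613:4
    #2 0xd6dc24 in opj_dwt_decode pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:482:9
    #11 0xaff3ae in CJPX_Decoder::Init(unsigned char const*, unsigned int) pdfium_src/out/Debug/../../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764:11
0x61900000917c is located 4 bytes to the left of 1028-byte region [0x619000009180,0x619000009584)
allocated by thread T0 here:
    #0 0x4bad6c in __interceptor_malloc (pdfium_src/out/Debug/pdfium_test+0x4bad6c)
    #1 0xd6e0e6 in opj_dwt_decode_tile pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:579:22
SUMMARY: AddressSanitizer: heap-buffer-overflow pdfium_src/out/Debug/../../third_party/libopenjpeg20/dwt.c:273:11 in opj_dwt_interleave_v
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<rest>.+)$")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes? to the (?P<side>left|right) of "
                       r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
SANITIZER_FRAMES = ("__interceptor_", "__asan_", "__sanitizer_")  # assumed runtime prefixes, not the bug

@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    op: str = ""
    size: int = 0
    access_stack: list = field(default_factory=list)  # (func, location) of the faulting access
    alloc_stack: list = field(default_factory=list)   # (func, location) of the region's allocation
    region: dict = None                                # dist, side, size, lo, hi

def _parse_frame(rest: str) -> tuple:
    # "func(args) location" or "func location": the location is always the last token,
    # and a C++ argument list is dropped so frames compare by symbol name only.
    sym, _, loc = rest.rpartition(" ")
    return sym.split("(")[0], loc

def parse_asan_report(text: str) -> AsanReport:
    rep, current = AsanReport(), None
    for line in text.splitlines():
        if line.startswith("SUMMARY:"):
            break
        if m := HEADER_RE.search(line):
            rep.kind, rep.address = m["kind"], int(m["addr"], 16)
            current = rep.access_stack   # frames that follow describe the faulting access
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            rep.region = {"dist": int(m["dist"]), "side": m["side"], "size": int(m["size"]),
                          "lo": int(m["lo"], 16), "hi": int(m["hi"], 16)}
        elif line.startswith("allocated by"):
            current = rep.alloc_stack    # frames that follow show where the region was allocated
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(_parse_frame(m["rest"]))
    return rep

def crash_state(rep: AsanReport, depth: int = 3) -> str:
    """Top frames of the faulting stack, sanitizer runtime frames skipped: the key a
    ClusterFuzz-style triage uses to decide whether two crashes are the same bug."""
    funcs = [f for f, _ in rep.access_stack if not f.startswith(SANITIZER_FRAMES)]
    return " ".join(funcs[:depth])

def overflow_summary(rep: AsanReport) -> dict:
    """Re-derive the faulting address from the region line (a consistency check on the
    report) and say how far outside the buffer the access landed and who allocated it."""
    r = rep.region
    expected = r["lo"] - r["dist"] if r["side"] == "left" else r["hi"] + r["dist"]
    alloc = next((loc for f, loc in rep.alloc_stack if not f.startswith(SANITIZER_FRAMES)), "?")
    return {"address_consistent": expected == rep.address, "underflow": r["side"] == "left",
            "bytes_outside": r["dist"], "region_size": r["size"],
            "access": f"{rep.op} {rep.size}", "allocated_in": alloc}
```

Run against the Windows trace in the description the same helper reports the write 1 byte to the right of a 1047-byte region, so the two runs are the same DWT buffer miscalculation seen from different sides of the allocation.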
Aug 1 2016
Since the malformed JPEG2000 image was totally different from the original seed file, I cannot figure out the root cause of this vulnerability.
Aug 1 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5701228208324608
Aug 1 2016
This looks like the same bug as issue 632622.
Aug 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5701228208324608

Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x61900000aa7c
Crash State:
  opj_dwt_decode
  opj_tcd_decode_tile
  opj_j2k_decode_tile

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=321780:322012

Minimized Testcase (1.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97sIAPTAkWNxnsmgmXlYB0hky8yu6B_UOj63UZqXuBeVD1e93rZ4gFuKt_HdUWBnPHHt-q7a22JoJFFl5LDfCbHjocULddtiBwg_4_nTRLj-HHwqr350as4h9LAi3Oxl7zaw1ATA-F8bvoe5StbZidykloFow?testcase_id=5701228208324608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Nov 23 2016
Please ignore this comment, it's for indexing :)
CVE-ID: CVE-2016-5157
Release Notes: https://googlechromereleases.blogspot.com/2016/08/stable-channel-update-for-desktop_31.html
Fixed Version: Chrome 53.0.2785.89
Merged: Issue 632622