
Issue 644628

Issue metadata

Status: Duplicate
Merged: issue 699491
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug


chrome pdfium pdf jpeg2000 remote DoS

Reported by riusks...@gmail.com, Sep 7 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
1. Open poc.pdf from a local or remote site with Chrome or pdfium.

What is the expected behavior?
Chrome pdfium has a bug that can lead to a crash when opening the crafted PDF file from a remote site.

What went wrong?
==18858== Process terminating with default action of signal 8 (SIGFPE)
==18858==  Integer divide by zero at address 0x803BE3AB1
==18858==    at 0x4CA370: opj_pi_next_pcrl (pi.c:451)
==18858==    by 0x4C92F2: opj_pi_next (pi.c:1885)
==18858==    by 0x4D0F3B: opj_t2_decode_packets (t2.c:412)
==18858==    by 0x4D7216: opj_tcd_t2_decode (tcd.c:1558)
==18858==    by 0x4D70ED: opj_tcd_decode_tile (tcd.c:1297)
==18858==    by 0x4A8A58: opj_j2k_decode_tile (j2k.c:8069)
==18858==    by 0x4B4176: opj_j2k_decode_tiles (j2k.c:9610)
==18858==    by 0x4A65C4: opj_j2k_exec (j2k.c:7290)
==18858==    by 0x4AAB73: opj_j2k_decode (j2k.c:9810)
==18858==    by 0x4BA986: opj_jp2_decode (jp2.c:1488)
==18858==    by 0x4C4148: opj_decode (openjpeg.c:412)

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: n/a
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 22.0 r0
Attachment: poc.pdf (12.3 KB)

Comment 1 by wfh@chromium.org, Sep 7 2016

Cc: och...@chromium.org
Components: Internals>Plugins>PDF
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -OS-Mac OS-All Type-Bug
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)
I can repro on latest stable 53.0.2785.89

3:064> k
 # Child-SP          RetAddr           Call Site
00 000000a4`4a0fb7a0 00007ffe`9bbcd1f2 chrome_child!opj_pi_next_pcrl+0x268 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\pi.c @ 451]
01 (Inline Function) --------`-------- chrome_child!opj_pi_next+0x36 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\pi.c @ 1885]
02 000000a4`4a0fb7e0 00007ffe`9bbc8cc1 chrome_child!opj_t2_decode_packets+0xe2 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\t2.c @ 412]
03 000000a4`4a0fb880 00007ffe`9bbc8584 chrome_child!opj_tcd_t2_decode+0x79 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\tcd.c @ 1591]
04 000000a4`4a0fb8f0 00007ffe`9bbc2694 chrome_child!opj_tcd_decode_tile+0x48 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\tcd.c @ 1330]
05 000000a4`4a0fb930 00007ffe`9bbc2865 chrome_child!opj_j2k_decode_tile+0x88 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 8073]
06 000000a4`4a0fb990 00007ffe`9bbbf977 chrome_child!opj_j2k_decode_tiles+0xc1 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 9614]
07 000000a4`4a0fba50 00007ffe`9bbc22b0 chrome_child!opj_jp2_exec+0x43 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c @ 2247]
08 000000a4`4a0fba90 00007ffe`9bbbf65d chrome_child!opj_j2k_decode+0x78 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\j2k.c @ 9814]
09 000000a4`4a0fbac0 00007ffe`9bb93112 chrome_child!opj_jp2_decode+0x31 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\jp2.c @ 1488]
0a (Inline Function) --------`-------- chrome_child!opj_decode+0x20 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\third_party\libopenjpeg20\openjpeg.c @ 412]
0b 000000a4`4a0fbaf0 00007ffe`9bb92ac0 chrome_child!CJPX_Decoder::Init+0x296 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 764]
0c 000000a4`4a0fdbb0 00007ffe`9bb72bac chrome_child!CCodec_JpxModule::CreateDecoder+0x50 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fxcodec\codec\fx_codec_jpx_opj.cpp @ 887]
0d 000000a4`4a0fdbe0 00007ffe`9bb71094 chrome_child!CPDF_DIBSource::LoadJpxBitmap+0x7c [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 634]
0e 000000a4`4a0fdc60 00007ffe`9bb73615 chrome_child!CPDF_DIBSource::CreateDecoder+0x264 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 594]
0f 000000a4`4a0fdce0 00007ffe`9bb6a164 chrome_child!CPDF_DIBSource::StartLoadDIBSource+0x1fd [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 311]
10 000000a4`4a0fdd40 00007ffe`9bb6a26f chrome_child!CPDF_ImageCacheEntry::StartGetCachedBitmap+0xa4 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 284]
11 000000a4`4a0fdda0 00007ffe`9bb73341 chrome_child!CPDF_PageRenderCache::StartGetCachedBitmap+0xc7 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_cache.cpp @ 131]
12 000000a4`4a0fde10 00007ffe`9bb64b2f chrome_child!CPDF_ImageLoaderHandle::Start+0x69 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_loadimage.cpp @ 1502]
13 000000a4`4a0fde60 00007ffe`9bb644a8 chrome_child!CPDF_ImageRenderer::StartLoadDIBSource+0xa7 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 356]
14 000000a4`4a0fdee0 00007ffe`9bb405e2 chrome_child!CPDF_ImageRenderer::Start+0x8c [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render_image.cpp @ 501]
15 000000a4`4a0fdf10 00007ffe`9bb403e6 chrome_child!CPDF_RenderStatus::ContinueSingleObject+0xe6 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 284]
16 000000a4`4a0fdf50 00007ffe`9bb09966 chrome_child!CPDF_ProgressiveRenderer::Continue+0x256 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\fpdf_render\fpdf_render.cpp @ 1026]
17 000000a4`4a0fe060 00007ffe`9bb11827 chrome_child!FPDF_RenderPage_Retail+0x286 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 886]
18 000000a4`4a0fe100 00007ffe`9ae532bb chrome_child!FPDF_RenderPageBitmap_Start+0x14b [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdf_progressive.cpp @ 54]

We don't consider DoS to be a security bug, but this is certainly a functional bug in OpenJPEG. Should this be reported upstream?

Comment 2 by ClusterFuzz, Sep 7 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5700362172628992

Comment 4 by wfh@chromium.org, Sep 19 2016

Issue 648111 has been merged into this issue.

Comment 5 by tsepez@chromium.org, Oct 13 2016

Owner: dsinclair@chromium.org

Comment 6 by ajha@chromium.org, Oct 17 2016

Issue 656481 has been merged into this issue.

Comment 7 by ClusterFuzz, Sep 13 2017

ClusterFuzz has detected this issue as fixed in range 456450:456499.

Detailed report: https://clusterfuzz.com/testcase?key=5700362172628992

Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  opj_pi_next
  opj_t2_decode_packets
  opj_tcd_decode_tile
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=350971:350997
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=456450:456499

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5700362172628992

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 699491
Status: Duplicate (was: Assigned)