
Issue 648111 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 644628
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


PDFium->OpenJPEG division-by-zero causes DoS

Reported by soulchen...@gmail.com, Sep 19 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36

Steps to reproduce the problem:
1. Open Chrome
2. Open the PDF attachment
3. Chrome will crash

What is the expected behavior?

What went wrong?
The call stack:
#0  opj_pi_next_cprl (pi=0x2507b40) at ../third_party/libopenjpeg20/pi.c:530
#1  opj_pi_next (pi=<optimized out>) at ../third_party/libopenjpeg20/pi.c:1887
#2  0x00000000018f277c in opj_t2_decode_packets (p_t2=<optimized out>, p_tile_no=<optimized out>, p_tile=<optimized out>, 
    p_src=<optimized out>, p_data_read=<optimized out>, p_max_len=<optimized out>, p_cstr_index=<optimized out>, 
    p_manager=<optimized out>) at ../third_party/libopenjpeg20/t2.c:412
#3  0x00000000018dde8b in opj_tcd_t2_decode (p_tcd=0x2463e00, p_src_data=<optimized out>, p_data_read=<optimized out>, 
    p_max_src_size=<optimized out>, p_cstr_index=<optimized out>, p_manager=<optimized out>) at ../third_party/libopenjpeg20/tcd.c:1591
#4  opj_tcd_decode_tile (p_tcd=0x2463e00, p_src=0x24ffd70 "0", p_max_length=<optimized out>, p_tile_no=48, 
    p_cstr_index=<optimized out>, p_manager=0x23f2988) at ../third_party/libopenjpeg20/tcd.c:1330
#5  0x00000000018bb176 in opj_j2k_decode_tile (p_j2k=<optimized out>, p_tile_index=48, p_data=<optimized out>, 
    p_data_size=<optimized out>, p_stream=<optimized out>, p_manager=<optimized out>) at ../third_party/libopenjpeg20/j2k.c:8073
#6  0x00000000018c98b0 in opj_j2k_decode_tiles (p_j2k=<optimized out>, p_stream=<optimized out>, p_manager=<optimized out>)
    at ../third_party/libopenjpeg20/j2k.c:9614
#7  0x00000000018be8f1 in opj_j2k_exec (p_j2k=0x23f29e0, p_procedure_list=<optimized out>, p_stream=0x23f28b0, p_manager=0x23f2988)
    at ../third_party/libopenjpeg20/j2k.c:7290
#8  opj_j2k_decode (p_j2k=<optimized out>, p_stream=<optimized out>, p_image=<optimized out>, p_manager=<optimized out>)
    at ../third_party/libopenjpeg20/j2k.c:9814
#9  0x00000000018b65e3 in opj_decode (p_codec=0x23f2930, p_stream=0x23f28b0, p_image=0x2464220)
    at ../third_party/libopenjpeg20/openjpeg.c:412
#10 0x000000000180e61c in CJPX_Decoder::Init (this=0x23f2870, src_data=<optimized out>, src_size=216)
    at ../core/fxcodec/codec/fx_codec_jpx_opj.cpp:764
#11 0x000000000180f650 in CCodec_JpxModule::CreateDecoder (this=<optimized out>, src_buf=0xf <Address 0xf out of bounds>, src_size=0, 
    cs=0x0) at ../core/fxcodec/codec/fx_codec_jpx_opj.cpp:890
#12 0x000000000171e674 in CPDF_DIBSource::LoadJpxBitmap (this=0x23f2710) at ../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:626
#13 0x0000000001719fcd in CPDF_DIBSource::CreateDecoder (this=0x23f2710) at ../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:585
#14 0x000000000171c2cc in CPDF_DIBSource::StartLoadDIBSource (this=0x23f2710, pDoc=<optimized out>, pStream=<optimized out>, 
    bHasMask=1, pFormResources=<optimized out>, pPageResources=<optimized out>, bStdCS=<optimized out>, GroupFamily=<optimized out>, 
    bLoadMask=<optimized out>) at ../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:305
#15 0x000000000170ed41 in StartGetCachedBitmap (this=0x23f0030, pFormResources=<optimized out>, pPageResources=<optimized out>, 
    bStdCS=0, GroupFamily=0, bLoadMask=0, pRenderStatus=<optimized out>, downsampleWidth=<optimized out>, 
    downsampleHeight=<optimized out>) at ../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:281
#16 CPDF_PageRenderCache::StartGetCachedBitmap (this=<optimized out>, pStream=<optimized out>, bStdCS=<optimized out>, 
    GroupFamily=<optimized out>, bLoadMask=<optimized out>, pRenderStatus=<optimized out>, downsampleWidth=<optimized out>, 
    downsampleHeight=<optimized out>) at ../core/fpdfapi/fpdf_render/fpdf_render_cache.cpp:130
#17 0x0000000001725228 in CPDF_ImageLoaderHandle::Start (this=0x23f26e0, pImageLoader=<optimized out>, pImage=<optimized out>, 
    pCache=0x23ef990, bStdCS=0, GroupFamily=<optimized out>, bLoadMask=<optimized out>, pRenderStatus=<optimized out>, 
    nDownsampleWidth=<optimized out>, nDownsampleHeight=1) at ../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1494
#18 0x00000000017256dc in CPDF_ImageLoader::Start (this=0x23f2670, pImage=0x23f1e00, pCache=<optimized out>, 
    pLoadHandle=<optimized out>, bStdCS=<optimized out>, GroupFamily=<optimized out>, bLoadMask=<optimized out>, 
    pRenderStatus=<optimized out>, nDownsampleWidth=<optimized out>, nDownsampleHeight=<optimized out>)
    at ../core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1545
#19 0x0000000001713844 in CPDF_ImageRenderer::StartLoadDIBSource (this=0x23f2630)
    at ../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:380
#20 0x0000000001711375 in CPDF_ImageRenderer::Start (this=0x23f2630, pStatus=<optimized out>, pObj=<optimized out>, 
    pObj2Device=<optimized out>, bStdCS=<optimized out>, blendType=<optimized out>)
    at ../core/fpdfapi/fpdf_render/fpdf_render_image.cpp:526
#21 0x0000000001705b29 in CPDF_RenderStatus::ContinueSingleObject (this=0x23f2470, pObj=0x23f1e00, pObj2Device=<optimized out>, 
    pPause=0x0) at ../core/fpdfapi/fpdf_render/fpdf_render.cpp:301
#22 0x000000000170b235 in CPDF_ProgressiveRenderer::Continue (this=<optimized out>, pPause=<optimized out>)
    at ../core/fpdfapi/fpdf_render/fpdf_render.cpp:1040
#23 0x000000000170a9a6 in CPDF_ProgressiveRenderer::Start (this=0x23f2400, pPause=0x0)
    at ../core/fpdfapi/fpdf_render/fpdf_render.cpp:1001
#24 0x000000000160513c in FPDF_RenderPage_Retail (pContext=0x23efd70, page=<optimized out>, start_x=<optimized out>, 
    start_y=<optimized out>, size_x=<optimized out>, size_y=<optimized out>, rotate=<optimized out>, flags=<optimized out>, 
    bNeedToRestore=1, pause=0x0) at ../fpdfsdk/fpdfview.cpp:905
#25 0x000000000160494f in FPDF_RenderPageBitmap (bitmap=0x23f2180, page=0x23ef640, start_x=<optimized out>, start_y=<optimized out>, 
    size_x=<optimized out>, size_y=<optimized out>, rotate=<optimized out>, flags=<optimized out>) at ../fpdfsdk/fpdfview.cpp:641
#26 0x000000000040f4cf in RenderPage (name=..., doc=<optimized out>, form=<optimized out>, page_index=<optimized out>, options=..., 
    events=...) at ../samples/pdfium_test.cc:576
#27 0x0000000000410805 in RenderPdf (name=..., pBuf=<optimized out>, len=<optimized out>, options=..., events=...)
    at ../samples/pdfium_test.cc:764
#28 0x000000000041152a in main (argc=<optimized out>, argv=<optimized out>) at ../samples/pdfium_test.cc:904

The source code:
if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy)))))

comp->dy is zero, and will cause a division by zero.

Did this work before? N/A 

Chrome version: 53.0.2785.113  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0
 
crash_5.pdf
464 bytes Download
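The division by zero described in the report, as an added example in C (this is not code from OpenJPEG, PDFium or the reporter): the condition quoted from pi.c lifted into a function, beside a guarded version and the SIZ-marker range check that would reject the malformed codestream before any tile is decoded. The struct `comp_t`, the function names and the sample values are hypothetical; the 1..255 range for XRsiz/YRsiz is what ITU-T T.800 specifies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the OpenJPEG component fields the quoted line
 * reads; an added illustration, not OpenJPEG's own struct. */
typedef struct {
    uint32_t dx;  /* XRsiz: horizontal sub-sampling factor from the SIZ marker */
    uint32_t dy;  /* YRsiz: vertical sub-sampling factor from the SIZ marker */
} comp_t;

/* The condition as quoted from pi.c in the report, lifted into a function.
 * The divisor is (comp->dy << rpy); when comp->dy == 0 it is zero and the
 * '%' is undefined behaviour (SIGFPE on x86), which is the crash reported. */
static bool row_skipped_unchecked(int32_t y, int32_t ty0, int32_t try0,
                                  uint32_t levelno, uint32_t rpy,
                                  const comp_t *comp)
{
    return !((y % (int32_t)(comp->dy << rpy) == 0) ||
             ((y == ty0) && ((try0 << levelno) % (1 << rpy))));
}

/* Same test with the divisor validated first. Reports failure through *ok
 * instead of dividing when the divisor would be zero (or the shift would
 * overflow); the caller must then abort the decode. */
static bool row_skipped_checked(int32_t y, int32_t ty0, int32_t try0,
                                uint32_t levelno, uint32_t rpy,
                                const comp_t *comp, bool *ok)
{
    if (comp->dy == 0 || rpy >= 31) {
        *ok = false;
        return true;
    }
    int32_t divisor = (int32_t)(comp->dy << rpy);
    if (divisor == 0) {
        *ok = false;
        return true;
    }
    *ok = true;
    return !((y % divisor == 0) ||
             ((y == ty0) && ((try0 << levelno) % (1 << rpy))));
}

/* Where the check belongs: when the SIZ marker is parsed. T.800 restricts
 * XRsiz and YRsiz to 1..255, so a zero factor is a malformed codestream and
 * the decoder should reject it before the packet iterator ever runs. */
static bool siz_subsampling_valid(uint32_t dx, uint32_t dy)
{
    return dx >= 1 && dx <= 255 && dy >= 1 && dy <= 255;
}

/* Probe the checked iterator for one (dy, y) pair with the other inputs
 * fixed at zero: -1 = rejected, 0 = row used, 1 = row skipped. */
static int probe(uint32_t dy, int32_t y)
{
    comp_t comp = { .dx = 1, .dy = dy };
    bool ok = false;
    bool skipped = row_skipped_checked(y, 0, 0, 0, 0, &comp, &ok);
    if (!ok) {
        return -1;
    }
    return skipped ? 1 : 0;
}

int main(void)
{
    /* Constructed values: dy = 0 is what the crash PDF's SIZ marker yields. */
    printf("SIZ with YRsiz=0 valid? %s\n",
           siz_subsampling_valid(1, 0) ? "yes" : "no");
    printf("checked iterator, dy=0, y=3: %d (expect -1, decode must abort)\n",
           probe(0, 3));
    printf("checked iterator, dy=2, y=3: %d (expect 1, row skipped)\n",
           probe(2, 3));
    printf("checked iterator, dy=2, y=4: %d (expect 0, row used)\n",
           probe(2, 4));
    /* row_skipped_unchecked(3, 0, 0, 0, 0, &(comp_t){1, 0}) would SIGFPE here. */
    return 0;
}
```

Build with `gcc -std=c99 -o pi_check pi_check.c && ./pi_check`. The parse-time check is the one that matters: a zero YRsiz is already invalid per T.800, so rejecting it in the SIZ parser means the packet iterator never sees it; the guard inside the iterator is defence in depth for the case where the factors arrive through some other path.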
Components: Internals>Plugins>PDF
Owner: och...@chromium.org
Labels: Security_Severity-Medium Security_Impact-Stable
Status: Assigned (was: Unconfirmed)
Feel free to adjust labels and re-assign as appropriate!

Comment 4 by wfh@chromium.org, Sep 19 2016

Mergedinto: 644628
Status: Duplicate (was: Assigned)
Looks like issue 644628. It's a bug, not a security bug.

Comment 5 by sheriffbot@chromium.org, Sep 13 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
