Issue 651304 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug



Security: PDFium Stack Overflow bugs

Reported by develac...@gmail.com, Sep 29 2016

Issue description

# VULNERABILITY DETAILS
A crash occurs when parsing PDF files, in cpdf_dictionary.cpp.
More specific 

# VERSION
Chrome Version: [53.0.2785.116] + [stable]
Operating System: [Mac OS X, Sierra, 10.12]

--------------------------------------------- Registers ---------------------------------------------
RAX: 0x1cc7a41a265b8000 
RBX: 0xdef3c0 (<TestLoader::GetBlock(void*, unsigned long, unsigned char*, unsigned long)>:	push   rbp)
RCX: 0x1cc7a41a265b8000 
RDX: 0x7ffff771fc70 --> 0x0 
RSI: 0x7fffff7ff3b0 --> 0x1e30780 --> 0x0 
RDI: 0x7fffff7ff3d8 --> 0x1e30780 --> 0x0 
RBP: 0x7fffff7ff380 --> 0x7fffff7ff410 --> 0x7fffff7ff440 --> 0x7fffff7ff460 --> 0x7fffff7ff4c0 --> 0x7fffff7ff620 (--> ...)
RSP: 0x7fffff7feef0 
RIP: 0xe5bfb8 (<__gnu_debug::operator!=<std::_Rb_tree_const_iterator<std::pair<CFX_ByteString const, CPDF_Object*> >, std::__debug::map<CFX_ByteString, CPDF_Object*, std::less<CFX_ByteString>, std::allocator<std::pair<CFX_ByteString const, CPDF_Object*> > > >(__gnu_debug::_Safe_iterator<std::_Rb_tree_const_iterator<std::pair<CFX_ByteString const, CPDF_Object*> >, std::__debug::map<CFX_ByteString, CPDF_Object*, std::less<CFX_ByteString>, std::allocator<std::pair<CFX_ByteString const, CPDF_Object*> > > > const&, __gnu_debug::_Safe_iterator<std::_Rb_tree_const_iterator<std::pair<CFX_ByteString const, CPDF_Object*> >, std::__debug::map<CFX_ByteString, CPDF_Object*, std::less<CFX_ByteString>, std::allocator<std::pair<CFX_ByteString const, CPDF_Object*> > > > const&)+24>:	mov    QWORD PTR [rbp-0x470],rdi)
R8 : 0x0 
R9 : 0x7fffff7ff040 --> 0x1 
R10: 0x384d470 --> 0x3046 ('F0')
R11: 0x7ffff6a2e730 --> 0xfffda400fffda12f 
R12: 0x40f950 (<ExampleDocMail(_IPDF_JsPlatform*, void*, int, int, unsigned short const*, unsigned short const*, unsigned short const*, unsigned short const*, unsigned short const*)>:	push   rbp)
R13: 0x40f920 (<ExampleDocGotoPage(_IPDF_JsPlatform*, int)>:	push   rbp)
R14: 0x18 
R15: 0x7fffffffe010 --> 0x105a
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)

--------------------------------------------- Stack Trace ---------------------------------------------
#0  0x0000000000e5bfb8 in __gnu_debug::operator!=<std::_Rb_tree_const_iterator<std::pair<CFX_ByteString const, CPDF_Object*> >, std::__debug::map<CFX_ByteString, CPDF_Object*, std::less<CFX_ByteString>, std::allocator<std::pair<CFX_ByteString const, CPDF_Object*> > > > (__lhs=<error reading variable: Cannot access memory at address 0x7fffff7fef10>, 
    __rhs=<error reading variable: Cannot access memory at address 0x7fffff7fef08>)
    at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/debug/safe_iterator.h:514
#1  0x0000000000e5ad2e in CPDF_Dictionary::GetObjectFor (this=0x1e30740, key=...) at ../../core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp:76
#2  0x0000000000e5adad in CPDF_Dictionary::GetDirectObjectFor (this=0x1e30740, key=...) at ../../core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp:81
#3  0x0000000000e5b1bd in CPDF_Dictionary::GetArrayFor (this=0x1e30740, key=...) at ../../core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp:137
#4  0x0000000000e5b2b5 in CPDF_Dictionary::GetMatrixFor (this=0x1e30740, key=...) at ../../core/fpdfapi/fpdf_parser/cpdf_dictionary.cpp:154
#5  0x0000000000e44bd1 in CPDF_ContentParser::Start (this=0x384d850, pForm=0x384d4f0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x384d4a0, level=0x1)
    at ../../core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:682
#6  0x0000000000ee7ece in CPDF_Form::StartParse (this=0x384d4f0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x384d4a0, level=0x1) at ../../core/fpdfapi/fpdf_page/cpdf_form.cpp:42
#7  0x0000000000ee7f27 in CPDF_Form::ParseContent (this=0x384d4f0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x384d4a0, level=0x1) at ../../core/fpdfapi/fpdf_page/cpdf_form.cpp:50
#8  0x0000000000ec9d7f in CPDF_Type3Font::LoadChar (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:114
#9  0x0000000000eca211 in CPDF_Type3Font::GetCharBBox (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:154
#10 0x0000000000ec34e6 in CPDF_Font::CheckFontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_font.cpp:246
#11 0x0000000000ec9a75 in CPDF_Type3Font::CheckType3FontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:87
#12 0x0000000000f0016a in CPDF_StreamContentParser::FindFont (this=0x384bbe0, name=...) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1157
#13 0x0000000000efc6fa in CPDF_StreamContentParser::Handle_SetFont (this=0x384bbe0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1126
#14 0x0000000000efdf3d in CPDF_StreamContentParser::OnOperator (this=0x384bbe0, op=0x7fffff7ffb48 "Tf") at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:551
#15 0x0000000000f00aab in CPDF_StreamContentParser::Parse (this=0x384bbe0, 
    pData=0x1e30810 "640 0 0 -740 640 40 d1\n640 -150 m\n640 -660 l\n520 -660 l\n320 -610 l\n390 -655 l\n390 -710 l\n360 -740 l\n300 -740 l\n260 -700 l\n260 -670 l\n280 -650 l\n300 -650 l\n290 -670 l\n30", dwSize=0x448, max_cost=0x64) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1513
#16 0x0000000000e45674 in CPDF_ContentParser::Continue (this=0x384bb50, pPause=0x0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:782
#17 0x0000000000e2a2ad in CPDF_PageObjectHolder::ContinueParse (this=0x384b7f0, pPause=0x0) at ../../core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:30
#18 0x0000000000ee7f39 in CPDF_Form::ParseContent (this=0x384b7f0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x384b7a0, level=0x1) at ../../core/fpdfapi/fpdf_page/cpdf_form.cpp:51
#19 0x0000000000ec9d7f in CPDF_Type3Font::LoadChar (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:114
#20 0x0000000000eca211 in CPDF_Type3Font::GetCharBBox (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:154
#21 0x0000000000ec34e6 in CPDF_Font::CheckFontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_font.cpp:246
#22 0x0000000000ec9a75 in CPDF_Type3Font::CheckType3FontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:87
#23 0x0000000000f0016a in CPDF_StreamContentParser::FindFont (this=0x3849ee0, name=...) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1157
#24 0x0000000000efc6fa in CPDF_StreamContentParser::Handle_SetFont (this=0x3849ee0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1126
#25 0x0000000000efdf3d in CPDF_StreamContentParser::OnOperator (this=0x3849ee0, op=0x7fffff800428 "Tf") at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:551
#26 0x0000000000f00aab in CPDF_StreamContentParser::Parse (this=0x3849ee0, 
    pData=0x1e30810 "640 0 0 -740 640 40 d1\n640 -150 m\n640 -660 l\n520 -660 l\n320 -610 l\n390 -655 l\n390 -710 l\n360 -740 l\n300 -740 l\n260 -700 l\n260 -670 l\n280 -650 l\n300 -650 l\n290 -670 l\n30", dwSize=0x448, max_cost=0x64) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1513
#27 0x0000000000e45674 in CPDF_ContentParser::Continue (this=0x3849e50, pPause=0x0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:782
#28 0x0000000000e2a2ad in CPDF_PageObjectHolder::ContinueParse (this=0x3849af0, pPause=0x0) at ../../core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:30
#29 0x0000000000ee7f39 in CPDF_Form::ParseContent (this=0x3849af0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x3849aa0, level=0x1) at ../../core/fpdfapi/fpdf_page/cpdf_form.cpp:51
#30 0x0000000000ec9d7f in CPDF_Type3Font::LoadChar (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:114
#31 0x0000000000eca211 in CPDF_Type3Font::GetCharBBox (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:154
#32 0x0000000000ec34e6 in CPDF_Font::CheckFontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_font.cpp:246
#33 0x0000000000ec9a75 in CPDF_Type3Font::CheckType3FontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:87
#34 0x0000000000f0016a in CPDF_StreamContentParser::FindFont (this=0x38481e0, name=...) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1157
#35 0x0000000000efc6fa in CPDF_StreamContentParser::Handle_SetFont (this=0x38481e0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1126
#36 0x0000000000efdf3d in CPDF_StreamContentParser::OnOperator (this=0x38481e0, op=0x7fffff800d08 "Tf") at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:551
#37 0x0000000000f00aab in CPDF_StreamContentParser::Parse (this=0x38481e0, 
    pData=0x1e30810 "640 0 0 -740 640 40 d1\n640 -150 m\n640 -660 l\n520 -660 l\n320 -610 l\n390 -655 l\n390 -710 l\n360 -740 l\n300 -740 l\n260 -700 l\n260 -670 l\n280 -650 l\n300 -650 l\n290 -670 l\n30", dwSize=0x448, max_cost=0x64) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1513
#38 0x0000000000e45674 in CPDF_ContentParser::Continue (this=0x3848150, pPause=0x0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:782
#39 0x0000000000e2a2ad in CPDF_PageObjectHolder::ContinueParse (this=0x3847df0, pPause=0x0) at ../../core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:30
#40 0x0000000000ee7f39 in CPDF_Form::ParseContent (this=0x3847df0, pGraphicStates=0x0, pParentMatrix=0x0, pType3Char=0x3847da0, level=0x1) at ../../core/fpdfapi/fpdf_page/cpdf_form.cpp:51
#41 0x0000000000ec9d7f in CPDF_Type3Font::LoadChar (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:114
#42 0x0000000000eca211 in CPDF_Type3Font::GetCharBBox (this=0x1e2ddb0, charcode=0x1, level=0x0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:154
#43 0x0000000000ec34e6 in CPDF_Font::CheckFontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_font.cpp:246
#44 0x0000000000ec9a75 in CPDF_Type3Font::CheckType3FontMetrics (this=0x1e2ddb0) at ../../core/fpdfapi/fpdf_font/cpdf_type3font.cpp:87
#45 0x0000000000f0016a in CPDF_StreamContentParser::FindFont (this=0x38464e0, name=...) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1157
#46 0x0000000000efc6fa in CPDF_StreamContentParser::Handle_SetFont (this=0x38464e0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1126
#47 0x0000000000efdf3d in CPDF_StreamContentParser::OnOperator (this=0x38464e0, op=0x7fffff8015e8 "Tf") at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:551
#48 0x0000000000f00aab in CPDF_StreamContentParser::Parse (this=0x38464e0, 
    pData=0x1e30810 "640 0 0 -740 640 40 d1\n640 -150 m\n640 -660 l\n520 -660 l\n320 -610 l\n390 -655 l\n390 -710 l\n360 -740 l\n300 -740 l\n260 -700 l\n260 -670 l\n280 -650 l\n300 -650 l\n290 -670 l\n30", dwSize=0x448, max_cost=0x64) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1513
#49 0x0000000000e45674 in CPDF_ContentParser::Continue (this=0x3846450, pPause=0x0) at ../../core/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:782
#50 0x0000000000e2a2ad in CPDF_PageObjectHolder::ContinueParse (this=0x38460f0, pPause=0x0) at ../../core/fpdfapi/fpdf_page/cpdf_pageobjectholder.cpp:30
Attachment: crash.pdf (4.1 KB)
More specific analysis information would be added.

Comment 2 by kenrb@chromium.org, Sep 29 2016

Cc: tsepez@chromium.org och...@chromium.org kenrb@chromium.org
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Security_Impact-Stable OS-All Pri-1
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report.

I have confirmed the crash on Mac and Linux, although I haven't looked into the cause. The crash stack in the report above looks like an out of bounds read, so I am flagging it accordingly. We should change flags later if it looks different after investigation.

Cc: dsinclair@chromium.org
Owner: weili@chromium.org
weili@ you were looking at some of these previously, is this related? If not, feel free to assign back to me and I can take a look.

Comment 4 by sheriffbot@chromium.org, Sep 30 2016

Labels: M-54

Comment 5 by weili@chromium.org, Sep 30 2016

develacker@, can I include your attached PDF in our test files?

Sure!! :)

Comment 7 by bugdroid1@chromium.org, Oct 3 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/d61f958385be285f3f3897ef3a3f010048608f1c

commit d61f958385be285f3f3897ef3a3f010048608f1c
Author: weili <weili@chromium.org>
Date: Mon Oct 03 19:10:55 2016

Detect recursive loading of type3 font char to avoid infinite loop

The original way of detecting loops was passing a level parameter
through various functions. This missed some cases which also lead
to loading a type3 font char, for example, FindFont() may call
CheckType3FontMetrics() which may eventually lead to LoadChar().

The new way is to store the char loading depth, and abort when the depth
exceeds the max.

BUG= chromium:651304 

Review-Url: https://codereview.chromium.org/2384853002

[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_cidfont.cpp
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_cidfont.h
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_font.h
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_simplefont.cpp
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_simplefont.h
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_type3font.cpp
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_font/cpdf_type3font.h
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_page/cpdf_textobject.cpp
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_page/cpdf_textobject.h
[modify] https://crrev.com/d61f958385be285f3f3897ef3a3f010048608f1c/core/fpdfapi/fpdf_page/fpdf_page_parser.cpp

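The re-entrancy the fix describes is visible in the trace above: FindFont() calls CheckType3FontMetrics(), which calls GetCharBBox() and LoadChar() with level=0x0 (frames #8, #19, #30, #41), even though the enclosing ParseContent() was entered with level=0x1. A level passed down through call arguments is reset to zero on that path, so it never reaches the cap, and the same font (this=0x1e2ddb0) is loaded again every time its glyph stream executes Tf. The following is an added C++ example, not PDFium code, that models that call chain on a toy font dictionary and applies the commit's approach: a loading-depth counter stored on the font, incremented and decremented by an RAII guard, with an abort once it exceeds a maximum. The cap value (kMaxType3CharLoadDepth = 4), the per-font placement of the counter and the sample documents are assumptions of this example; the page does not show PDFium's actual constants or data structures.

```cpp
// Added example, not PDFium code: toy model of Type3 glyph loading that
// reproduces the chain FindFont -> CheckType3FontMetrics -> GetCharBBox ->
// LoadChar -> ParseContent -> Tf -> FindFont seen in the crash stack, and
// guards it with a stored loading depth rather than a per-call level.
#include <initializer_list>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Assumed cap; the real PDFium value is not stated on this page.
constexpr int kMaxType3CharLoadDepth = 4;

struct Type3Font;

// A document is reduced to its font resource dictionary: name -> font.
struct Document {
  std::map<std::string, std::shared_ptr<Type3Font>> fonts;
};

struct Type3Font {
  std::string name;
  // Each glyph's content stream is modelled as the list of font resource
  // names it selects with Tf, the only operator that matters for the loop.
  std::map<int, std::vector<std::string>> char_procs;
  bool metrics_checked = false;
  int char_load_depth = 0;  // nested LoadChar calls in progress (assumed per-font)
  int glyphs_loaded = 0;
};

// RAII guard: increments on entry and decrements on every exit path, so the
// abort path cannot leave the counter permanently raised.
class ScopedDepth {
 public:
  explicit ScopedDepth(int* depth) : depth_(depth) { ++*depth_; }
  ~ScopedDepth() { --*depth_; }
  ScopedDepth(const ScopedDepth&) = delete;
  ScopedDepth& operator=(const ScopedDepth&) = delete;
 private:
  int* depth_;
};

bool LoadChar(Document& doc, Type3Font& font, int charcode);

// Models CPDF_StreamContentParser::FindFont -> CheckType3FontMetrics:
// selecting a Type3 font forces a metrics check, which loads a glyph.
// There is no level argument to forward here, which is why a per-call
// level restarts at 0 on this path.
bool FindFont(Document& doc, const std::string& name) {
  auto it = doc.fonts.find(name);
  if (it == doc.fonts.end()) return false;
  Type3Font& font = *it->second;
  if (!font.metrics_checked) {
    if (!LoadChar(doc, font, 1)) return false;  // GetCharBBox -> LoadChar
    font.metrics_checked = true;
  }
  return true;
}

// Models CPDF_Form::ParseContent for a glyph stream: every Tf resolves a font.
bool ParseContent(Document& doc, const std::vector<std::string>& tf_ops) {
  for (const std::string& font_name : tf_ops) {
    if (!FindFont(doc, font_name)) return false;
  }
  return true;
}

bool LoadChar(Document& doc, Type3Font& font, int charcode) {
  // The stored depth sees every re-entry, whichever path led here.
  if (font.char_load_depth >= kMaxType3CharLoadDepth) return false;
  ScopedDepth guard(&font.char_load_depth);
  auto it = font.char_procs.find(charcode);
  if (it == font.char_procs.end()) return false;
  if (!ParseContent(doc, it->second)) return false;
  ++font.glyphs_loaded;
  return true;
}

// Constructed input: a single font whose glyph stream selects the font itself,
// the shape the trace implies for the attached crash.pdf.
Document MakeSelfReferencingDoc() {
  Document doc;
  auto f1 = std::make_shared<Type3Font>();
  f1->name = "F1";
  f1->char_procs[1] = {"F1"};
  doc.fonts["F1"] = f1;
  return doc;
}

// Constructed input: a legitimate chain A -> B -> C with no cycle.
Document MakeAcyclicDoc() {
  Document doc;
  for (const char* n : {"A", "B", "C"}) {
    auto f = std::make_shared<Type3Font>();
    f->name = n;
    doc.fonts[n] = f;
  }
  doc.fonts["A"]->char_procs[1] = {"B"};
  doc.fonts["B"]->char_procs[1] = {"C"};
  doc.fonts["C"]->char_procs[1].clear();  // glyph with no Tf
  return doc;
}

// True when the self-referencing font is rejected, nothing was loaded, and
// the depth counter has fully unwound afterwards.
bool SelfReferenceIsRejected() {
  Document doc = MakeSelfReferencingDoc();
  bool ok = FindFont(doc, "F1");
  const Type3Font& f1 = *doc.fonts["F1"];
  return !ok && f1.char_load_depth == 0 && f1.glyphs_loaded == 0;
}

// True when the acyclic chain loads each glyph exactly once and a second
// lookup is served from the metrics cache.
bool AcyclicChainLoads() {
  Document doc = MakeAcyclicDoc();
  if (!FindFont(doc, "A")) return false;
  if (!FindFont(doc, "A")) return false;
  return doc.fonts["A"]->glyphs_loaded == 1 &&
         doc.fonts["B"]->glyphs_loaded == 1 &&
         doc.fonts["C"]->glyphs_loaded == 1;
}

int main() {
  return (SelfReferenceIsRejected() && AcyclicChainLoads()) ? 0 : 1;
}
```

The counter lives on the object being re-entered rather than in the call arguments, so any path that ends in LoadChar() is counted, including ones that start a fresh call chain. The RAII guard matters for the abort path: if the decrement were written by hand after ParseContent(), the early `return false` would leave the count raised and later, legitimate loads of the same font would be refused.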

Comment 8 by bugdroid1@chromium.org, Oct 3 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a0d8a3fbc17e6f16362732644468dff3d9a755ce

commit a0d8a3fbc17e6f16362732644468dff3d9a755ce
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Oct 03 20:59:24 2016

Roll src/third_party/pdfium/ e5393582a..d61f95838 (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/e5393582a7f5..d61f958385be

$ git log e5393582a..d61f95838 --date=short --no-merges --format='%ad %ae %s'
2016-10-03 weili Detect recursive loading of type3 font char to avoid infinite loop

BUG= 651304 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2390823002
Cr-Commit-Position: refs/heads/master@{#422524}

[modify] https://crrev.com/a0d8a3fbc17e6f16362732644468dff3d9a755ce/DEPS

Comment 9 by weili@chromium.org, Oct 3 2016

Status: Fixed (was: Assigned)

Comment 10 by sheriffbot@chromium.org, Oct 4 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Labels: -M-54 M-55

Labels: reward-topanel

Labels: -Type-Bug-Security -reward-topanel -Security_Impact-Stable -Security_Severity-Medium Type-Bug

Are there any further notifications?

Comment 15 by sheriffbot@chromium.org, Jan 10 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot