Issue 652038 Security: PDFium Signed Integer Overflow Bug
Starred by 2 users Reported by develac...@gmail.com, Oct 1
Status: Fixed
Owner:
Closed: Oct 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

# VULNERABILITY DETAILS
There was a crash while rendering a pdf file when handling integer values in cpdf_page.cpp.

# VERSION
Chrome Version: [53.0.2785.116] + [stable]
Operating System: [Windows, 10, Pro]

# FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
Crash State: 
----------------------------------- crash result -----------------------------------
$ ./pdfium_test crash-integer.pdf 
Rendering PDF file crash-integer.pdf.
LoadXFA unsuccessful, continuing anyway.
../../third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_page.cpp:173:22: runtime error: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
    #0 0x1f5cb4c  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x1f5cb4c)
    #1 0x24414ef  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x24414ef)
    #2 0x1cf305b  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x1cf305b)
    #3 0x518c6d  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x518c6d)
    #4 0x51b8e4  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x51b8e4)
    #5 0x51d9bf  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x51d9bf)
    #6 0x7fce6ef5182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x434e34  (/home/devel/bbb/chromium/src/out.gn/pdfium-asan/pdfium_test+0x434e34)

SUMMARY: AddressSanitizer: undefined-behavior ../../third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_page.cpp:173:22 in 
terminating with uncaught exception of type std::length_error: vector
Aborted (core dumped)


------------------------------------- backtrace -------------------------------------
#0  0x00007ffff652a418 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff652c01a in __GI_abort () at abort.c:89
#2  0x00007ffff7b3d0ff in abort_message () at ../../buildtools/third_party/libc++abi/trunk/src/abort_message.cpp:78
#3  0x00007ffff7b3e0c2 in default_terminate_handler () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_default_handlers.cpp:63
#4  0x00007ffff7c26ba6 in std::__terminate(void (*)()) () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_handlers.cpp:68
#5  0x00007ffff7c2338d in failed_throw () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_exception.cpp:149
#6  __cxa_throw () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_exception.cpp:242
#7  0x00007ffff7a0fc2d in __throw_length_error () at ../../buildtools/third_party/libc++/trunk/include/vector:301
#8  0x000000000151fe17 in allocate () at ../../buildtools/third_party/libc++/trunk/include/vector:2471
#9  0x000000000244b7d6 in vector () at ../../buildtools/third_party/libc++/trunk/include/vector:2577
#10 0x0000000002448bda in FindTextlineFlowOrientation () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:511
#11 0x000000000244543a in ProcessObject () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:576
#12 0x00000000024421f2 in ParseTextPage () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:145
#13 0x0000000001cf3064 in FPDFText_LoadPage () at ../../third_party/pdfium/fpdfsdk/fpdftext.cpp:59
#14 0x0000000000518c6e in RenderPage () at ../../third_party/pdfium/samples/pdfium_test.cc:560
#15 0x000000000051b8e5 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at ../../third_party/pdfium/samples/pdfium_test.cc:764
#16 0x000000000051d9c0 in main () at ../../third_party/pdfium/samples/pdfium_test.cc:904
#17 0x00007ffff6515830 in __libc_start_main (main=0x51c180 <main()>, argc=0x2, argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538)
    at ../csu/libc-start.c:291
#18 0x0000000000434e35 in _start ()
 
Attachment: crash-integer.pdf (118 KB)
Cc: tsepez@chromium.org och...@chromium.org
Labels: Pri-1
Owner: dsinclair@chromium.org
dsinclair: I haven't been able to reproduce this because I don't have access to a Windows ASAN bug. Can you have a look? It might require inspection with a debugger.

Based on the stack trace it looks like it has the potential to be an out-of-bounds memory write.
Labels: Needs-Feedback
I think there are two issues in this bug. One is the overflow on cpdf_page.cpp:173 and the second is the crash from accessing invalid vector value at cpdf_textpage.cpp:511.

The backtrace is related to the vector issue, not the overflow issue.
Project Member Comment 4 by sheriffbot@chromium.org, Oct 4
Status: Assigned
Components: Internals>Plugins>PDF
Labels: Security_Impact-Stable M-54 Security_Severity-High
Labels: OS-All
I am unable to repro this crash on Windows 10.  develacker@ does the issue still repro for you? Are you exporting any ASAN_OPTIONS before running pdfium_test?
Yes I checked that it was able to repro this crash on latest Chrome version (53.0.2785.143) on Windows 10. Also I set ASAN_OPTIONS as "is_asan = true; is_syzyasan = true; is_ubsan = true; is_ubsan_security = true"
Attachment: crash.png (6.1 KB)
Status: Started
Project Member Comment 11 by bugdroid1@chromium.org, Oct 12
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/798e18f5e5cfb672c7f3186f6358b84c5ff7785b

commit 798e18f5e5cfb672c7f3186f6358b84c5ff7785b
Author: dsinclair <dsinclair@chromium.org>
Date: Wed Oct 12 20:05:38 2016

Convert from int to float values.

The CPDF_Page::GetDisplayMatrix expects to set float values into the
|display_matrix| but all of the input values are currently int. It is possible
to overflow the int values, so this CL changes the variables to be int which
closer reflects what they're being used for.

BUG=chromium:652038

Review-Url: https://codereview.chromium.org/2412983002

[modify] https://crrev.com/798e18f5e5cfb672c7f3186f6358b84c5ff7785b/core/fpdfapi/page/cpdf_page.cpp
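As an added illustration (not PDFium's code and not part of this CL), the int-subtraction pattern that UBSan flagged ("0 - -2147483648") beside the float arithmetic the commit switched to, a checked-arithmetic alternative, and a guard for the std::vector length_error seen in the reporter's backtrace. The IntBox struct, the function names and the 20000 px ceiling are hypothetical stand-ins, not PDFium identifiers.

```cpp
// Added example, not PDFium's code: the int-subtraction pattern that UBSan
// flagged ("0 - -2147483648") next to the float arithmetic the CL switched
// to, plus a checked-arithmetic alternative. IntBox and all names are
// hypothetical stand-ins for the real CPDF_Page members.
#include <climits>
#include <cmath>
#include <cstddef>
#include <vector>

// Page box coordinates as parsed from an untrusted PDF into ints.
struct IntBox { int left, bottom, right, top; };

// Pre-fix pattern: width computed in int. With left == INT_MIN and
// right == 0 the subtraction is undefined behaviour (exactly the report).
// Kept only for contrast; never evaluated with overflowing input here.
int WidthUnsafe(const IntBox& b) { return b.right - b.left; }

// Fix in the spirit of the CL: do the arithmetic in float, where the same
// operands give a well-defined 2147483648.0f instead of UB.
float WidthAsFloat(const IntBox& b) {
  return static_cast<float>(b.right) - static_cast<float>(b.left);
}

// Defensive alternative: checked subtraction (GCC/Clang builtin) that
// reports the overflow so the caller can reject the page instead.
bool WidthChecked(const IntBox& b, int* out) {
  return !__builtin_sub_overflow(b.right, b.left, out);
}

// Plausibility gate for a computed dimension before it feeds an allocation;
// 20000 px is an assumed ceiling, not a PDFium constant.
bool IsSaneDimension(float v, float max_px = 20000.0f) {
  return std::isfinite(v) && v > 0.0f && v <= max_px;
}

// The std::length_error in the reporter's backtrace is what an overflowed or
// negative element count produces when it reaches a std::vector constructor
// (it converts to a huge size_t). Gate the count instead of catching it.
bool TryMakeBuffer(long long count, std::vector<float>* out) {
  const long long kMaxElements = 20000LL * 20000LL;  // assumed ceiling
  if (count <= 0 || count > kMaxElements) return false;
  out->assign(static_cast<std::size_t>(count), 0.0f);
  return true;
}
```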

Status: Fixed
The undefined behaviour is fixed with comment 11 which is the original reported issue. I have not been able to repro the vector issue. 

If the vector issue persists for you, can you please open a new bug with repro steps?
Project Member Comment 13 by bugdroid1@chromium.org, Oct 12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7db20340321792730c532a8ff9723f1c3ff1e6df

commit 7db20340321792730c532a8ff9723f1c3ff1e6df
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Oct 12 21:52:30 2016

Roll src/third_party/pdfium/ 8779fa857..52ef14e89 (2 commits).

https://pdfium.googlesource.com/pdfium.git/+log/8779fa8578cf..52ef14e8911f

$ git log 8779fa857..52ef14e89 --date=short --no-merges --format='%ad %ae %s'
2016-10-12 ethannicholas added SkSL to Skia build
2016-10-12 dsinclair Convert from int to float values.

BUG= 652038 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2417653002
Cr-Commit-Position: refs/heads/master@{#424873}

[modify] https://crrev.com/7db20340321792730c532a8ff9723f1c3ff1e6df/DEPS

Project Member Comment 14 by sheriffbot@chromium.org, Oct 13
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Issue 613030 has been merged into this issue.
Labels: reward-topanel
Project Member Comment 17 by sheriffbot@chromium.org, Oct 21
Labels: Merge-Request-55
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Cc: awhalley@chromium.org
+awhalley@ for M55 merge review
We've not yet confirmed reproducibility.  I've uploaded to clusterfuzz to see if it has any luck (https://cluster-fuzz.appspot.com/testcase?key=4658877997252608 & https://cluster-fuzz.appspot.com/testcase?key=5577096904835072)
Ok, please request a merge to M55 when you think it is ready and safe to merge. Thank you.
Labels: -Merge-Review-55 Merge-Request-55
Labels: -Merge-Request-55 Merge-Approved-55
Approving merge to M55 branch 2883. Please merge ASAP. Thank you.
Will merge.
Project Member Comment 25 by bugdroid1@chromium.org, Oct 27
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/3b3e316594617c9f382b550df881a7448df0afca

commit 3b3e316594617c9f382b550df881a7448df0afca
Author: Lei Zhang <thestig@google.com>
Date: Thu Oct 27 20:53:02 2016

Labels: -Hotlist-Merge-Review -Needs-Feedback -Merge-Approved-55 merge-merged-2883
Labels: -reward-topanel reward-NA
I'm afraid the panel declined to reward as on closer inspection they couldn't determine how the overflow could be exploited.  Sorry about that, though let us know if you have an idea to the contrary.
Labels: M-55
Labels: Release-0-M55
Labels: -Security_Severity-High Security_Severity-Low
Labels: CVE-2016-5223
Project Member Comment 32 by sheriffbot@chromium.org, Jan 19
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot