Status: Fixed
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Security: PDFium Signed Integer Overflow Bug
Reported by, Oct 1 2016
There was a crash while rendering a PDF file when handling integer values in cpdf_page.cpp.

Chrome Version: [53.0.2785.116] + [stable]
Operating System: [Windows, 10, Pro]

Type of crash: [tab]
Crash State: 
----------------------------------- crash result -----------------------------------
$ ./pdfium_test crash-integer.pdf 
Rendering PDF file crash-integer.pdf.
LoadXFA unsuccessful, continuing anyway.
../../third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_page.cpp:173:22: runtime error: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
    #0 0x1f5cb4c  (/home/devel/bbb/chromium/src/
    #1 0x24414ef  (/home/devel/bbb/chromium/src/
    #2 0x1cf305b  (/home/devel/bbb/chromium/src/
    #3 0x518c6d  (/home/devel/bbb/chromium/src/
    #4 0x51b8e4  (/home/devel/bbb/chromium/src/
    #5 0x51d9bf  (/home/devel/bbb/chromium/src/
    #6 0x7fce6ef5182f  (/lib/x86_64-linux-gnu/
    #7 0x434e34  (/home/devel/bbb/chromium/src/

SUMMARY: AddressSanitizer: undefined-behavior ../../third_party/pdfium/core/fpdfapi/fpdf_page/cpdf_page.cpp:173:22 in 
terminating with uncaught exception of type std::length_error: vector
Aborted (core dumped)

------------------------------------- registers -------------------------------------
RAX: 0x0 
RBX: 0x7fffffffda40 --> 0x7fffffffdad0 --> 0xc7adc0c6225f8cd 
RCX: 0x7ffff652a418 (<__GI_raise+56>:	cmp    rax,0xfffffffffffff000)
RDX: 0x6 
RSI: 0xadb5 
RDI: 0xadb5 
RBP: 0x7fffffffdb50 --> 0x7fffffffdbf0 --> 0x7fffffffdc10 --> 0x7fffffffdc60 --> 0x7fffffffdc80 --> 0x7fffffffdcb0 (--> ...)
RSP: 0x7fffffffd908 --> 0x7ffff652c01a (<__GI_abort+362>:	mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff652a418 (<__GI_raise+56>:	cmp    rax,0xfffffffffffff000)
R8 : 0x7ffff68ba770 --> 0x0 
R9 : 0x7ffff7fce780 (0x00007ffff7fce780)
R10: 0x8 
R11: 0x202 
R12: 0xffffed172e0 --> 0x0 
R13: 0xc7adc0c6225f8cd 
R14: 0x7ffff7c53c40 ("terminating with %s exception of type %s: %s")
R15: 0x7ffff68b9700 --> 0x7ffff68b9540 --> 0xfbad2887 --> 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)

------------------------------------- backtrace -------------------------------------
#0  0x00007ffff652a418 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff652c01a in __GI_abort () at abort.c:89
#2  0x00007ffff7b3d0ff in abort_message () at ../../buildtools/third_party/libc++abi/trunk/src/abort_message.cpp:78
#3  0x00007ffff7b3e0c2 in default_terminate_handler () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_default_handlers.cpp:63
#4  0x00007ffff7c26ba6 in std::__terminate(void (*)()) () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_handlers.cpp:68
#5  0x00007ffff7c2338d in failed_throw () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_exception.cpp:149
#6  __cxa_throw () at ../../buildtools/third_party/libc++abi/trunk/src/cxa_exception.cpp:242
#7  0x00007ffff7a0fc2d in __throw_length_error () at ../../buildtools/third_party/libc++/trunk/include/vector:301
#8  0x000000000151fe17 in allocate () at ../../buildtools/third_party/libc++/trunk/include/vector:2471
#9  0x000000000244b7d6 in vector () at ../../buildtools/third_party/libc++/trunk/include/vector:2577
#10 0x0000000002448bda in FindTextlineFlowOrientation () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:511
#11 0x000000000244543a in ProcessObject () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:576
#12 0x00000000024421f2 in ParseTextPage () at ../../third_party/pdfium/core/fpdftext/cpdf_textpage.cpp:145
#13 0x0000000001cf3064 in FPDFText_LoadPage () at ../../third_party/pdfium/fpdfsdk/fpdftext.cpp:59
#14 0x0000000000518c6e in RenderPage () at ../../third_party/pdfium/samples/
#15 0x000000000051b8e5 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) () at ../../third_party/pdfium/samples/
#16 0x000000000051d9c0 in main () at ../../third_party/pdfium/samples/
#17 0x00007ffff6515830 in __libc_start_main (main=0x51c180 <main()>, argc=0x2, argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538)
    at ../csu/libc-start.c:291
#18 0x0000000000434e35 in _start ()
Comment 1 by, Oct 3 2016
Labels: Pri-1
dsinclair: I haven't been able to reproduce this because I don't have access to a Windows ASAN bug. Can you have a look? It might require inspection with a debugger.

Based on the stack trace it looks like it has the potential to be an out-of-bounds memory write.
Comment 2 by, Oct 3 2016
Labels: Needs-Feedback
I think there are two issues in this bug. One is the overflow on cpdf_page.cpp:173 and the second is the crash from accessing invalid vector value at cpdf_textpage.cpp:511.

The backtrace is related to the vector issue, not the overflow issue.
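The vector issue named in comment 2 is visible in the backtrace as std::vector's size constructor throwing std::length_error (frames #7 to #9), which nothing in pdfium_test catches, hence the "terminating with uncaught exception" abort. The added example below is not PDFium's code and does not reproduce cpdf_textpage.cpp:511; it assumes the element count reaching the constructor was derived from an untrusted int, which is a hypothesis the report does not confirm. It shows why a negative int turns into a length_error once it is converted to size_t, and a guard (with an assumed illustrative bound, kMaxTextRuns) that rejects the count before it is ever used as a size.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Added example, not PDFium code.
// A negative int converted to size_t becomes a huge value (SIZE_MAX for -1)
// that exceeds vector::max_size(), so the constructor throws
// std::length_error. If nothing catches it, std::terminate() aborts the
// process, which is the crash shape in the report's backtrace.
bool ConstructThrowsLengthError(int count) {
  try {
    // Same implicit widening that happens when an int is passed to the
    // size constructor directly.
    std::vector<int> v(static_cast<std::size_t>(count));
    (void)v;
    return false;
  } catch (const std::length_error&) {
    return true;
  }
}

// Assumed application-level bound for the number of runs/objects a page may
// produce; an illustrative value, not a PDFium constant.
constexpr int kMaxTextRuns = 1 << 20;

// Hardened form: validate the count as a signed value and against the bound
// before it is turned into a size. Returns the number of elements actually
// allocated, or -1 if the count was rejected.
long long BuildBuffer(int count) {
  if (count < 0 || count > kMaxTextRuns)
    return -1;
  std::vector<int> buf(static_cast<std::size_t>(count), 0);
  return static_cast<long long>(buf.size());
}

int main() {
  std::printf("count=-1 throws length_error: %s\n",
              ConstructThrowsLengthError(-1) ? "yes" : "no");
  std::printf("count=16 throws length_error: %s\n",
              ConstructThrowsLengthError(16) ? "yes" : "no");
  std::printf("BuildBuffer(-1) -> %lld\n", BuildBuffer(-1));
  std::printf("BuildBuffer(16) -> %lld\n", BuildBuffer(16));
  return 0;
}
```

The guard rejects the value while it is still signed; once it has been converted to size_t the sign is gone and only the (much larger) max_size() check remains, which is a crash rather than a graceful failure.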
Project Member Comment 4 by, Oct 4 2016
Status: Assigned
Comment 5 by, Oct 10 2016
Components: Internals>Plugins>PDF
Labels: Security_Impact-Stable M-54 Security_Severity-High
Comment 6 by, Oct 10 2016
Labels: OS-All
I am unable to repro this crash on Windows 10. develacker@, does the issue still repro for you? Are you exporting any ASAN_OPTIONS before running pdfium_test?
Yes, I checked that it was able to repro this crash on the latest Chrome version (53.0.2785.143) on Windows 10. Also I set ASAN_OPTIONS as "is_asan = true; is_syzyasan = true; is_ubsan = true; is_ubsan_security = true".
Status: Started
Project Member Comment 11 by, Oct 12 2016
The following revision refers to this bug:

commit 798e18f5e5cfb672c7f3186f6358b84c5ff7785b
Author: dsinclair <>
Date: Wed Oct 12 20:05:38 2016

Convert from int to float values.

The CPDF_Page::GetDisplayMatrix expects to set float values into the
|display_matrix| but all of the input values are currently int. It is possible
to overflow the int values, so this CL changes the variables to be int which
closer reflects what they're being used for.

BUG= chromium:652038 



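The commit above fixes the reported undefined behaviour by doing the CPDF_Page::GetDisplayMatrix arithmetic in float rather than int. The added example below is not PDFium's code and does not reproduce line 173; it assumes a width computed as `xMax - xMin` from two ints, which matches the shape of the sanitizer message (`0 - -2147483648`) but is a stand-in for whatever that line actually computed. It contrasts the undefined int subtraction with the two safe forms a reviewer would accept: widening to float before subtracting, as the fix does, and a checked subtraction for the case where an int result is genuinely required.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Added example, not PDFium code.
// Undefined behaviour: with xMin == INT_MIN, xMax - xMin does not fit in
// int. UBSan reports exactly this as
// "signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'".
// Kept only to show the shape; never call it with attacker-controlled bounds.
int WidthInt(int xMax, int xMin) {
  return xMax - xMin;
}

// In the spirit of the fix: convert each operand to float first, then
// subtract. 2^31 is exactly representable, so 0 - INT_MIN is simply 2147483648.
float WidthFloat(int xMax, int xMin) {
  return static_cast<float>(xMax) - static_cast<float>(xMin);
}

// When an int result is required: compute in a wider type and report, rather
// than perform, any result that does not fit. Portable alternative to
// __builtin_sub_overflow.
bool CheckedSub(int a, int b, int* out) {
  const int64_t r = static_cast<int64_t>(a) - static_cast<int64_t>(b);
  if (r < INT_MIN || r > INT_MAX)
    return false;
  *out = static_cast<int>(r);
  return true;
}

int main() {
  // Only well-defined inputs are exercised here.
  std::printf("WidthInt(10, 3)         = %d\n", WidthInt(10, 3));
  std::printf("WidthFloat(0, INT_MIN)  = %.0f\n", WidthFloat(0, INT_MIN));
  int out = 0;
  std::printf("CheckedSub(0, INT_MIN)  = %s\n",
              CheckedSub(0, INT_MIN, &out) ? "ok" : "overflow rejected");
  return 0;
}
```

Widening to float removes the overflow but trades it for loss of precision above 2^24; that is acceptable for a display matrix, where the values become scale factors, but not for anything later used as an index or an allocation size, which is where CheckedSub belongs.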
Status: Fixed
The undefined behaviour is fixed in comment 11, which is the originally reported issue. I have not been able to repro the vector issue.

If the vector issue persists for you, can you please open a new bug with repro steps?
Project Member Comment 13 by, Oct 12 2016
The following revision refers to this bug:

commit 7db20340321792730c532a8ff9723f1c3ff1e6df
Author: pdfium-deps-roller <>
Date: Wed Oct 12 21:52:30 2016

Roll src/third_party/pdfium/ 8779fa857..52ef14e89 (2 commits).

$ git log 8779fa857..52ef14e89 --date=short --no-merges --format='%ad %ae %s'
2016-10-12 ethannicholas added SkSL to Skia build
2016-10-12 dsinclair Convert from int to float values.

BUG= 652038

Cr-Commit-Position: refs/heads/master@{#424873}


Project Member Comment 14 by, Oct 13 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Issue 613030 has been merged into this issue.
Labels: reward-topanel
Project Member Comment 17 by, Oct 21 2016
Labels: Merge-Request-55
Comment 18 by, Oct 21 2016
Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
+awhalley@ for M55 merge review
We've not yet confirmed reproducibility.  I've uploaded to clusterfuzz to see if it has any luck ( &
Ok, please request a merge to M55 when you think it is ready and safe to merge. Thank you.
Labels: -Merge-Review-55 Merge-Request-55
Labels: -Merge-Request-55 Merge-Approved-55
Approving merge to M55 branch 2883. Please merge ASAP. Thank you.
Will merge.
Project Member Comment 25 by, Oct 27 2016
The following revision refers to this bug:

commit 3b3e316594617c9f382b550df881a7448df0afca
Author: Lei Zhang <>
Date: Thu Oct 27 20:53:02 2016

Labels: -Hotlist-Merge-Review -Needs-Feedback -Merge-Approved-55 merge-merged-2883
Labels: -reward-topanel reward-NA
I'm afraid the panel declined to reward as on closer inspection they couldn't determine how the overflow could be exploited.  Sorry about that, though let us know if you have an idea to the contrary.
Labels: M-55
Labels: Release-0-M55
Labels: -Security_Severity-High Security_Severity-Low
Labels: CVE-2016-5223
Project Member Comment 32 by, Jan 19 2017
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot