
Issue 652271

Issue metadata

Status: Fixed
Closed: Oct 2016
Type: Bug

ERROR: AddressSanitizer: stack-overflow on address XXXX

Reported by saintl...@gmail.com, Oct 3 2016

Issue description

VULNERABILITY DETAILS
The attached test cases can crash the ASan build of pdfium_test as follows:

VERSION
Chrome Version: pdfium_test (master branch)
Operating System: Ubuntu 16.04

[ASAN BUILD LOG]
==> sample2.pdf.dup.txt <==
Rendering PDF file sample2.pdf.dup.
ASAN:DEADLYSIGNAL
=================================================================
==42951==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc54d46f88 (pc 0x00000042fdcc bp 0x7ffc54d477f0 sp 0x7ffc54d46f90 T0)
    #0 0x42fdcb in memchr (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x42fdcb)
    #1 0x6d38d8 in CPDF_StreamContentParser::AddNameParam(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6d38d8)
    #2 0x6ed4f3 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6ed4f3)
    #3 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5edcce)
    #4 0x5d84ec in CPDF_PageObjectHolder::ContinueParse(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d84ec)
    #5 0x5c0e85 in CPDF_Type3Font::LoadChar(unsigned int, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5c0e85)

==> sample3.pdf.txt <==
Rendering PDF file sample3.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42959==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe78bdbfd8 (pc 0x00000042fdcc bp 0x7ffe78bdc840 sp 0x7ffe78bdbfe0 T0)
    #0 0x42fdcb in memchr (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x42fdcb)
    #1 0x987cce in FX_atonum(CFX_StringCTemplate<char> const&, void*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x987cce)
    #2 0x6d3e18 in CPDF_StreamContentParser::AddNumberParam(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6d3e18)
    #3 0x6ed640 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6ed640)
    #4 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5edcce)
    #5 0x5d84ec in CPDF_PageObjectHolder::ContinueParse(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d84ec)

==> sample4.pdf.txt <==
Rendering PDF file sample4.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42965==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd787a1fd8 (pc 0x0000004a671a bp 0x7ffd787a2830 sp 0x7ffd787a1fe0 T0)
    #0 0x4a6719 in __asan_memset (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x4a6719)
    #1 0x8e1120 in FPDFAPI_inflate_table (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x8e1120)
    #2 0x8da926 in FPDFAPI_inflate (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x8da926)
    #3 0x73a392 in CCodec_FlateModule::FlateOrLZWDecode(int, unsigned char const*, unsigned int, int, int, int, int, int, unsigned int, unsigned char*&, unsigned int&) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x73a392)
    #4 0x648655 in FPDFAPI_FlateOrLZWDecode(int, unsigned char const*, unsigned int, CPDF_Dictionary*, unsigned int, unsigned char*&, unsigned int&) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x648655)
    #5 0x648f7f in PDF_DataDecode(unsigned char const*, unsigned int, CPDF_Dictionary const*, unsigned char*&, unsigned int&, CFX_ByteString&, CPDF_Dictionary*&, unsigned int, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x648f7f)

==> sample5.pdf.txt <==
Rendering PDF file sample5.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42970==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6fb7ff8 (pc 0x000000420ca9 bp 0x7fffa6fb88c0 sp 0x7fffa6fb8000 T0)
    #0 0x420ca8 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x420ca8)
    #1 0x41fdc8 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x41fdc8)
    #2 0x4bd93b in calloc (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x4bd93b)
    #3 0x972ce5 in CFX_StringDataTemplate<char>::Create(int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x972ce5)
    #4 0x973cb0 in CFX_ByteString::CFX_ByteString(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x973cb0)
    #5 0x5d8f9f in CPDF_PageObjectHolder::LoadTransInfo() (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d8f9f)

It looks like this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=547537

I've attached some PDF files that I used.
+ All of the files could lead to a crash when Chrome opens the file.

Thanks
-Alex

Attachments:
sample2.pdf.dup (254 bytes)
sample3.pdf (267 bytes)
sample4.pdf (379 bytes)
sample5.pdf (219 bytes)
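Added here as a triage aid, not part of the bug report or of pdfium: a small parser for ASan reports like the ones above that extracts the crash kind, address and frame symbols, drops sanitizer/libc frames such as memchr and __asan_memset that are never the root cause, buckets files by crash signature, and lists the frames every report shares (here CPDF_StreamContentParser::Parse). The sample log is constructed from the first two reports above, trimmed to their top frames with the module path shortened.

```python
import re

# Constructed sample input: two of the ASan reports quoted in this bug, trimmed to their top frames, module path shortened.
SAMPLE_LOG = """\
Rendering PDF file sample2.pdf.dup.
==42951==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc54d46f88 (pc 0x00000042fdcc bp 0x7ffc54d477f0 sp 0x7ffc54d46f90 T0)
    #0 0x42fdcb in memchr (pdfium_test.asan+0x42fdcb)
    #1 0x6d38d8 in CPDF_StreamContentParser::AddNameParam(char const*, int) (pdfium_test.asan+0x6d38d8)
    #2 0x6ed4f3 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (pdfium_test.asan+0x6ed4f3)
    #3 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (pdfium_test.asan+0x5edcce)
Rendering PDF file sample3.pdf.
==42959==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe78bdbfd8 (pc 0x00000042fdcc bp 0x7ffe78bdc840 sp 0x7ffe78bdbfe0 T0)
    #0 0x42fdcb in memchr (pdfium_test.asan+0x42fdcb)
    #1 0x987cce in FX_atonum(CFX_StringCTemplate<char> const&, void*) (pdfium_test.asan+0x987cce)
    #2 0x6d3e18 in CPDF_StreamContentParser::AddNumberParam(char const*, int) (pdfium_test.asan+0x6d3e18)
    #3 0x6ed640 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (pdfium_test.asan+0x6ed640)
"""

HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) \(")  # symbol including its C++ argument list
NOISE = ("__asan", "__sanitizer", "memchr", "memset", "calloc", "malloc")  # never the root cause

def parse_asan_reports(text):
    """One record per report: file, pid, kind, address and the list of frame symbols."""
    reports, current = [], None
    for line in text.splitlines():
        if line.startswith("Rendering PDF file "):
            current = {"file": line[len("Rendering PDF file "):].rstrip("."), "frames": []}
            reports.append(current)
        elif current is not None and (m := HEADER.match(line)):
            current.update(pid=int(m[1]), kind=m[2], address=m[3])
        elif current is not None and (m := FRAME.match(line)):
            current["frames"].append(m[1].split("(")[0])  # keep the symbol, drop the arguments
    return reports

def crash_signature(report, depth=3):
    """Crash kind plus the top `depth` frames after sanitizer/libc frames are dropped."""
    frames = [f for f in report["frames"] if not f.startswith(NOISE)]
    return (report["kind"],) + tuple(frames[:depth])

def group_by_signature(reports, depth=3):  # bucket files so duplicate crashes are triaged once
    groups = {}
    for r in reports:
        groups.setdefault(crash_signature(r, depth), []).append(r["file"])
    return groups

def shared_frames(reports):  # non-noise frames present in every report: a shared-root-cause hint
    sets = [{f for f in r["frames"] if not f.startswith(NOISE)} for r in reports]
    return set.intersection(*sets) if sets else set()
```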

Comment 1 by kenrb@chromium.org, Oct 3 2016

Cc: tsepez@chromium.org dsinclair@chromium.org och...@chromium.org
Components: Internals>Plugins>PDF
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: ERROR: AddressSanitizer: stack-overflow on address XXXX (was: Security: ERROR: AddressSanitizer: stack-overflow on address XXXX)
I can verify crashes, but stack overflows are not security issues because they tend to be just infinite loops exhausting the maximum process stack size.

Cc: weili@chromium.org

Oh, I got it.

Thanks,
- Alex

Comment 4 by weili@chromium.org, Oct 4 2016

Cc: -weili@chromium.org
Owner: weili@chromium.org
Status: Assigned (was: Untriaged)

Comment 5 by weili@chromium.org, Oct 4 2016

Status: Fixed (was: Assigned)
Looks like they are all fixed in the newest build. Please sync your pdfium to the newest. If you still have problems, feel free to reopen it.