ERROR: AddressSanitizer: stack-overflow on address XXXX
Reported by saintl...@gmail.com, Oct 3 2016
Issue description
VULNERABILITY DETAILS
The attached test case could crash the ASan build of pdfium_test as follows:
VERSION
Chrome Version: pdfium_test (master branch)
Operating System: Ubuntu 16.04
[ASAN BUILD LOG]
==> sample2.pdf.dup.txt <==
Rendering PDF file sample2.pdf.dup.
ASAN:DEADLYSIGNAL
=================================================================
==42951==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc54d46f88 (pc 0x00000042fdcc bp 0x7ffc54d477f0 sp 0x7ffc54d46f90 T0)
#0 0x42fdcb in memchr (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x42fdcb)
#1 0x6d38d8 in CPDF_StreamContentParser::AddNameParam(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6d38d8)
#2 0x6ed4f3 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6ed4f3)
#3 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5edcce)
#4 0x5d84ec in CPDF_PageObjectHolder::ContinueParse(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d84ec)
#5 0x5c0e85 in CPDF_Type3Font::LoadChar(unsigned int, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5c0e85)
==> sample3.pdf.txt <==
Rendering PDF file sample3.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42959==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe78bdbfd8 (pc 0x00000042fdcc bp 0x7ffe78bdc840 sp 0x7ffe78bdbfe0 T0)
#0 0x42fdcb in memchr (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x42fdcb)
#1 0x987cce in FX_atonum(CFX_StringCTemplate<char> const&, void*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x987cce)
#2 0x6d3e18 in CPDF_StreamContentParser::AddNumberParam(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6d3e18)
#3 0x6ed640 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6ed640)
#4 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5edcce)
#5 0x5d84ec in CPDF_PageObjectHolder::ContinueParse(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d84ec)
==> sample4.pdf.txt <==
Rendering PDF file sample4.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42965==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd787a1fd8 (pc 0x0000004a671a bp 0x7ffd787a2830 sp 0x7ffd787a1fe0 T0)
#0 0x4a6719 in __asan_memset (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x4a6719)
#1 0x8e1120 in FPDFAPI_inflate_table (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x8e1120)
#2 0x8da926 in FPDFAPI_inflate (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x8da926)
#3 0x73a392 in CCodec_FlateModule::FlateOrLZWDecode(int, unsigned char const*, unsigned int, int, int, int, int, int, unsigned int, unsigned char*&, unsigned int&) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x73a392)
#4 0x648655 in FPDFAPI_FlateOrLZWDecode(int, unsigned char const*, unsigned int, CPDF_Dictionary*, unsigned int, unsigned char*&, unsigned int&) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x648655)
#5 0x648f7f in PDF_DataDecode(unsigned char const*, unsigned int, CPDF_Dictionary const*, unsigned char*&, unsigned int&, CFX_ByteString&, CPDF_Dictionary*&, unsigned int, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x648f7f)
==> sample5.pdf.txt <==
Rendering PDF file sample5.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42970==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6fb7ff8 (pc 0x000000420ca9 bp 0x7fffa6fb88c0 sp 0x7fffa6fb8000 T0)
#0 0x420ca8 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x420ca8)
#1 0x41fdc8 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x41fdc8)
#2 0x4bd93b in calloc (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x4bd93b)
#3 0x972ce5 in CFX_StringDataTemplate<char>::Create(int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x972ce5)
#4 0x973cb0 in CFX_ByteString::CFX_ByteString(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x973cb0)
#5 0x5d8f9f in CPDF_PageObjectHolder::LoadTransInfo() (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d8f9f)
It looks like this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=547537
I've attached some PDF files that I used.
+ All of the files could lead to a crash when Chrome opens the file.
Thanks
-Alex
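The four reports above are all ASan "stack-overflow" findings, which in AddressSanitizer terms means the thread ran out of stack (the fault address sits a few bytes below sp), not a stack-buffer-overflow. In such reports frame #0 is whichever libc or sanitizer-runtime routine happened to touch the guard page first (memchr, __asan_memset and the allocator here), so grouping fuzzer findings by the raw top frame would wrongly split one recursion bug into several. The triage script below is an added example, not part of the bug report or of pdfium: it parses this report format, checks the fault-address-to-sp distance, and keys each report on its first program frames after dropping runtime and libc frames. The sample input is constructed from two of the reports above; the NOISE_PREFIXES list and the depth of three frames are the script's own assumptions.

```python
import re

# Constructed sample input: two of the reports from this bug, copied as posted.
SAMPLE_LOG = """\
==> sample3.pdf.txt <==
Rendering PDF file sample3.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42959==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe78bdbfd8 (pc 0x00000042fdcc bp 0x7ffe78bdc840 sp 0x7ffe78bdbfe0 T0)
#0 0x42fdcb in memchr (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x42fdcb)
#1 0x987cce in FX_atonum(CFX_StringCTemplate<char> const&, void*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x987cce)
#2 0x6d3e18 in CPDF_StreamContentParser::AddNumberParam(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6d3e18)
#3 0x6ed640 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x6ed640)
#4 0x5edcce in CPDF_ContentParser::Continue(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5edcce)
#5 0x5d84ec in CPDF_PageObjectHolder::ContinueParse(IFX_Pause*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d84ec)
==> sample5.pdf.txt <==
Rendering PDF file sample5.pdf.
ASAN:DEADLYSIGNAL
=================================================================
==42970==ERROR: AddressSanitizer: stack-overflow on address 0x7fffa6fb7ff8 (pc 0x000000420ca9 bp 0x7fffa6fb88c0 sp 0x7fffa6fb8000 T0)
#0 0x420ca8 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x420ca8)
#1 0x41fdc8 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x41fdc8)
#2 0x4bd93b in calloc (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x4bd93b)
#3 0x972ce5 in CFX_StringDataTemplate<char>::Create(int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x972ce5)
#4 0x973cb0 in CFX_ByteString::CFX_ByteString(char const*, int) (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x973cb0)
#5 0x5d8f9f in CPDF_PageObjectHolder::LoadTransInfo() (/mnt/hgfs/vm_share/pdfium_fuzzer/pdfium_test.asan+0x5d8f9f)
"""

# "==> name <==" is the per-file header that `tail`/`head` print when given several files.
FILE_RE = re.compile(r"^==> (?P<name>.+) <==$")
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+) "
    r"\(pc (?P<pc>0x[0-9a-f]+) bp (?P<bp>0x[0-9a-f]+) sp (?P<sp>0x[0-9a-f]+) T(?P<tid>\d+)\)"
)
# Function names may contain parenthesised parameter lists, so match lazily up to " (module+offset)".
FRAME_RE = re.compile(r"^\s*#(?P<num>\d+) 0x[0-9a-f]+ in (?P<func>.+?) \((?P<module>[^)]+)\)\s*$")

# Assumed list of frames that belong to the sanitizer runtime or libc rather than the program under test.
NOISE_PREFIXES = ("__asan", "__sanitizer", "__interceptor", "memchr", "memset", "memcpy", "calloc", "malloc")


def parse_reports(text):
    """Split concatenated pdfium_test output into one dict per ASan report."""
    reports, current, current_file = [], None, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current_file = m.group("name")
            continue
        m = HEADER_RE.match(line)
        if m:
            addr, sp = int(m.group("addr"), 16), int(m.group("sp"), 16)
            current = {
                "file": current_file,
                "pid": int(m.group("pid")),
                "kind": m.group("kind"),
                "address": m.group("addr"),
                # For stack exhaustion the faulting access lies just below the stack pointer.
                "sp_distance": sp - addr,
                "frames": [],
            }
            reports.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current["frames"].append(m.group("func"))
    return reports


def crash_signature(report, depth=3):
    """(kind, first `depth` program frames) with runtime/libc frames and parameter lists removed."""
    program_frames = [f for f in report["frames"] if not f.startswith(NOISE_PREFIXES)]
    names = tuple(re.sub(r"\(.*$", "", f) for f in program_frames[:depth])
    return (report["kind"], names)


def group_by_signature(reports, depth=3):
    """Map each signature to the input files that produced it, for deduplicating fuzzer findings."""
    groups = {}
    for r in reports:
        groups.setdefault(crash_signature(r, depth), []).append(r["file"])
    return groups


if __name__ == "__main__":
    for sig, files in group_by_signature(parse_reports(SAMPLE_LOG)).items():
        print(sig[0], " <- ".join(sig[1]), files)
```

With the reports from this bug, sample2 and sample3 both key on CPDF_StreamContentParser frames while sample4 and sample5 key on Flate decoding and LoadTransInfo respectively, so the grouping separates distinct call paths but still identifies all four as stack exhaustion rather than four unrelated memchr/memset/calloc crashes.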
Oct 3 2016
Oct 4 2016
Oh, I got it. Thanks, - Alex
Oct 4 2016
Oct 4 2016
Looks like they are all fixed in the newest build. Please sync your pdfium to the newest. If you still have a problem, feel free to reopen it.
Comment 1 by kenrb@chromium.org, Oct 3 2016
Components: Internals>Plugins>PDF
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: ERROR: AddressSanitizer: stack-overflow on address XXXX (was: Security: ERROR: AddressSanitizer: stack-overflow on address XXXX)