Security: PDFium (LibTIFF / XFA) Heap Buffer Overflow in FPDFAPI_inflate
Reported by stackexp...@gmail.com, Oct 8 2016
Issue description
VULNERABILITY DETAILS
Issue 619399 was not fixed, but it was labeled as verified and its security view restrictions have been removed, so I opened this new issue.
The proof-of-concept files for Issue 619399 have been deleted, since the issue is still reproducible.
VERSION
Chrome Version: PDFium with XFA enabled
Operating System: All
REPRODUCTION CASE
See attachments.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
==21134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d8d8 at pc 0x0000004ab164 bp 0x7ffc97bfd2f0 sp 0x7ffc97bfcaa0
WRITE of size 52 at 0x60200000d8d8 thread T0
#0 0x4ab163 in __asan_memcpy (/pdfium/out/Debug/pdfium_test+0x4ab163)
#1 0x1f728f8 in FPDFAPI_inflate third_party/zlib_v128/inflate.c:886:17
#2 0x2b1553c in PixarLogDecode third_party/libtiff/tif_pixarlog.c:785:15
#3 0x2ac108f in TIFFReadEncodedTile third_party/libtiff/tif_read.c:668:33
#4 0x2aa1770 in gtTileContig third_party/libtiff/tif_getimage.c:661:10
#5 0x2aa106f in TIFFRGBAImageGet third_party/libtiff/tif_getimage.c:500:12
#6 0x2aa106f in TIFFReadRGBAImageOriented third_party/libtiff/tif_getimage.c:519
#7 0x2a5c4ba in CCodec_TiffContext::Decode(CFX_DIBitmap*) core/fxcodec/codec/fx_codec_tiff.cpp:414:9
#8 0x2a572c4 in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2255:26
#9 0x25f95e3 in XFA_LoadImageFromBuffer(IFX_FileRead*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1166:28
#10 0x25f8e35 in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, int&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1094:7
#11 0x2602ff7 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#12 0x27b0f16 in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#13 0x25dbeaa in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#14 0x25dc3f7 in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#15 0x1c4e44d in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:416:54
#16 0x1c3c70f in CPDFSDK_Document::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_document.cpp:69:14
#17 0x1c346f3 in FormHandleToPageView fpdfsdk/fpdfformfill.cpp:58:29
#18 0x1c346f3 in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:656
#19 0x4f5125 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:558:3
#20 0x4f58c3 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:572:20
#21 0x4f735d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:786:9
#22 0x4f8878 in main samples/pdfium_test.cc:916:5
#23 0x7fd7a045382f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
0x60200000d8d8 is located 0 bytes to the right of 8-byte region [0x60200000d8d0,0x60200000d8d8)
allocated by thread T0 here:
#0 0x4c238c in __interceptor_malloc (/pdfium/out/Debug/pdfium_test+0x4c238c)
#1 0x2b14ef8 in PixarLogSetupDecode third_party/libtiff/tif_pixarlog.c:692:24
#2 0x2b205e7 in PredictorSetupDecode third_party/libtiff/tif_predict.c:111:7
#3 0x2ac16b4 in TIFFStartTile third_party/libtiff/tif_read.c:1001:8
#4 0x2ac16b4 in TIFFFillTile third_party/libtiff/tif_read.c:901
#5 0x2ac102c in TIFFReadEncodedTile third_party/libtiff/tif_read.c:668:6
#6 0x2aa1770 in gtTileContig third_party/libtiff/tif_getimage.c:661:10
#7 0x2aa106f in TIFFRGBAImageGet third_party/libtiff/tif_getimage.c:500:12
#8 0x2aa106f in TIFFReadRGBAImageOriented third_party/libtiff/tif_getimage.c:519
#9 0x2a5c4ba in CCodec_TiffContext::Decode(CFX_DIBitmap*) core/fxcodec/codec/fx_codec_tiff.cpp:414:9
#10 0x2a572c4 in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2255:26
#11 0x25f95e3 in XFA_LoadImageFromBuffer(IFX_FileRead*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1166:28
#12 0x25f8e35 in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, int&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1094:7
#13 0x2602ff7 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
#14 0x27b0f16 in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
#15 0x25dbeaa in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
#16 0x25dc3f7 in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
#17 0x1c4e44d in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:416:54
#18 0x1c3c70f in CPDFSDK_Document::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_document.cpp:69:14
#19 0x1c346f3 in FormHandleToPageView fpdfsdk/fpdfformfill.cpp:58:29
#20 0x1c346f3 in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:656
#21 0x4f5125 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:558:3
#22 0x4f58c3 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:572:20
#23 0x4f735d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:786:9
#24 0x4f8878 in main samples/pdfium_test.cc:916:5
#25 0x7fd7a045382f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow (/pdfium/out/Debug/pdfium_test+0x4ab163) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b10: fa fa fa fa fa fa fa fa fa fa 00[fa]fa fa fd fa
0x0c047fff9b20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
0x0c047fff9b30: fa fa fd fa fa fa fd fd fa fa 00 fa fa fa 00 fa
0x0c047fff9b40: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa fd fa
0x0c047fff9b50: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa 00 00
0x0c047fff9b60: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21134==ABORTING
I'll attach a proof-of-concept file to demonstrate that some of the bytes used to overflow the buffer can be controlled. We can overflow the heap buffer with 40 bytes of 0x41 and 4 bytes of other values.
// --------------------------------------------------
// inflate.c
// --------------------------------------------------
880         case COPY:
881             copy = state->length;
882             if (copy) {
883                 if (copy > have) copy = have;
884                 if (copy > left) copy = left;
885                 if (copy == 0) goto inf_leave;
886                 zmemcpy(put, next, copy); // <---------------- Heap Buffer Overflow
887                 have -= copy;
888                 next += copy;
889                 left -= copy;
890                 put += copy;
891                 state->length -= copy;
892                 break;
893             }
894             Tracev((stderr, "inflate: stored end\n"));
895             state->mode = TYPE;
896             break;
0:000> dv
strm = 0x0a742f90
flush = 0n1
in = 0x4a
have = 0x45
ret = 0n0
copy = 0x34
put = 0x0a490ff8 "???" // destination buffer
bits = 0
last = struct code
hold = 0
state = 0x0a0c8430
out = 0x34
here = struct code
next = 0x0a714c48 "???" // source buffer
left = 0x34 // number of bytes to be copied
from = 0x002d70de "???"
len = 0x16f40c
order = unsigned short [19]
0:000> db 0x0a490ff8
0a490ff8 c0 c0 c0 c0 c0 c0 c0 c0-?? ?? ?? ?? ?? ?? ?? ?? ........????????
0a491008 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491018 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491028 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491038 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491048 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491058 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0a491068 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> db 0x0a714c48
0a714c48 11 01 04 00 01 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA
0a714c58 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0a714c68 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0a714c78 16 01 01 00 01 00 00 00-03 ff e9 00 17 01 01 00 ................
0a714c88 7f 00 00 00 01 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
0a714c98 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
0a714ca8 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
0a714cb8 c0 c0 c0 c0 c0 c0 c0 c0-c0 c0 c0 c0 c0 c0 c0 c0 ................
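The trace above shows zlib doing exactly what the quoted `case COPY:` code says: it clamps the copy to `left` (the caller's `avail_out`) and trusts that figure, while the 8-byte destination was sized earlier in PixarLogSetupDecode from the tile geometry. The program below is an added example and not code from PDFium, zlib or libtiff: it implements a decoder for raw DEFLATE streams made only of stored blocks, with the same clamping as the quoted loop, models an 8-byte `tbuf` receiving a 52-byte decode request inside a canary-filled arena (so the overrun is measurable without undefined behaviour), and contrasts the unchecked caller with a size check written in the spirit of the libtiff fix the bug's revision comments cite. The struct names, the `run_demo` harness and the exact form of the check are assumptions, not the libtiff patch itself.

```c
/* Added example, not code from PDFium, zlib or libtiff. Struct names and the
 * form of the size check in decode_checked() are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stripped-down stand-in for z_stream (constructed for this example). */
struct zstream_like {
    const uint8_t *next_in;  size_t avail_in;   /* "next" / "have" in inflate.c */
    uint8_t       *next_out; size_t avail_out;  /* "put"  / "left" in inflate.c */
};

/* Inflate a raw DEFLATE stream made only of stored (BTYPE=00) blocks.
 * Returns 0 on success, 1 when input or output space runs out, -1 on a
 * malformed stream. Like zlib it trusts avail_out: it copies up to that many
 * bytes into next_out and cannot know how large the real buffer is. */
static int inflate_stored(struct zstream_like *s)
{
    int bfinal = 0;
    while (!bfinal) {
        if (s->avail_in < 5) return -1;
        uint8_t hdr = s->next_in[0];                 /* bit 0 BFINAL, bits 1-2 BTYPE */
        bfinal = hdr & 1;
        if (((hdr >> 1) & 3) != 0) return -1;        /* only stored blocks handled */
        uint16_t len  = (uint16_t)(s->next_in[1] | (s->next_in[2] << 8));
        uint16_t nlen = (uint16_t)(s->next_in[3] | (s->next_in[4] << 8));
        if (nlen != (uint16_t)~len) return -1;       /* NLEN is one's complement of LEN */
        s->next_in += 5; s->avail_in -= 5;

        size_t length = len;                         /* state->length */
        while (length) {                             /* case COPY: */
            size_t copy = length;
            if (copy > s->avail_in)  copy = s->avail_in;    /* if (copy > have) */
            if (copy > s->avail_out) copy = s->avail_out;   /* if (copy > left) */
            if (copy == 0) return 1;                        /* goto inf_leave */
            memcpy(s->next_out, s->next_in, copy);          /* zmemcpy(put, next, copy) */
            s->avail_in  -= copy; s->next_in  += copy;
            s->avail_out -= copy; s->next_out += copy;
            length -= copy;
        }
    }
    return 0;
}

/* Models the PixarLog decoder state: tbuf is sized once at setup time from
 * the tile geometry; nsamples arrives later, per decode call. */
struct pixar_ctx { uint8_t *tbuf; size_t tbuf_size; };

/* Defective pattern: avail_out comes from nsamples alone, so a request for
 * more samples than tbuf holds lets the decoder write past tbuf. */
static int decode_unchecked(struct pixar_ctx *c, const uint8_t *in, size_t inlen, size_t nsamples)
{
    struct zstream_like s = { in, inlen, c->tbuf, nsamples * sizeof(uint16_t) };
    return inflate_stored(&s);
}

/* Hardened pattern (assumed form): refuse when nsamples*sizeof(uint16)
 * would exceed tbuf_size; division keeps the compare overflow-safe. */
static int decode_checked(struct pixar_ctx *c, const uint8_t *in, size_t inlen, size_t nsamples)
{
    if (nsamples > c->tbuf_size / sizeof(uint16_t)) {
        fprintf(stderr, "tbuf_size %zu < nsamples*sizeof(uint16) %zu: refusing\n",
                c->tbuf_size, nsamples * sizeof(uint16_t));
        return -2;
    }
    return decode_unchecked(c, in, inlen, nsamples);
}

/* Builds a one-block stored DEFLATE stream around payload (constructed input). */
static size_t build_stored_stream(uint8_t *out, const uint8_t *payload, uint16_t len)
{
    uint16_t nlen = (uint16_t)~len;
    out[0] = 0x01;                                   /* BFINAL=1, BTYPE=00 */
    out[1] = (uint8_t)(len & 0xff);  out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)(nlen & 0xff); out[4] = (uint8_t)(nlen >> 8);
    memcpy(out + 5, payload, len);
    return 5u + len;
}

enum { TBUF_SIZE = 8, ARENA_SIZE = 64, CANARY = 0xCC, PAYLOAD = 52 };

/* One decode against an 8-byte tbuf at the start of a 64-byte canary-filled
 * arena (the report's 8-byte region / 52-byte write). Returns how many canary
 * bytes past tbuf_size were overwritten; *rc gets the decoder's return code. */
static int run_demo(int checked, int *rc)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, CANARY, sizeof arena);
    struct pixar_ctx ctx = { arena, TBUF_SIZE };

    uint8_t payload[PAYLOAD];
    memset(payload, 'A', sizeof payload);            /* constructed: 52 x 0x41 */
    uint8_t buf[5 + PAYLOAD];
    size_t n = build_stored_stream(buf, payload, PAYLOAD);

    size_t nsamples = PAYLOAD / sizeof(uint16_t);    /* 26 samples -> avail_out 52 */
    *rc = checked ? decode_checked(&ctx, buf, n, nsamples)
                  : decode_unchecked(&ctx, buf, n, nsamples);

    int clobbered = 0;
    for (size_t i = TBUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY) clobbered++;
    return clobbered;
}

static int demo_overrun_bytes(int checked) { int rc; return run_demo(checked, &rc); }
static int demo_return_code(int checked)  { int rc; run_demo(checked, &rc); return rc; }

int main(void)
{
    printf("unchecked: rc=%d, bytes past tbuf=%d\n", demo_return_code(0), demo_overrun_bytes(0));
    printf("checked:   rc=%d, bytes past tbuf=%d\n", demo_return_code(1), demo_overrun_bytes(1));
    return 0;
}
```

The unchecked call completes "successfully" (rc 0) while writing 44 bytes beyond the 8-byte tbuf; the checked call returns -2 before any byte is written. The lesson generalises beyond PixarLog: any caller of inflate() must derive `avail_out` from the size of the buffer it actually allocated, never from a per-call count that a file can steer.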
Oct 27 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77

commit 8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77
Author: stackexploit <stackexploit@gmail.com>
Date: Thu Oct 27 05:40:34 2016

libtiff: Prevent a buffer overflow in function PixarLogDecode.

Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images.
The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800).
This CL applies the official patch to tif_pixarlog.c.

BUG= chromium:654172
R=dsinclair@chromium.org, thestig@chromium.org

Review-Url: https://codereview.chromium.org/2453253003

[add] https://crrev.com/8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch
[modify] https://crrev.com/8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77/third_party/libtiff/README.pdfium
[modify] https://crrev.com/8b67b19d7e6dfb8984cc9c92ef59a81cb4edaa77/third_party/libtiff/tif_pixarlog.c
Oct 27 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/1c467483d806d3bad9b2d90b581ec055ef7a4684

commit 1c467483d806d3bad9b2d90b581ec055ef7a4684
Author: thestig <thestig@chromium.org>
Date: Thu Oct 27 06:55:14 2016

libtiff: Fix unsigned vs signed comparison warning.

tif_pixarlog.c revision 1.45. commitid: IX5L3QQ5Qtzcofcz

BUG= chromium:654172

Review-Url: https://codereview.chromium.org/2452293002

[modify] https://crrev.com/1c467483d806d3bad9b2d90b581ec055ef7a4684/third_party/libtiff/0009-HeapBufferOverflow-PixarLogDecode.patch
[modify] https://crrev.com/1c467483d806d3bad9b2d90b581ec055ef7a4684/third_party/libtiff/tif_pixarlog.c
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9bd38346a12b1038bd00d7ae993f584c772fbc95

commit 9bd38346a12b1038bd00d7ae993f584c772fbc95
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Oct 27 08:34:59 2016

Roll src/third_party/pdfium/ f39074c0a..1c467483d (3 commits).

https://pdfium.googlesource.com/pdfium.git/+log/f39074c0ae47..1c467483d806

$ git log f39074c0a..1c467483d --date=short --no-merges --format='%ad %ae %s'
2016-10-26 thestig libtiff: Fix unsigned vs signed comparison warning.
2016-10-26 stackexploit libtiff: Prevent a buffer overflow in function PixarLogDecode.
2016-10-26 tsepez Fix some FX_BOOL / int noise in xfa

BUG= 654172

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2458613002
Cr-Commit-Position: refs/heads/master@{#427960}

[modify] https://crrev.com/9bd38346a12b1038bd00d7ae993f584c772fbc95/DEPS
Nov 4 2016
Hello dsinclair, this issue has been fixed. Could you please help close it now? Thanks.
Feb 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Oct 10 2016
Labels: M-55 Security_Severity-High Security_Impact-None Pri-2
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)