Issue 654173

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Blocking: issue 62400


Security: PDFium (XFA) Heap Buffer Overflow in CGifLZWDecoder::AddCode

Reported by stackexp...@gmail.com, Oct 8 2016

Issue description

VULNERABILITY DETAILS
Issue 617092 was not fixed, but it was labeled as verified and its security view restrictions have been removed.
So I opened this new issue.
The proof-of-concept files for Issue 617092 have been deleted, since the crash can still be reproduced.

VERSION
Chrome Version: PDFium with XFA enabled
Operating System: All

REPRODUCTION CASE
See attachments.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 
==21208==ERROR: AddressSanitizer: SEGV on unknown address 0x62a000047208 (pc 0x000002a68150 bp 0x7ffe62f43520 sp 0x7ffe62f43450 T0)
==21208==The signal is caused by a WRITE memory access.
    #0 0x2a6814f in AddCode core/fxcodec/lgif/fx_gif.cpp:76:32
    #1 0x2a6814f in CGifLZWDecoder::Decode(unsigned char*, unsigned int&) core/fxcodec/lgif/fx_gif.cpp:139
    #2 0x2a6df86 in gif_load_frame(tag_gif_decompress_struct*, int) core/fxcodec/lgif/fx_gif.cpp:984:34
    #3 0x2a5e9e2 in CCodec_GifModule::LoadFrame(FXGIF_Context*, int, CFX_DIBAttribute*) core/fxcodec/codec/fx_codec_gif.cpp:146:17
    #4 0x2a5695d in CCodec_ProgressiveDecoder::ContinueDecode(IFX_Pause*) core/fxcodec/codec/fx_codec_progress.cpp:2169:25
    #5 0x25f95e3 in XFA_LoadImageFromBuffer(IFX_FileRead*, FXCODEC_IMAGE_TYPE, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1166:28
    #6 0x25f8e35 in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, int&, int&, int&) xfa/fxfa/app/xfa_ffwidget.cpp:1094:7
    #7 0x2602ff7 in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
    #8 0x27b0f16 in CXFA_FFImage::LoadWidget() xfa/fxfa/app/xfa_ffimage.cpp:27:17
    #9 0x25dbeaa in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) xfa/fxfa/app/xfa_ffpageview.cpp:208:16
    #10 0x25dc3f7 in CXFA_FFPageWidgetIterator::MoveToNext() xfa/fxfa/app/xfa_ffpageview.cpp:178:34
    #11 0x1c4e44d in CPDFSDK_PageView::LoadFXAnnots() fpdfsdk/cpdfsdk_pageview.cpp:416:54
    #12 0x1c3c70f in CPDFSDK_Document::GetPageView(CPDFXFA_Page*, bool) fpdfsdk/cpdfsdk_document.cpp:69:14
    #13 0x1c346f3 in FormHandleToPageView fpdfsdk/fpdfformfill.cpp:58:29
    #14 0x1c346f3 in FORM_OnAfterLoadPage fpdfsdk/fpdfformfill.cpp:656
    #15 0x4f5125 in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) samples/pdfium_test.cc:558:3
    #16 0x4f58c3 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:572:20
    #17 0x4f735d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:786:9
    #18 0x4f8878 in main samples/pdfium_test.cc:916:5
    #19 0x7fad26ac282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV core/fxcodec/lgif/fx_gif.cpp:76:32 in AddCode
==21208==ABORTING

Comment 1 by tsepez@chromium.org, Oct 10 2016

Components: Internals>Plugins>PDF
Labels: M-55 Security_Severity-High Security_Impact-None OS-All Pri-2
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
Blocking: 62400

Comment 3 by wfh@chromium.org, May 16 2017

Labels: -Pri-2 Pri-1
Labels: -Pri-1 Pri-2
This is an XFA bug. XFA is not enabled on any branch of chrome.
Cc: npm@chromium.org

Comment 6 by npm@chromium.org, May 17 2017

Cc: -npm@chromium.org dsinclair@chromium.org
Owner: npm@chromium.org
Status: Fixed (was: Assigned)
Fixed by https://pdfium-review.googlesource.com/c/5513/

Comment 7 by sheriffbot@chromium.org, May 18 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by sheriffbot@chromium.org, Aug 24 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by awhalley@google.com, Aug 29 2017

Labels: reward-NA
