
Issue 655106


Issue metadata

Status: Duplicate
Merged: issue 616669
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: a heap-buffer-overflow in pdfium

Reported by seuk...@gmail.com, Oct 12 2016

Issue description

VULNERABILITY DETAILS
I found a heap-buffer-overflow when fuzzing pdfium_test with ASan. But this case can't be triggered in pdfium_test without ASan. I am not sure whether it could be exploited.

VERSION
latest version of pdfium (Oct 10th)

REPRODUCTION CASE
run "pdfium_test_asan poc.pdf"

HONGGFUZZ BACKTRACE INFO
=====================================================================
FUZZER ARGS:
 flipRate     : 0.000500
 externalCmd  : NULL
 fuzzStdin    : FALSE
 timeout      : 10 (sec)
 ignoreAddr   : (nil)
 memoryLimit  : 0 (MiB)
 targetPid    : 0
 targetCmd    : (null)
 wordlistFile : NULL
 dynFileMethod: NONE
 fuzzTarget   : /home/kimyok/pdfium/pdfium_test_asan -D ___FILE___ 
ORIG_FNAME: png2.pdf
FUZZ_FNAME: ./SIGABRT.PC.7ffff6a73c37.STACK.14741381d7.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.pdf
PID: 15663
SIGNAL: SIGABRT (6)
FAULT ADDRESS: (nil)
INSTRUCTION: cmp____$0xfffffffffffff000,%rax
STACK HASH: 00000014741381d7
STACK:
 <0x00007ffff6a77028> [[UNKNOWN]():0]
 <0x00000000004e2506> [_ZN11__sanitizer5AbortEv():0]
 <0x00000000004dd795> [_ZN11__sanitizer3DieEv():0]
 <0x00000000004c8a17> [_ZN6__asan19ScopedInErrorReportD2Ev():0]
 <0x00000000004c8390> [_ZN6__asan18ReportGenericErrorEmmmmbmjb():0]
 <0x00000000004c8bfb> [__asan_report_load1():0]
 <0x0000000003d2036b> [_ZN12_GLOBAL__N_117GetDWord_LSBFirstEPh():18]
 <0x0000000003d1bd0a> [bmp_read_header():85]
 <0x0000000003d15762> [_ZN16CCodec_BmpModule10ReadHeaderEP13FXBMP_ContextPiS2_S2_S2_S2_PPjP16CFX_DIBAttribute():90]
 <0x0000000003d01870> [_ZN25CCodec_ProgressiveDecoder15DetectImageTypeE18FXCODEC_IMAGE_TYPEP16CFX_DIBAttribute():1077]
 <0x0000000003d056b3> [_ZN25CCodec_ProgressiveDecoder13LoadImageInfoEP12IFX_FileRead18FXCODEC_IMAGE_TYPEP16CFX_DIBAttributeb():1338]
 <0x00000000035254c6> [_Z23XFA_LoadImageFromBufferP12IFX_FileRead18FXCODEC_IMAGE_TYPERiS2_():1134]
 <0x00000000034e1807> [GetPDFNamedImage():467]
 <0x0000000003524143> [_Z17XFA_LoadImageDataP10CXFA_FFDocP10CXFA_ImageRiS3_S3_():1077]
 <0x000000000354f524> [_ZN20CXFA_ImageLayoutData13LoadImageDataEP14CXFA_WidgetAcc():97]
 <0x0000000003542bed> [LoadImageImage():999]
 <0x000000000388efe1> [_ZN12CXFA_FFImage10LoadWidgetEv():28]
 <0x00000000034fd492> [_ZN25CXFA_FFPageWidgetIterator9GetWidgetEP15CXFA_LayoutItem():192]
 <0x00000000034fd58f> [_ZN25CXFA_FFPageWidgetIterator10MoveToNextEv():162]
 <0x00000000024b78a6> [LoadFXAnnots():930]
 <0x00000000024b70e6> [GetPageView():278]
 <0x000000000243aaef> [_ZN12_GLOBAL__N_120FormHandleToPageViewEPvS0_():44]
 <0x000000000243e53d> [FORM_OnAfterLoadPage():641]
 <0x0000000000505d56> [RenderPage():536]
 <0x0000000000508b2d> [_Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_():736]
 <0x000000000050b51e> [main():879]
 <0x00007ffff6a5ef45> [[UNKNOWN]():0]
 <0x0000000000423035> [_start():0]
 <0x0000000000000000> [[UNKNOWN]():0]
=====================================================================

ASAN INFO
=====================================================================
==13633==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000046b3e at pc 0x000003d2036b bp 0x7ffd4a18c550 sp 0x7ffd4a18c548
READ of size 1 at 0x602000046b3e thread T0
    #0 0x3d2036a  (/home/kimyok/pdfium/pdfium_test_asan+0x3d2036a)
    #1 0x3d1bd09  (/home/kimyok/pdfium/pdfium_test_asan+0x3d1bd09)
    #2 0x3d15761  (/home/kimyok/pdfium/pdfium_test_asan+0x3d15761)
    #3 0x3d0186f  (/home/kimyok/pdfium/pdfium_test_asan+0x3d0186f)
    #4 0x3d056b2  (/home/kimyok/pdfium/pdfium_test_asan+0x3d056b2)
    #5 0x35254c5  (/home/kimyok/pdfium/pdfium_test_asan+0x35254c5)
    #6 0x34e1806  (/home/kimyok/pdfium/pdfium_test_asan+0x34e1806)
    #7 0x3524142  (/home/kimyok/pdfium/pdfium_test_asan+0x3524142)
    #8 0x354f523  (/home/kimyok/pdfium/pdfium_test_asan+0x354f523)
    #9 0x3542bec  (/home/kimyok/pdfium/pdfium_test_asan+0x3542bec)
    #10 0x388efe0  (/home/kimyok/pdfium/pdfium_test_asan+0x388efe0)
    #11 0x34fd491  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd491)
    #12 0x34fd58e  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd58e)
    #13 0x24b78a5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b78a5)
    #14 0x24b70e5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b70e5)
    #15 0x243aaee  (/home/kimyok/pdfium/pdfium_test_asan+0x243aaee)
    #16 0x243e53c  (/home/kimyok/pdfium/pdfium_test_asan+0x243e53c)
    #17 0x505d55  (/home/kimyok/pdfium/pdfium_test_asan+0x505d55)
    #18 0x508b2c  (/home/kimyok/pdfium/pdfium_test_asan+0x508b2c)
    #19 0x50b51d  (/home/kimyok/pdfium/pdfium_test_asan+0x50b51d)
    #20 0x7f8a9997bf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

0x602000046b3e is located 0 bytes to the right of 14-byte region [0x602000046b30,0x602000046b3e)
allocated by thread T0 here:
    #0 0x4c11a3  (/home/kimyok/pdfium/pdfium_test_asan+0x4c11a3)
    #1 0xa0cdbc  (/home/kimyok/pdfium/pdfium_test_asan+0xa0cdbc)
    #2 0x3d010e3  (/home/kimyok/pdfium/pdfium_test_asan+0x3d010e3)
    #3 0x3d056b2  (/home/kimyok/pdfium/pdfium_test_asan+0x3d056b2)
    #4 0x35254c5  (/home/kimyok/pdfium/pdfium_test_asan+0x35254c5)
    #5 0x34e1806  (/home/kimyok/pdfium/pdfium_test_asan+0x34e1806)
    #6 0x3524142  (/home/kimyok/pdfium/pdfium_test_asan+0x3524142)
    #7 0x354f523  (/home/kimyok/pdfium/pdfium_test_asan+0x354f523)
    #8 0x3542bec  (/home/kimyok/pdfium/pdfium_test_asan+0x3542bec)
    #9 0x388efe0  (/home/kimyok/pdfium/pdfium_test_asan+0x388efe0)
    #10 0x34fd491  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd491)
    #11 0x34fd58e  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd58e)
    #12 0x24b78a5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b78a5)
    #13 0x24b70e5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b70e5)
    #14 0x243aaee  (/home/kimyok/pdfium/pdfium_test_asan+0x243aaee)
    #15 0x243e53c  (/home/kimyok/pdfium/pdfium_test_asan+0x243e53c)
    #16 0x505d55  (/home/kimyok/pdfium/pdfium_test_asan+0x505d55)
    #17 0x508b2c  (/home/kimyok/pdfium/pdfium_test_asan+0x508b2c)
    #18 0x50b51d  (/home/kimyok/pdfium/pdfium_test_asan+0x50b51d)
    #19 0x7f8a9997bf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kimyok/pdfium/pdfium_test_asan+0x3d2036a) 
Shadow bytes around the buggy address:
  0x0c0480000d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480000d60: fa fa 00 06 fa fa 00[06]fa fa 00 fa fa fa 00 07
  0x0c0480000d70: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c0480000d80: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa fd fa
  0x0c0480000d90: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa fd fa
  0x0c0480000da0: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fd
  0x0c0480000db0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13633==ABORTING


 
Attachment: poc.pdf (13.4 KB)
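The trace and the ASan report above describe a one-byte read at offset 14 of a 14-byte heap region, made by a little-endian dword helper (GetDWord_LSBFirst) called from bmp_read_header. The 14-byte BMP file header and the "bare pointer" reader are a natural fit for that shape, although the page does not show the pdfium source, so the parser below is an assumed illustration of the hazard, not pdfium's code and not from this report. It puts a pointer-only dword reader beside a length-checked one, and an unchecked header parser beside a hardened one; the names parse_bmp_header_unchecked, parse_bmp_header_checked, get_dword_lsb_first_checked and the constructed 14-byte input are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit read from a bare pointer, the same job as the
 * GetDWord_LSBFirst frame in the trace. Reading byte by byte is why ASan
 * reports "READ of size 1": the first byte past the buffer is what faults. */
static uint32_t get_dword_lsb_first(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length-aware variant (assumed name): refuses the read unless 4 bytes
 * remain at off. The subtraction is done only after off <= len is known,
 * so it cannot wrap. */
static bool get_dword_lsb_first_checked(const uint8_t *buf, size_t len,
                                        size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return false;
    *out = get_dword_lsb_first(buf + off);
    return true;
}

/* BMP file header: 'B','M', u32 file size, u16+u16 reserved, u32 pixel
 * data offset = 14 bytes. The DIB header that follows starts with a u32 size. */
#define BMP_FILE_HEADER_SIZE 14

typedef struct {
    uint32_t file_size;
    uint32_t pixel_offset;
    uint32_t dib_header_size; /* first field after the 14-byte file header */
} bmp_header;

/* Assumed (illustrative) unchecked parser: it reads the DIB header size at
 * offset 14 without knowing how many bytes the caller actually has. Given a
 * 14-byte buffer that read is exactly one past the end. Never call this with
 * fewer than 18 bytes. Returns 0 on success, -1 on a bad magic. */
int parse_bmp_header_unchecked(const uint8_t *buf, bmp_header *h)
{
    if (buf[0] != 'B' || buf[1] != 'M')
        return -1;
    h->file_size = get_dword_lsb_first(buf + 2);
    h->pixel_offset = get_dword_lsb_first(buf + 10);
    h->dib_header_size = get_dword_lsb_first(buf + BMP_FILE_HEADER_SIZE);
    return 0;
}

/* Hardened parser: every read is bounded by len. Returns 0 on success,
 * -1 on a bad magic, 1 when the buffer is too short, so the caller fetches
 * more data instead of the parser reading past the end. */
int parse_bmp_header_checked(const uint8_t *buf, size_t len, bmp_header *h)
{
    if (len < 2 || buf[0] != 'B' || buf[1] != 'M')
        return -1;
    if (!get_dword_lsb_first_checked(buf, len, 2, &h->file_size))
        return 1;
    if (!get_dword_lsb_first_checked(buf, len, 10, &h->pixel_offset))
        return 1;
    if (!get_dword_lsb_first_checked(buf, len, BMP_FILE_HEADER_SIZE,
                                     &h->dib_header_size))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed input: a bare 14-byte file header, heap-allocated so the
     * over-read lands in a heap redzone exactly as in the report above. */
    static const uint8_t file_header[BMP_FILE_HEADER_SIZE] = {
        'B', 'M', 0x2a, 0, 0, 0, 0, 0, 0, 0, 0x36, 0, 0, 0 };
    uint8_t *buf = malloc(BMP_FILE_HEADER_SIZE);
    if (!buf)
        return 1;
    memcpy(buf, file_header, BMP_FILE_HEADER_SIZE);

    bmp_header h;
    int rc = parse_bmp_header_checked(buf, BMP_FILE_HEADER_SIZE, &h);
    printf("checked parser on 14 bytes: rc=%d (1 = need more data)\n", rc);

#ifdef DEMO_OVERFLOW
    /* Build with -fsanitize=address -DDEMO_OVERFLOW to see the same shape of
     * report: READ of size 1, 0 bytes to the right of a 14-byte region. */
    rc = parse_bmp_header_unchecked(buf, &h);
    printf("unchecked parser on 14 bytes: rc=%d\n", rc);
#endif
    free(buf);
    return 0;
}
```

Without ASan a one-byte over-read of a heap allocation almost always returns whatever byte happens to follow the chunk and continues silently, which is why such a case shows up only in the sanitized build; the hardened parser turns the same short input into a "need more data" result instead of a read the caller cannot see.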

Comment 1 by mmoroz@chromium.org, Oct 12 2016

Mergedinto: 616669
Status: Duplicate (was: Unconfirmed)
Thanks for your report. Unfortunately, this is a known issue.

Comment 2 by sheriffbot@chromium.org, May 9 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
