
Issue 655448


Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: a crash in pdfium

Reported by seuk...@gmail.com, Oct 13 2016

Issue description

VULNERABILITY DETAILS
Found a stack overflow in pdfium while decoding XML.

VERSION
Chrome not supported. Only pdfium affected.

REPRODUCTION CASE
./pdfium_test 8.stack_overflow_1db0c323e.pdf

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: pdfium_test
Crash State: 
**************************************************************
Rendering PDF file /home/fuzzing/8.stack_overflow_1db0c323e.pdf.
Segmentation fault (core dumped)
==============================================================
STACK:
 <0x0000000002a07a99> [_ZN14CFX_BasicArray7SetSizeEi():24]
 <0x000000000349ff1a> [_ZN15CFX_ObjectArrayI14CFX_WideStringE9RemoveAllEv():427]
 <0x000000000373d60a> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
 <0x0000000003738368> [_ZN12CFDE_XMLNode14DeleteChildrenEv():100]
 <0x0000000003738263> [_ZN12CFDE_XMLNodeD1Ev():93]
 <0x000000000373d636> [_ZN15CFDE_XMLElementD1Ev():682]
 <0x000000000373d659> [_ZN15CFDE_XMLElementD0Ev():680]
 <0x000000000373d6e9> [_ZN15CFDE_XMLElement7ReleaseEv():686]
=====================================================================
Attachment: 8.stack_overflow_1db0c323e.pdf (78.2 KB)
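The repeating DeleteChildren / ~CFDE_XMLElement frames in the stack above are the signature of a recursive tree teardown: one native call frame per XML nesting level, so an attacker-supplied document that nests deeply enough exhausts the thread's stack. The block below is an added illustration and not pdfium's code; `Node`, `buildChain`, `deleteRecursive` and `deleteIterative` are hypothetical names. It places the recursive pattern beside an explicit-worklist teardown whose depth is bounded by heap memory rather than stack size.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for an XML element node that owns its children.
// It has no destructor of its own so the two teardown strategies below
// can be compared on the same tree shape.
struct Node {
    std::vector<Node*> children;
};

// Build root -> child -> grandchild ... `depth` levels deep: the shape that
// `depth` nested XML elements produce in a DOM-style tree (constructed input).
Node* buildChain(std::size_t depth) {
    Node* root = new Node;
    Node* cur = root;
    for (std::size_t i = 0; i < depth; ++i) {
        Node* child = new Node;
        cur->children.push_back(child);
        cur = child;
    }
    return root;
}

// The pattern visible in the crash stack: delete children, each of which
// deletes its own children, one call frame per nesting level. Safe only
// when the nesting depth is small; returns the number of nodes freed.
std::size_t deleteRecursive(Node* n) {
    std::size_t freed = 0;
    for (Node* c : n->children)
        freed += deleteRecursive(c);
    delete n;
    return freed + 1;
}

// Mitigation: an explicit worklist replaces the call stack. Each node is
// visited once and its children are queued, so call depth stays constant
// regardless of how deeply the input nests. Returns the number of nodes freed.
std::size_t deleteIterative(Node* root) {
    std::vector<Node*> work{root};
    std::size_t freed = 0;
    while (!work.empty()) {
        Node* n = work.back();
        work.pop_back();
        for (Node* c : n->children)
            work.push_back(c);
        delete n;
        ++freed;
    }
    return freed;
}
```

At a nesting depth in the hundreds of thousands, deleteRecursive would exhaust a default 8 MB stack while deleteIterative frees the same tree with a two-entry worklist.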

Comment 1 by mmoroz@chromium.org, Oct 13 2016

Labels: Needs-Feedback
The same question as for bug 655447. I cannot reproduce with the latest version.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)
Stack overflows tend not to be security issues, and it looks like we were unable to reproduce this on trunk. If you are still able to reproduce this consistently, could you please file a new (non-security) bug for it and include the version you used?

Thanks for the report either way.
