Issue 656559 link

Issue metadata

Status: Duplicate
Owner: ----
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: heap-use-after-free in CPDF_Dictionary::GetDirectObjectFor

Reported by chromium...@gmail.com, Oct 17 2016

Issue description

VERSION
Chrome Version: 56.0.2891.0 canary (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Open http://www.pdf995.com/samples/pdf.pdf
2. Print the page >> Crash!


rax=0000000000000000 rbx=00000000001adc70 rcx=00000000026abdf0
rdx=0000000002cd0032 rsi=0000000000000001 rdi=00000000026ab868
rip=00000000000002d2 rsp=00000000001adb68 rbp=00000000001adc79
 r8=0000000000000000  r9=00000000001adc08 r10=000007fed088ccac
r11=00000000024b5d40 r12=00000000023ce390 r13=00000000001ade90
r14=00000000001ade00 r15=00000000001ade90
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
00000000`000002d2 ??              ???
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
*** WARNING: Unable to verify checksum for chrome_child.dll
Child-SP          RetAddr           Call Site
00000000`001adb68 000007fe`cf916711 0x2d2
00000000`001adb70 000007fe`cf916838 chrome_child!CPDF_Dictionary::GetDirectObjectFor+0x19 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\parser\cpdf_dictionary.cpp @ 87]
00000000`001adba0 000007fe`cf8e0d0a chrome_child!CPDF_Dictionary::GetRectFor+0x20 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\parser\cpdf_dictionary.cpp @ 150]
00000000`001adbe0 000007fe`cf8e0bbe chrome_child!`anonymous namespace'::ParserStream+0xde [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdf_flatten.cpp @ 73]
00000000`001adce0 000007fe`cf8e124b chrome_child!`anonymous namespace'::ParserAnnots+0x1ea [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdf_flatten.cpp @ 119]
00000000`001add60 000007fe`cebc9b2f chrome_child!FPDFPage_Flatten+0xc3 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdf_flatten.cpp @ 266]
00000000`001ae030 000007fe`cebcd05d chrome_child!chrome_pdf::PDFiumEngine::GetFlattenedPrintData+0xaf [c:\b\build\slave\win64-pgo\build\src\pdf\pdfium\pdfium_engine.cc @ 1394]
00000000`001ae230 000007fe`cebccdd1 chrome_child!chrome_pdf::PDFiumEngine::PrintPagesAsPDF+0x20d [c:\b\build\slave\win64-pgo\build\src\pdf\pdfium\pdfium_engine.cc @ 1456]
00000000`001ae320 000007fe`cebd4c81 chrome_child!chrome_pdf::PDFiumEngine::PrintPages+0x65 [c:\b\build\slave\win64-pgo\build\src\pdf\pdfium\pdfium_engine.cc @ 1237]
00000000`001ae380 000007fe`ceb8055b chrome_child!chrome_pdf::OutOfProcessInstance::PrintPages+0x45 [c:\b\build\slave\win64-pgo\build\src\pdf\out_of_process_instance.cc @ 748]
00000000`001ae3c0 000007fe`cf02bfb7 chrome_child!pp::`anonymous namespace'::PrintPages+0x6b [c:\b\build\slave\win64-pgo\build\src\ppapi\cpp\dev\printing_dev.cc @ 47]
00000000`001ae440 000007fe`cf02b68e chrome_child!ppapi::proxy::PPP_Printing_Proxy::OnPluginMsgPrintPages+0x5b [c:\b\build\slave\win64-pgo\build\src\ppapi\proxy\ppp_printing_proxy.cc @ 180]
00000000`001ae490 000007fe`cf02bd43 chrome_child!IPC::MessageT<PpapiMsg_PPPPrinting_PrintPages_Meta,std::tuple<int,std::vector<PP_PrintPageNumberRange_Dev,std::allocator<PP_PrintPageNumberRange_Dev> > >,std::tuple<ppapi::HostResource> >::Dispatch<ppapi::proxy::PPP_Printing_Proxy,ppapi::proxy::PPP_Printing_Proxy,void,void (__cdecl ppapi::proxy::PPP_Printing_Proxy::*)(int,std::vector<PP_PrintPageNumberRange_Dev,std::allocator<PP_PrintPageNumberRange_Dev> > const & __ptr64,ppapi::HostResource * __ptr64) __ptr64>+0x10a [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_message_templates.h @ 174]
00000000`001ae560 000007fe`cf021646 chrome_child!ppapi::proxy::PPP_Printing_Proxy::OnMessageReceived+0x1a3 [c:\b\build\slave\win64-pgo\build\src\ppapi\proxy\ppp_printing_proxy.cc @ 138]
00000000`001ae5f0 000007fe`cf022df9 chrome_child!ppapi::proxy::Dispatcher::OnMessageReceived+0x32 [c:\b\build\slave\win64-pgo\build\src\ppapi\proxy\dispatcher.cc @ 70]
00000000`001ae620 000007fe`cddaae08 chrome_child!ppapi::proxy::PluginDispatcher::OnMessageReceived+0x1c9 [c:\b\build\slave\win64-pgo\build\src\ppapi\proxy\plugin_dispatcher.cc @ 252]
00000000`001ae780 000007fe`cd8d7408 chrome_child!IPC::ChannelProxy::Context::OnDispatchMessage+0x28 [c:\b\build\slave\win64-pgo\build\src\ipc\ipc_channel_proxy.cc @ 340]
00000000`001ae7b0 000007fe`cd8d6308 chrome_child!base::debug::TaskAnnotator::RunTask+0x1b8 [c:\b\build\slave\win64-pgo\build\src\base\debug\task_annotator.cc @ 52]
00000000`001ae920 000007fe`cd8d7f41 chrome_child!base::MessageLoop::RunTask+0xbc [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 414]
00000000`001aea40 000007fe`cd8d7bfd chrome_child!base::MessageLoop::DoWork+0x1b1 [c:\b\build\slave\win64-pgo\build\src\base\message_loop\message_loop.cc @ 515]

Comment 1 by mmoroz@chromium.org, Oct 17 2016

Cc: mmoroz@chromium.org
Mergedinto: 656475
Status: Duplicate (was: Unconfirmed)
Thanks for your report. This is a known issue.

Comment 2 by sheriffbot@chromium.org, Jan 24 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot