
Issue 656562


Issue metadata

Status: Duplicate
Merged: issue 616669
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: heap-buffer-overflow in pdfium

Reported by seuk...@gmail.com, Oct 17 2016

Issue description

VULNERABILITY DETAILS
Found a 1-byte OOB read in pdfium while decoding XFA.

VERSION
pdfium with asan.

REPRODUCTION CASE
./pdfium_test SIGABRT.PC.7ffff6a73c37.STACK.2a8c125c3.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.pdf

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: pdfium_test
Crash State: 
**************************************************************
Rendering PDF file /home/kimyok/honggfuzz/fuzzing/poc.pdf.
=================================================================
==13633==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000046b3e at pc 0x000003d2036b bp 0x7ffd4a18c550 sp 0x7ffd4a18c548
READ of size 1 at 0x602000046b3e thread T0
    #0 0x3d2036a  (/home/kimyok/pdfium/pdfium_test_asan+0x3d2036a)
    #1 0x3d1bd09  (/home/kimyok/pdfium/pdfium_test_asan+0x3d1bd09)
    #2 0x3d15761  (/home/kimyok/pdfium/pdfium_test_asan+0x3d15761)
    #3 0x3d0186f  (/home/kimyok/pdfium/pdfium_test_asan+0x3d0186f)
    #4 0x3d056b2  (/home/kimyok/pdfium/pdfium_test_asan+0x3d056b2)
    #5 0x35254c5  (/home/kimyok/pdfium/pdfium_test_asan+0x35254c5)
    #6 0x34e1806  (/home/kimyok/pdfium/pdfium_test_asan+0x34e1806)
    #7 0x3524142  (/home/kimyok/pdfium/pdfium_test_asan+0x3524142)
    #8 0x354f523  (/home/kimyok/pdfium/pdfium_test_asan+0x354f523)
    #9 0x3542bec  (/home/kimyok/pdfium/pdfium_test_asan+0x3542bec)
    #10 0x388efe0  (/home/kimyok/pdfium/pdfium_test_asan+0x388efe0)
    #11 0x34fd491  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd491)
    #12 0x34fd58e  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd58e)
    #13 0x24b78a5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b78a5)
    #14 0x24b70e5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b70e5)
    #15 0x243aaee  (/home/kimyok/pdfium/pdfium_test_asan+0x243aaee)
    #16 0x243e53c  (/home/kimyok/pdfium/pdfium_test_asan+0x243e53c)
    #17 0x505d55  (/home/kimyok/pdfium/pdfium_test_asan+0x505d55)
    #18 0x508b2c  (/home/kimyok/pdfium/pdfium_test_asan+0x508b2c)
    #19 0x50b51d  (/home/kimyok/pdfium/pdfium_test_asan+0x50b51d)
    #20 0x7f8a9997bf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

0x602000046b3e is located 0 bytes to the right of 14-byte region [0x602000046b30,0x602000046b3e)
allocated by thread T0 here:
    #0 0x4c11a3  (/home/kimyok/pdfium/pdfium_test_asan+0x4c11a3)
    #1 0xa0cdbc  (/home/kimyok/pdfium/pdfium_test_asan+0xa0cdbc)
    #2 0x3d010e3  (/home/kimyok/pdfium/pdfium_test_asan+0x3d010e3)
    #3 0x3d056b2  (/home/kimyok/pdfium/pdfium_test_asan+0x3d056b2)
    #4 0x35254c5  (/home/kimyok/pdfium/pdfium_test_asan+0x35254c5)
    #5 0x34e1806  (/home/kimyok/pdfium/pdfium_test_asan+0x34e1806)
    #6 0x3524142  (/home/kimyok/pdfium/pdfium_test_asan+0x3524142)
    #7 0x354f523  (/home/kimyok/pdfium/pdfium_test_asan+0x354f523)
    #8 0x3542bec  (/home/kimyok/pdfium/pdfium_test_asan+0x3542bec)
    #9 0x388efe0  (/home/kimyok/pdfium/pdfium_test_asan+0x388efe0)
    #10 0x34fd491  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd491)
    #11 0x34fd58e  (/home/kimyok/pdfium/pdfium_test_asan+0x34fd58e)
    #12 0x24b78a5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b78a5)
    #13 0x24b70e5  (/home/kimyok/pdfium/pdfium_test_asan+0x24b70e5)
    #14 0x243aaee  (/home/kimyok/pdfium/pdfium_test_asan+0x243aaee)
    #15 0x243e53c  (/home/kimyok/pdfium/pdfium_test_asan+0x243e53c)
    #16 0x505d55  (/home/kimyok/pdfium/pdfium_test_asan+0x505d55)
    #17 0x508b2c  (/home/kimyok/pdfium/pdfium_test_asan+0x508b2c)
    #18 0x50b51d  (/home/kimyok/pdfium/pdfium_test_asan+0x50b51d)
    #19 0x7f8a9997bf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kimyok/pdfium/pdfium_test_asan+0x3d2036a) 
Shadow bytes around the buggy address:
  0x0c0480000d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480000d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480000d60: fa fa 00 06 fa fa 00[06]fa fa 00 fa fa fa 00 07
  0x0c0480000d70: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c0480000d80: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa fd fa
  0x0c0480000d90: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa fd fa
  0x0c0480000da0: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fd
  0x0c0480000db0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13633==ABORTING


==============================================================
STACK:
 <0x00007ffff6a77028> [[UNKNOWN]():0]
 <0x00000000004e2506> [_ZN11__sanitizer5AbortEv():0]
 <0x00000000004dd795> [_ZN11__sanitizer3DieEv():0]
 <0x00000000004c8a17> [_ZN6__asan19ScopedInErrorReportD2Ev():0]
 <0x00000000004c8390> [_ZN6__asan18ReportGenericErrorEmmmmbmjb():0]
 <0x00000000004c8bfb> [__asan_report_load1():0]
 <0x0000000003d2036b> [_ZN12_GLOBAL__N_117GetDWord_LSBFirstEPh():18]
 <0x0000000003d1bd0a> [bmp_read_header():85]
 <0x0000000003d15762> [_ZN16CCodec_BmpModule10ReadHeaderEP13FXBMP_ContextPiS2_S2_S2_S2_PPjP16CFX_DIBAttribute():90]
 <0x0000000003d01870> [_ZN25CCodec_ProgressiveDecoder15DetectImageTypeE18FXCODEC_IMAGE_TYPEP16CFX_DIBAttribute():1077]
 <0x0000000003d056b3> [_ZN25CCodec_ProgressiveDecoder13LoadImageInfoEP12IFX_FileRead18FXCODEC_IMAGE_TYPEP16CFX_DIBAttributeb():1338]
 <0x00000000035254c6> [_Z23XFA_LoadImageFromBufferP12IFX_FileRead18FXCODEC_IMAGE_TYPERiS2_():1134]
 <0x00000000034e1807> [GetPDFNamedImage():467]
 <0x0000000003524143> [_Z17XFA_LoadImageDataP10CXFA_FFDocP10CXFA_ImageRiS3_S3_():1077]
 <0x000000000354f524> [_ZN20CXFA_ImageLayoutData13LoadImageDataEP14CXFA_WidgetAcc():97]
 <0x0000000003542bed> [LoadImageImage():999]
 <0x000000000388efe1> [_ZN12CXFA_FFImage10LoadWidgetEv():28]
 <0x00000000034fd492> [_ZN25CXFA_FFPageWidgetIterator9GetWidgetEP15CXFA_LayoutItem():192]
 <0x00000000034fd58f> [_ZN25CXFA_FFPageWidgetIterator10MoveToNextEv():162]
 <0x00000000024b78a6> [LoadFXAnnots():930]
 <0x00000000024b70e6> [GetPageView():278]
 <0x000000000243aaef> [_ZN12_GLOBAL__N_120FormHandleToPageViewEPvS0_():44]
 <0x000000000243e53d> [FORM_OnAfterLoadPage():641]
 <0x0000000000505d56> [RenderPage():536]
 <0x0000000000508b2d> [_Z9RenderPdfRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPKcmRK7OptionsS7_():736]
 <0x000000000050b51e> [main():879]
 <0x00007ffff6a5ef45> [[UNKNOWN]():0]
 <0x0000000000423035> [_start():0]
 <0x0000000000000000> [[UNKNOWN]():0]
=====================================================================

Attachment: poc.pdf (13.4 KB)

Comment 1 by mmoroz@chromium.org, Oct 17 2016

Mergedinto: 616669
Status: Duplicate (was: Unconfirmed)
Thanks for your report. That seems to be a known issue (bug 616669).

=================================================================
==49948==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000127de at pc 0x0000020b6343 bp 0x7ffd4d3b4420 sp 0x7ffd4d3b4418
READ of size 1 at 0x6020000127de thread T0
    #0 0x20b6342 in (anonymous namespace)::GetDWord_LSBFirst(unsigned char*) third_party/pdfium/core/fxcodec/lbmp/fx_bmp.cpp:18:10
    #1 0x20b44ca in bmp_read_header(tag_bmp_decompress_struct*) third_party/pdfium/core/fxcodec/lbmp/fx_bmp.cpp:86:9
    #2 0x20b147c in CCodec_BmpModule::ReadHeader(FXBMP_Context*, int*, int*, int*, int*, int*, unsigned int**, CFX_DIBAttribute*) third_party/pdfium/core/fxcodec/codec/fx_codec_bmp.cpp:90:17
    #3 0x20a5eda in CCodec_ProgressiveDecoder::DetectImageType(FXCODEC_IMAGE_TYPE, CFX_DIBAttribute*) third_party/pdfium/core/fxcodec/codec/fx_codec_progress.cpp:1077:40
    #4 0x20a7b3e in CCodec_ProgressiveDecoder::LoadImageInfo(IFX_FileRead*, FXCODEC_IMAGE_TYPE, CFX_DIBAttribute*, bool) third_party/pdfium/core/fxcodec/codec/fx_codec_progress.cpp:1338:9
    #5 0x1d65212 in XFA_LoadImageFromBuffer(IFX_FileRead*, FXCODEC_IMAGE_TYPE, int&, int&) third_party/pdfium/xfa/fxfa/app/xfa_ffwidget.cpp:1135:24
    #6 0x1d45f69 in CXFA_FFDoc::GetPDFNamedImage(CFX_StringCTemplate<wchar_t> const&, int&, int&) third_party/pdfium/xfa/fxfa/app/xfa_ffdoc.cpp:422:30
    #7 0x1d64905 in XFA_LoadImageData(CXFA_FFDoc*, CXFA_Image*, int&, int&, int&) third_party/pdfium/xfa/fxfa/app/xfa_ffwidget.cpp:1080:17
    #8 0x1d74a8d in CXFA_ImageLayoutData::LoadImageData(CXFA_WidgetAcc*) third_party/pdfium/xfa/fxfa/app/xfa_ffwidgetacc.cpp:97:25
    #9 0x1eb2ff6 in CXFA_FFImage::LoadWidget() third_party/pdfium/xfa/fxfa/app/xfa_ffimage.cpp:27:17
    #10 0x1d50ee8 in CXFA_FFPageWidgetIterator::GetWidget(CXFA_LayoutItem*) third_party/pdfium/xfa/fxfa/app/xfa_ffpageview.cpp:208:16
    #11 0x1d514e7 in CXFA_FFPageWidgetIterator::MoveToNext() third_party/pdfium/xfa/fxfa/app/xfa_ffpageview.cpp:178:34
    #12 0x15f8617 in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:412:54
    #13 0x15ebbb5 in CPDFSDK_FormFillEnvironment::GetPageView(CPDFXFA_Page*, bool) third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:595:14
    #14 0x15deb31 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/fpdfformfill.cpp:656:37
    #15 0x4fb82e in GetPageForIndex(_FPDF_FORMFILLINFO*, void*, int) third_party/pdfium/samples/pdfium_test.cc:566:3
    #16 0x4fbc43 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*&, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:580:20
    #17 0x4fd27d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:794:9
    #18 0x4fe1b6 in main third_party/pdfium/samples/pdfium_test.cc:928:5
    #19 0x7feb4eb30f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
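Both traces pin the read to a byte-wise LSB-first DWORD reader (GetDWord_LSBFirst) called from bmp_read_header, and ASan places it 0 bytes past a 14-byte heap region, which is exactly the size of a BMP file header. The C below is an added example, not pdfium's code: it models that pattern with the unchecked reader beside a bounds-checked one, a minimal file-header parser that refuses a 14-byte input instead of reading past it, and two constructed sample headers. The function and field names, the sample bytes, and the assumption that the overread is the first info-header DWORD read immediately after a 14-byte file header are illustrative, not taken from the pdfium source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not pdfium's code). Models the pattern in the traces above:
 * a byte-wise little-endian DWORD reader, named after GetDWord_LSBFirst in
 * the report, called by a BMP header parser. The reader has no idea how long
 * the buffer is, so every caller must prove the 4 bytes exist. */

/* Unchecked reader: the caller must guarantee p[0..3] are inside the buffer.
 * Pointed at the end of a buffer, p[0] is the 1-byte overread ASan flags. */
static uint32_t get_dword_lsb_first_unchecked(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Checked reader: reads buf[off..off+3] only if that range lies inside
 * [buf, buf+len). Returns 1 on success, 0 if the read would overrun. */
static int get_dword_lsb_first(const uint8_t *buf, size_t len, size_t off,
                               uint32_t *out) {
    if (off > len || len - off < 4)   /* avoids computing off + 4 (could wrap) */
        return 0;
    *out = get_dword_lsb_first_unchecked(buf + off);
    return 1;
}

/* BITMAPFILEHEADER is 14 bytes: 'B''M', bfSize, bfReserved1, bfReserved2,
 * bfOffBits. The info header that follows opens with a 4-byte biSize, so a
 * 14-byte input ends exactly where that DWORD is read (assumption: this is
 * the read the report shows, 0 bytes past a 14-byte region). */
#define BMP_FILE_HEADER_SIZE 14u

struct bmp_header {
    uint32_t file_size;  /* bfSize */
    uint32_t off_bits;   /* bfOffBits: offset of pixel data from file start */
    uint32_t info_size;  /* biSize: first DWORD of the info header */
};

/* Returns 1 and fills *h for a well-formed header of sufficient length,
 * 0 for a truncated or non-BMP input. Never reads past buf + len. */
int bmp_read_header(const uint8_t *buf, size_t len, struct bmp_header *h) {
    if (len < BMP_FILE_HEADER_SIZE || buf[0] != 'B' || buf[1] != 'M')
        return 0;
    if (!get_dword_lsb_first(buf, len, 2, &h->file_size))
        return 0;
    if (!get_dword_lsb_first(buf, len, 10, &h->off_bits))
        return 0;
    /* Offset 14: the read that must fail, not overrun, on a 14-byte buffer. */
    if (!get_dword_lsb_first(buf, len, BMP_FILE_HEADER_SIZE, &h->info_size))
        return 0;
    /* Consistency checks a decoder also wants: pixel data must start after
     * both headers and inside the declared file size. */
    if (h->off_bits < BMP_FILE_HEADER_SIZE + h->info_size ||
        h->off_bits > h->file_size)
        return 0;
    return 1;
}

/* Constructed sample inputs: a header cut at exactly the 14-byte file
 * header, and the same bytes with biSize = 40 (BITMAPINFOHEADER) appended. */
static const uint8_t kTruncated14[14] = {
    'B', 'M', 0x36, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0x36, 0x00, 0x00, 0x00 };
static const uint8_t kWithInfoSize[18] = {
    'B', 'M', 0x36, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0x36, 0x00, 0x00, 0x00,
    0x28, 0x00, 0x00, 0x00 };

/* Parses a copy held in a heap allocation of exactly n bytes, so that under
 * ASan any overread would be reported just as in the bug above. */
int parse_exact_copy(const uint8_t *src, size_t n, struct bmp_header *h) {
    uint8_t *copy = malloc(n);
    if (!copy) return -1;
    memcpy(copy, src, n);
    int ok = bmp_read_header(copy, n, h);
    free(copy);
    return ok;
}

/* Parses the 18-byte sample and returns its biSize, or 0 if rejected. */
uint32_t demo_info_size(void) {
    struct bmp_header h;
    return parse_exact_copy(kWithInfoSize, sizeof kWithInfoSize, &h) == 1
               ? h.info_size : 0;
}

int main(void) {
    struct bmp_header h;
    printf("14-byte input: %s\n",
           parse_exact_copy(kTruncated14, sizeof kTruncated14, &h)
               ? "parsed" : "rejected (truncated)");
    if (parse_exact_copy(kWithInfoSize, sizeof kWithInfoSize, &h))
        printf("18-byte input: bfSize=%u bfOffBits=%u biSize=%u\n",
               h.file_size, h.off_bits, h.info_size);
    return 0;
}
```

Build it with `-fsanitize=address` and drop the bounds check in get_dword_lsb_first to reproduce the same class of report on the 14-byte sample: READ of size 1 at the first byte past a 14-byte region.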

Comment 2 by sheriffbot@chromium.org, May 9 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot