[Pdfium]AddressSanitizer: heap-use-after-free on address 0x60b000000520
Reported by marcin.t...@gmail.com, Oct 19 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.11 Safari/537.36
Steps to reproduce the problem:
1. Download - asan-linux-release-425612
2. Run pdfium_test poc.pdf
3. Wait for crash
What is the expected behavior?
What went wrong?
==25081==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000520 at pc 0x000002a3e461 bp 0x7ffe6ab7fab0 sp 0x7ffe6ab7faa8
READ of size 8 at 0x60b000000520 thread T0
#0 0x2a3e460 in get buildtools/third_party/libc++/trunk/include/memory:2714:76
#1 0x2a3e460 in GetInterForm third_party/pdfium/fpdfsdk/cpdfsdk_interform.h:36
#2 0x2a3e460 in CPDFSDK_Widget::GetFormControl() const third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:535
#3 0x2a71d27 in CPDFSDK_WidgetHandler::ReleaseAnnot(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/cpdfsdk_widgethandler.cpp:87:41
#4 0x2a3923e in CPDFSDK_PageView::~CPDFSDK_PageView() third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:71:23
#5 0x2a2d4ff in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
#6 0x2a2d4ff in reset buildtools/third_party/libc++/trunk/include/memory:2735
#7 0x2a2d4ff in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703
#8 0x2a2d4ff in ~pair buildtools/third_party/libc++/trunk/include/utility:280
#9 0x2a2d4ff in ~__value_type buildtools/third_party/libc++/trunk/include/map:653
#10 0x2a2d4ff in __destroy<std::__1::__value_type<CPDF_Page *, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > buildtools/third_party/libc++/trunk/include/memory:1673
#11 0x2a2d4ff in destroy<std::__1::__value_type<CPDF_Page *, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > buildtools/third_party/libc++/trunk/include/memory:1536
#12 0x2a2d4ff in std::__1::__tree<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, std::__1::__map_value_compare<CPDF_Page*, std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, std::__1::less<CPDF_Page*>, true>, std::__1::allocator<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > >::destroy(std::__1::__tree_node<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, void*>*) buildtools/third_party/libc++/trunk/include/__tree:1431
#13 0x2a26531 in ~__tree buildtools/third_party/libc++/trunk/include/__tree:1419:5
#14 0x2a26531 in ~map buildtools/third_party/libc++/trunk/include/__tree:1105
#15 0x2a26531 in CPDFSDK_FormFillEnvironment::~CPDFSDK_FormFillEnvironment() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:68
#16 0x2a1c979 in FPDFDOC_ExitFormFillEnvironment third_party/pdfium/fpdfsdk/fpdfformfill.cpp:287:3
#17 0x501018 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:802:3
#18 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
#19 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
0x60b000000520 is located 16 bytes inside of 112-byte region [0x60b000000510,0x60b000000580)
freed by thread T0 here:
#0 0x4f304b in operator delete(void*) (/media/Fuzzing/NodeFuzz/ch/asan-linux-release-425616/pdfium_test+0x4f304b)
#1 0x2a26500 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
#2 0x2a26500 in reset buildtools/third_party/libc++/trunk/include/memory:2735
#3 0x2a26500 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703
#4 0x2a26500 in CPDFSDK_FormFillEnvironment::~CPDFSDK_FormFillEnvironment() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:68
#5 0x2a1c979 in FPDFDOC_ExitFormFillEnvironment third_party/pdfium/fpdfsdk/fpdfformfill.cpp:287:3
#6 0x501018 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:802:3
#7 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
#8 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
previously allocated by thread T0 here:
#0 0x4f240b in operator new(unsigned long) (/media/Fuzzing/NodeFuzz/ch/asan-linux-release-425616/pdfium_test+0x4f240b)
#1 0x2a2ca12 in MakeUnique<CPDFSDK_InterForm, CPDFSDK_FormFillEnvironment *> third_party/pdfium/third_party/base/ptr_util.h:56:29
#2 0x2a2ca12 in CPDFSDK_FormFillEnvironment::GetInterForm() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:691
#3 0x2a1d9b9 in FormHandleToInterForm third_party/pdfium/fpdfsdk/fpdfformfill.cpp:48:39
#4 0x2a1d9b9 in FPDF_SetFormFieldHighlightColor third_party/pdfium/fpdfsdk/fpdfformfill.cpp:639
#5 0x500e4d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:771:3
#6 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
#7 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/memory:2714:76 in get
Shadow bytes around the buggy address:
0x0c167fff8050: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c167fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c167fff8070: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c167fff8080: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c167fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c167fff80a0: fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c167fff80b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c167fff80c0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
0x0c167fff80d0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c167fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c167fff80f0: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25081==ABORTING
Did this work before? N/A
Chrome version: 6.0.2892.0 (Developer Build) (64-bit) Channel: n/a
OS Version: 16.04
Flash Version: Shockwave Flash 23.0 r0
Oct 22 2016
Looks like a duplicate of issue 653459. Doesn't reproduce on tip of tree.
Jan 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Oct 20 2016