
Issue 657258

Issue metadata

Status: Duplicate
Merged: issue 653459
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




[Pdfium] AddressSanitizer: heap-use-after-free on address 0x60b000000520

Reported by marcin.t...@gmail.com, Oct 19 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.11 Safari/537.36

Steps to reproduce the problem:
1. Download - asan-linux-release-425612 
2. Run pdfium_test poc.pdf
3. Wait for crash

What is the expected behavior?

What went wrong?
==25081==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000520 at pc 0x000002a3e461 bp 0x7ffe6ab7fab0 sp 0x7ffe6ab7faa8
READ of size 8 at 0x60b000000520 thread T0
    #0 0x2a3e460 in get buildtools/third_party/libc++/trunk/include/memory:2714:76
    #1 0x2a3e460 in GetInterForm third_party/pdfium/fpdfsdk/cpdfsdk_interform.h:36
    #2 0x2a3e460 in CPDFSDK_Widget::GetFormControl() const third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:535
    #3 0x2a71d27 in CPDFSDK_WidgetHandler::ReleaseAnnot(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/cpdfsdk_widgethandler.cpp:87:41
    #4 0x2a3923e in CPDFSDK_PageView::~CPDFSDK_PageView() third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:71:23
    #5 0x2a2d4ff in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #6 0x2a2d4ff in reset buildtools/third_party/libc++/trunk/include/memory:2735
    #7 0x2a2d4ff in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703
    #8 0x2a2d4ff in ~pair buildtools/third_party/libc++/trunk/include/utility:280
    #9 0x2a2d4ff in ~__value_type buildtools/third_party/libc++/trunk/include/map:653
    #10 0x2a2d4ff in __destroy<std::__1::__value_type<CPDF_Page *, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > buildtools/third_party/libc++/trunk/include/memory:1673
    #11 0x2a2d4ff in destroy<std::__1::__value_type<CPDF_Page *, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > buildtools/third_party/libc++/trunk/include/memory:1536
    #12 0x2a2d4ff in std::__1::__tree<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, std::__1::__map_value_compare<CPDF_Page*, std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, std::__1::less<CPDF_Page*>, true>, std::__1::allocator<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > > > >::destroy(std::__1::__tree_node<std::__1::__value_type<CPDF_Page*, std::__1::unique_ptr<CPDFSDK_PageView, std::__1::default_delete<CPDFSDK_PageView> > >, void*>*) buildtools/third_party/libc++/trunk/include/__tree:1431
    #13 0x2a26531 in ~__tree buildtools/third_party/libc++/trunk/include/__tree:1419:5
    #14 0x2a26531 in ~map buildtools/third_party/libc++/trunk/include/__tree:1105
    #15 0x2a26531 in CPDFSDK_FormFillEnvironment::~CPDFSDK_FormFillEnvironment() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:68
    #16 0x2a1c979 in FPDFDOC_ExitFormFillEnvironment third_party/pdfium/fpdfsdk/fpdfformfill.cpp:287:3
    #17 0x501018 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:802:3
    #18 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
    #19 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

0x60b000000520 is located 16 bytes inside of 112-byte region [0x60b000000510,0x60b000000580)
freed by thread T0 here:
    #0 0x4f304b in operator delete(void*) (/media/Fuzzing/NodeFuzz/ch/asan-linux-release-425616/pdfium_test+0x4f304b)
    #1 0x2a26500 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
    #2 0x2a26500 in reset buildtools/third_party/libc++/trunk/include/memory:2735
    #3 0x2a26500 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703
    #4 0x2a26500 in CPDFSDK_FormFillEnvironment::~CPDFSDK_FormFillEnvironment() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:68
    #5 0x2a1c979 in FPDFDOC_ExitFormFillEnvironment third_party/pdfium/fpdfsdk/fpdfformfill.cpp:287:3
    #6 0x501018 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:802:3
    #7 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
    #8 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4f240b in operator new(unsigned long) (/media/Fuzzing/NodeFuzz/ch/asan-linux-release-425616/pdfium_test+0x4f240b)
    #1 0x2a2ca12 in MakeUnique<CPDFSDK_InterForm, CPDFSDK_FormFillEnvironment *> third_party/pdfium/third_party/base/ptr_util.h:56:29
    #2 0x2a2ca12 in CPDFSDK_FormFillEnvironment::GetInterForm() third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:691
    #3 0x2a1d9b9 in FormHandleToInterForm third_party/pdfium/fpdfsdk/fpdfformfill.cpp:48:39
    #4 0x2a1d9b9 in FPDF_SetFormFieldHighlightColor third_party/pdfium/fpdfsdk/fpdfformfill.cpp:639
    #5 0x500e4d in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:771:3
    #6 0x5029e5 in main third_party/pdfium/samples/pdfium_test.cc:928:5
    #7 0x7fec97a3bf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/memory:2714:76 in get
Shadow bytes around the buggy address:
  0x0c167fff8050: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c167fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c167fff8070: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c167fff8080: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c167fff8090: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c167fff80a0: fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c167fff80b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c167fff80c0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
  0x0c167fff80d0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c167fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff80f0: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25081==ABORTING

Did this work before? N/A 

Chrome version: 6.0.2892.0 (Developer Build) (64-bit)  Channel: n/a
OS Version: 16.04
Flash Version: Shockwave Flash 23.0 r0
 
Attachment: poc.pdf (1.7 KB)

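The trace above has the classic shape of a destruction-order use-after-free: both the free (frame #4 of the "freed by" stack, `~unique_ptr` inside `~CPDFSDK_FormFillEnvironment` at cpdfsdk_formfillenvironment.cpp:68) and the stale read (frame #15 of the crash stack, `~map` at the same line) happen during implicit member destruction, with the interform's `unique_ptr` torn down before the page-view map whose `~CPDFSDK_PageView` still reaches it through `ReleaseAnnot` -> `GetFormControl` -> `GetInterForm`. The C++ program below is an added illustration of that bug class and of the usual fix; it is not PDFium's code and is not from the reporter. The class names (`InterForm`, `PageView`, `BuggyEnvironment`, `FixedEnvironment`) are hypothetical stand-ins, and the liveness registry is an assumption of the simulation: it lets the page-view destructor detect a stale back-pointer without dereferencing it, which in the real build is exactly what AddressSanitizer reports.

```cpp
// Added example: models the destruction-order use-after-free in the ASan
// trace (interform freed first, page views released through it afterwards).
// Names are hypothetical; this is not PDFium code.
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Registry of live InterForm objects. It stands in for ASan's shadow memory so
// the simulation can recognise a freed object without touching it.
static std::set<const void*>& LiveInterForms() {
  static std::set<const void*> live;
  return live;
}

struct InterForm {
  InterForm() { LiveInterForms().insert(this); }
  ~InterForm() { LiveInterForms().erase(this); }
};

// A page view keeps a raw back-pointer to the interform its widgets belong to;
// releasing those widgets requires the interform to still be alive.
class PageView {
 public:
  PageView(const InterForm* form, std::vector<std::string>* log)
      : form_(form), log_(log) {}
  ~PageView() {
    // Mirrors ReleaseAnnot -> GetFormControl -> GetInterForm in the trace.
    if (LiveInterForms().count(form_) == 0)
      log_->push_back("use-after-free: interform already freed");
    else
      log_->push_back("released widgets through live interform");
  }

 private:
  const InterForm* form_;
  std::vector<std::string>* log_;
};

// Buggy layout: members are destroyed in reverse declaration order, so the
// interform (declared last) dies before the page-view map that still uses it.
class BuggyEnvironment {
 public:
  explicit BuggyEnvironment(std::vector<std::string>* log)
      : inter_form_(std::make_unique<InterForm>()) {
    page_views_[1] = std::make_unique<PageView>(inter_form_.get(), log);
  }

 private:
  std::map<int, std::unique_ptr<PageView>> page_views_;
  std::unique_ptr<InterForm> inter_form_;  // destroyed before page_views_
};

// Fixed layout: the dependent container is torn down explicitly in the
// destructor body, so correctness no longer hinges on declaration order.
class FixedEnvironment {
 public:
  explicit FixedEnvironment(std::vector<std::string>* log)
      : inter_form_(std::make_unique<InterForm>()) {
    page_views_[1] = std::make_unique<PageView>(inter_form_.get(), log);
  }
  ~FixedEnvironment() { page_views_.clear(); }  // page views go first

 private:
  std::unique_ptr<InterForm> inter_form_;  // declared first: destroyed last
  std::map<int, std::unique_ptr<PageView>> page_views_;
};

// Run one teardown per layout and return the recorded lifecycle events.
std::vector<std::string> TeardownBuggy() {
  std::vector<std::string> log;
  { BuggyEnvironment env(&log); }
  return log;
}

std::vector<std::string> TeardownFixed() {
  std::vector<std::string> log;
  { FixedEnvironment env(&log); }
  return log;
}

bool LogShowsUseAfterFree(const std::vector<std::string>& log) {
  for (const auto& e : log)
    if (e.rfind("use-after-free", 0) == 0) return true;
  return false;
}

int main() {
  for (const auto& e : TeardownBuggy()) std::cout << "buggy: " << e << '\n';
  for (const auto& e : TeardownFixed()) std::cout << "fixed: " << e << '\n';
  return 0;
}
```

Build with `-std=c++14` or later. The registry only simulates the check; compiling a real reproducer with `-fsanitize=address` is what turns the stale read into the report quoted above. Reordering the members alone would also silence this instance, but an explicit teardown in the destructor body survives later members being added in the wrong place, which is why it is the more defensive fix for this bug class.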

Comment 1 by ClusterFuzz (Project Member), Oct 20 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4550583749181440
Mergedinto: 653459
Status: Duplicate (was: Unconfirmed)
Looks like a duplicate of issue 653459. Doesn't reproduce on tip of tree.

Comment 3 by sheriffbot@chromium.org (Project Member), Jan 29 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
