Crash of PDF viewer in all tabs loading a PDF that contains an illegal JPEG2000 image (2017-05)
Reported by
pal...@us.ibm.com,
Jan 4 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12

Steps to reproduce the problem:
Summary of the issue: A specially-crafted PDF file which contains a specially-crafted illegal JPEG2000 image will cause Chrome’s PDF viewer (pdfium) to crash and show the sad tab icon on a black background. No “Failed to load PDF document” error is displayed. After such a crash, all open tabs which had PDFs in them are crashed too (turn into black background with white sad tab icon). This suggests that the isolation between the tabs running the PDF viewer is not adequate. See attached files.

What is the expected behavior?
Summary of the issue: A specially-crafted PDF file which contains a specially-crafted illegal JPEG2000 image will cause Chrome’s PDF viewer (pdfium) to crash and show the sad tab icon on a black background. No “Failed to load PDF document” error is displayed. After such a crash, all open tabs which had PDFs in them are crashed too (turn into black background with white sad tab icon). This suggests that the isolation between the tabs running the PDF viewer is not adequate.

What went wrong?
Explanation: The attached poc1.zip (password: infected) contains poc1.pdf which causes this issue when opened in Chrome. The PDF file is a simple wrapping around the malformed JPEG2000 image poc1.j2k (also in the ZIP file). The underlying bug is in OpenJPEG’s decoding, and can be seen when running OpenJPEG’s opj_dump (or opj_decompress) on the poc1.j2k image file. For example:

$ ./opj_dump -i poc1.j2k

Crashed report ID: No
How much crashed? Just one tab
Is it a problem with a plugin? N/A
Did this work before? N/A
Chrome version: Google Chrome 55
Channel: n/a
OS Version: 7 64 Bit
Flash Version:

Credit to Dov Murik of IBM
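The report says poc1.pdf is a simple wrapper around the raw codestream poc1.j2k, and that the bug reproduces with opj_dump on the bare .j2k. The script below is an added example, not the reporter's PoC and not pdfium or OpenJPEG code: it wraps any raw JPEG 2000 codestream in a minimal single-page PDF whose image XObject uses /Filter /JPXDecode, which is the stream type pdfium hands to OpenJPEG, and then verifies its own xref table, since viewers silently rebuild a broken xref and would hide an off-by-one in the wrapper. SAMPLE_J2K is a constructed placeholder (a couple of marker bytes plus padding), not a crash trigger; the function names are mine.

```python
"""Wrap a raw JPEG 2000 codestream in a minimal PDF so that a viewer decodes
it through its JPX (OpenJPEG) path. Added example; the codestream is a
constructed placeholder, not poc1.j2k. Swap in a real .j2k file to triage a
report like this one: first run opj_dump on the bare codestream, then open
the wrapped PDF in the viewer to confirm the crash is reached through JPXDecode.
"""
import re

# Constructed stand-in for poc1.j2k: SOC marker (FF 4F), SIZ marker (FF 51),
# zero padding, EOC marker (FF D9). Not a valid image and not a crash trigger.
SAMPLE_J2K = b"\xff\x4f\xff\x51" + b"\x00" * 28 + b"\xff\xd9"


def wrap_j2k_in_pdf(codestream: bytes, width: int = 1, height: int = 1) -> bytes:
    """Return a one-page PDF whose only content draws an image XObject that
    carries `codestream` with /Filter /JPXDecode. Offsets in the xref table
    are computed from the actual byte positions written."""
    content = b"q %d 0 0 %d 0 0 cm /Im0 Do Q" % (width, height)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 %d %d] "
         b"/Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R >>"
         % (width, height)),
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        (b"<< /Type /XObject /Subtype /Image /Width %d /Height %d "
         b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /JPXDecode "
         b"/Length %d >>\nstream\n" % (width, height, len(codestream))
         + codestream + b"\nendstream"),
    ]
    out = bytearray(b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n")  # binary-marker comment
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset of "N 0 obj"
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"  # entry 0 is always the free-list head
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)


def check_xref(pdf: bytes) -> bool:
    """True if startxref points at the xref table and every in-use entry
    points at the matching 'N 0 obj' header."""
    start = int(pdf[pdf.rindex(b"startxref") + len(b"startxref"):].split()[0])
    if not pdf[start:].startswith(b"xref"):
        return False
    entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", pdf[start:])
    for num, (off, _gen, kind) in enumerate(entries):
        if kind == b"n" and not pdf[int(off):].startswith(b"%d 0 obj" % num):
            return False
    return True


def extract_jpx_stream(pdf: bytes) -> bytes:
    """Pull the JPXDecode stream back out by its /Length, to confirm the
    wrapper did not alter the codestream under test."""
    m = re.search(rb"/Filter /JPXDecode /Length (\d+) >>\nstream\n", pdf)
    start = m.end()
    return pdf[start:start + int(m.group(1))]


if __name__ == "__main__":
    pdf = wrap_j2k_in_pdf(SAMPLE_J2K)
    assert check_xref(pdf)
    with open("wrapped.pdf", "wb") as f:  # hypothetical output name
        f.write(pdf)
```

Run it as `python3 wrap.py` and open wrapped.pdf in the viewer; to wrap a real codestream, read the .j2k bytes and pass them in place of SAMPLE_J2K. Keeping the wrapper this small is deliberate: with no other filters, fonts or compressed object streams in the file, a crash can only have come from the JPX path, which is the same separation the reporter achieved by running opj_dump on the bare .j2k.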
Jan 6 2017
Issue 678344 has been merged into this issue.
Jan 6 2017
Please add M56 stable blocker if reproducible.
Jan 6 2017
Able to reproduce the issue on Win7, Chrome versions 55.0.2883.87 and 57.0.2973.0: the PDF crashes and shows the sad tab icon on a black background, and all open tabs which had PDFs also crashed. Crash ID: eb9c02c480000000. This is working fine in the Firefox browser. This is a non-regression issue existing since M40 (40.0.2172.0) to latest canary.
Jan 9 2017
From my researcher: They conclude that the two issues are the same: while they look the same to the end-user, they crash in two different code locations with different crash reasons (Issue 678342 is a null pointer dereference and Issue 678344 is a use-after-free memory access violation).
Jan 9 2017
As per the crash stats, only 2 reports as of now:

57.0.2973.0 50.00% 1
55.0.2883.87 50.00% 1

Link to the build which introduced the crash: https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27ppapi%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27opj_read_bytes_LE%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion

Assigning to Lei since a few of the top stack frames refer to his CL. Also moving to M57 since M56 is close to Stable release.
Jan 20 2017

Jan 23 2017

Jan 24 2017
Has this problem been reported upstream?
Jan 24 2017
It has been reported to OpenJPEG as well as to you all.
Jan 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cd207440f74f112ed24d1e72b63fddbca063dcc9

commit cd207440f74f112ed24d1e72b63fddbca063dcc9
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Jan 24 19:22:06 2017

Roll src/third_party/pdfium/ e73fea598..8804940c9 (6 commits).

https://pdfium.googlesource.com/pdfium.git/+log/e73fea598f08..8804940c9a39

$ git log e73fea598..8804940c9 --date=short --no-merges --format='%ad %ae %s'
2017-01-24 npm Check m_data!=null when adding mct
2017-01-23 npm Fix CPDF_InterForm::CheckRequiredFields and its callers.
2017-01-23 dsinclair Track CFDE_CSSComputedStyle with retained ptrs
2017-01-23 dsinclair Cleanup memory in CFDE_CSSRuleCollection
2017-01-23 dsinclair Remove ID, Class and Universal selector code
2017-01-24 tsepez Use std::vector for CFX_RectF arrays

BUG= 678342

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2647363004
Cr-Commit-Position: refs/heads/master@{#445777}

[modify] https://crrev.com/cd207440f74f112ed24d1e72b63fddbca063dcc9/DEPS
Jan 24 2017
Thanks npm for the fix. I'm not sure this also solves Issue 678344 (which was merged into this one). Look at attachment poc2.zip in Issue 678344 for a PDF that causes that crash.
Jan 24 2017
I'm unable to reproduce that one now even without the fix for this bug. We have fixed several libopenjpeg bugs in the last couple of weeks.
Comment 1 by ajha@chromium.org, Jan 6 2017
Labels: Needs-Triage-M55