Issue metadata
Sign in to add a comment
|
Crash PDF viewer when loading PDF which contains an illegal JPEG2000 image (2017-06)
Reported by
pal...@us.ibm.com,
Jan 4 2017
|
||||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12 Steps to reproduce the problem: Summary of the issue: A specially-crafted PDF file which contains a specially-crafted illegal JPEG2000 image will cause Chrome’s PDF viewer (pdfium) to crash and show the sad tab icon on a black background. No “Failed to load PDF document” error is displayed. This only happens on a fresh new Chrome instance; if another PDF is already opened in the Chrome’s lifetime, loading the attached file will not crash the tab. What is the expected behavior? All Tabs crash What went wrong? Explanation: The attached poc2.zip (password: infected) contains poc2.pdf which causes this issue when opened in Chrome. The PDF file is a simple wrapping around the malformed JPEG2000 image poc2.j2k (also in the ZIP file). The underlying bug is in OpenJPEG’s decoding which causes a use-after-free invalid memory access crash, and can be seen when running OpenJPEG’s opj_dump (or opj_decompress) on the poc2.j2k image file. Since the nature of the bug is the re-use of freed memory, the content of that free memory will determine if it’ll cause the JPEG2000 parser to crash or not. The problem stems from a realloc call (in j2k.c:5243) that frees the memory of m_mct_records and then allocates them in another place in the heap. However, m_mcc_records may contain pointers to m_mct_records (in the m_decorrelation_array and m_offset_array fields), and those pointers are not updated and remain pointing to the freed memory area. Example output: $ ./opj_dump -i poc2.j2k Crashed report ID: No How much crashed? Whole browser Is it a problem with a plugin? N/A Did this work before? N/A Chrome version: 55.0.2883.87 Channel: n/a OS Version: Windows 7 64 bit Flash Version: Credit to Dov Murik of IBM
,
Jan 9 2017
From my researcher: They conclude that the two issues are the same: while they look the same to the end-user, they crash in two different code locations and different crash reasons ( Issue 678342 is a null pointer dereference and Issue 678344 is a use-after-free memory access violation). |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ajha@chromium.org
, Jan 6 2017Mergedinto: 678342
Status: Duplicate (was: Unconfirmed)