UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/602.3.12 (KHTML, like Gecko) Version/10.0.2 Safari/602.3.12

Steps to reproduce the problem:
Summary of the issue:
A specially-crafted PDF file which contains a specially-crafted illegal JPEG2000 image will cause Chrome’s PDF viewer (pdfium) to crash and show the sad tab icon on a black background. No “Failed to load PDF document” error is displayed. This only happens on a fresh new Chrome instance; if another PDF is already opened in the Chrome’s lifetime, loading the attached file will not crash the tab.

What is the expected behavior?
All Tabs crash

What went wrong?
Explanation:
The attached poc2.zip (password: infected) contains poc2.pdf which causes this issue when opened in Chrome. The PDF file is a simple wrapping around the malformed JPEG2000 image poc2.j2k (also in the ZIP file).
The underlying bug is in OpenJPEG’s decoding which causes a use-after-free invalid memory access crash, and can be seen when running OpenJPEG’s opj_dump (or opj_decompress) on the poc2.j2k image file. Since the nature of the bug is the re-use of freed memory, the content of that free memory will determine if it’ll cause the JPEG2000 parser to crash or not.
The problem stems from a realloc call (in j2k.c:5243) that frees the memory of m_mct_records and then allocates them in another place in the heap. However, m_mcc_records may contain pointers to m_mct_records (in the m_decorrelation_array and m_offset_array fields), and those pointers are not updated and remain pointing to the freed memory area.
Example output:
$ ./opj_dump -i poc2.j2k

Crashed report ID: No

How much crashed? Whole browser

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 55.0.2883.87  Channel: n/a
OS Version: Windows 7 64 bit
Flash Version: 

Credit to Dov Murik of IBM
 

Deleted: vulnerability-disclosure-2-google-chrome.docx 17.0 KB

vulnerability-disclosure-2-google-chrome.docx 17.0 KB Download

Deleted: poc2.zip 1.3 KB

poc2.zip 1.3 KB Download