Security: Signed Integer Overflow in pdfium (openjpeg)
Reported by c...@ecraig.com, Jan 20 2017
Issue description

VULNERABILITY DETAILS
A signed integer overflow exists in openjpeg code for determining tile counts. I have provided a few examples to show different resulting code paths but I have not confirmed if this can be used to influence code execution. The testcases should all hit the same underlying problem but demonstrate different resulting overflows.

VERSION
Chrome Version: ubsan-linux-release-444724.zip (pdfium_test)
Operating System: Ubuntu Linux 16.04

REPRODUCTION CASE
I have attached pdf inputs and pdfium_test outputs in a tgz.
Jan 21 2017
Jan 23 2017
Would it be possible to get Hanno Böck CC'd on this bug report? He was involved in getting a PDF testcase and is interested to see the process when submitting a UBSAN detected bug that has not been confirmed as security relevant. Hanno has contact information here in case you are unfamiliar: https://hboeck.de/en/contact.html
Jan 23 2017
Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5152891347402752
Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4563437855440896
Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5432625687953408
Jan 24 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152891347402752

Job Type: linux_ubsan_pdfium
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opj_int_ceildiv
  opj_j2k_read_siz
  opj_j2k_read_header_procedure

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=370022:370027

Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97G3reMjPfkQLv7OMPttqtXUobPXzwU-_XCnxMH9ayYYfc1ivWh4bXaE1VZztDSknEJyuf2HfgBrP3_q1uVWrZdJSIPdJngBvai64dxu9BXYlY-kIS4vN_oF4vBoF5ox7CyQBsV-ol60tTwgwtRbjVcN0wfiyDClCKZQ5Dmr8dYgCJmis167bMcZaOn-XqnLaRnmE4sRiy9uu6XMYB1waIq7E-zTavqMUUOLonLkAznQF_BjQZ6v4sHvSqouiY-8jEB9egNyeTL6Hn0q2jTs12yzsN34tWyJwx5hxFe2xiDc_M52wdUF8XDu-mFTTMplDQOIbHvO-cA9EbgpS-XwbCdOns88PpLK5kaWrcUAFvGGd98iEo?testcase_id=5152891347402752

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 24 2017
Something to nail down: whether or not this is a bug in OpenJPEG, or in PDFium's usage of that library. If it's in OpenJPEG, we'll need to report it to upstream, too. +tsepez from security.
Jan 24 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5432625687953408

Job Type: linux_ubsan_pdfium
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opj_int_ceildiv
  opj_j2k_read_siz
  opj_j2k_read_header_procedure

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=370022:370027

Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Vw4gv4of-cQj2KV_Nz8CdVAvMnAQbSXGFBgJLnLSNlhK8gPWjuAO_RXIFcv8tEoThI-nDs1IybKDYQ0vJ0B65UrfJ5RZSC8bYO5fd5fwdf-p7PRPRXJOSt9rn-CcZSMzJplk_pAL16RALRW9y0ztBEZy3IL1Fyog0UBSOIOkhvRCehWAvF7-7R8qcNu1dYEzRHLe7yEOZLnabEpkhT6WYbxhzj7577uLr-n4mBwdD5wEGlLdBjQipESvCU6HzgMzZrusch1BRrHgQ45iBvBKvCqkGkSfEGoqyEh6-3pouvUni-SKekyeYuOtmVkQUVIVwbFxvjaLwXcj2Vq6MofmKxxBUgL6GFGh3XO1S-6_mP-SbBms?testcase_id=5432625687953408

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 24 2017
This was found initially by fuzzing a tool from OpenJPEG so it should be reported upstream.
Jan 24 2017
Tentatively assigning low severity since it's not clear if this is exploitable.
Jan 24 2017
Reported upstream[1], and CL up for review[2].

[1] https://github.com/uclouvain/openjpeg/issues/889
[2] https://pdfium-review.googlesource.com/c/2353/
Jan 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1b111b29a9371dd08dc96c6d72961fc23d3665b0

commit 1b111b29a9371dd08dc96c6d72961fc23d3665b0
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Wed Jan 25 05:18:20 2017

Roll src/third_party/pdfium/ 33316fccc..d198e406d (1 commit).

https://pdfium.googlesource.com/pdfium.git/+log/33316fccc6a5..d198e406d13b

$ git log 33316fccc..d198e406d --date=short --no-merges --format='%ad %ae %s'
2017-01-24 npm Use opj_uint_ceildiv where it is better than its int version

BUG= 683156

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2649923014
Cr-Commit-Position: refs/heads/master@{#445956}

[modify] https://crrev.com/1b111b29a9371dd08dc96c6d72961fc23d3665b0/DEPS
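The arithmetic behind the UBSan report in this thread, and behind the switch from the signed to the unsigned ceildiv helper named in the roll above, as an added example in C. This is not code from the report, from PDFium or from OpenJPEG: the SIZ struct, the crafted values and every function name are assumptions made here for illustration (field names follow the JPEG 2000 SIZ marker). It shows where the classic (a + b - 1) / b form overflows on int32_t, that the same formula on uint32_t is defined but silently wraps, and a ceiling division with header validation that avoids both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the SIZ marker fields that drive the tile-count
 * computation. Names follow ITU-T T.800 Table A.9; this is not OpenJPEG's
 * own struct.
 */
typedef struct {
    uint32_t Xsiz, Ysiz;     /* reference grid extent */
    uint32_t XOsiz, YOsiz;   /* image area origin */
    uint32_t XTsiz, YTsiz;   /* nominal tile width and height */
    uint32_t XTOsiz, YTOsiz; /* tile grid origin */
} siz_fields;

/*
 * Ceiling division written the classic way, (a + b - 1) / b, on int32_t.
 * The intermediate a + b - 1 is a signed addition, so for a close to
 * INT32_MAX it overflows, which is undefined behaviour and is what UBSan
 * reports as "Integer-overflow" in a ceildiv frame. Instead of performing
 * the UB, this function reports whether it would occur.
 */
static bool int_ceildiv_would_overflow(int32_t a, int32_t b)
{
    int32_t tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return true;
    return __builtin_sub_overflow(tmp, 1, &tmp);
}

/*
 * The same formula on uint32_t. Unsigned wrap-around is defined behaviour,
 * so the sanitizer is silent, but the quotient is still wrong once
 * a + b - 1 exceeds UINT32_MAX: the wrapped sum is tiny and so is the result.
 */
static uint32_t uint_ceildiv_wrapping(uint32_t a, uint32_t b)
{
    return (a + b - 1) / b;
}

/*
 * Ceiling division with no intermediate larger than its operands: it can
 * neither overflow nor wrap, for any a and any non-zero b.
 */
static uint32_t ceildiv_exact(uint32_t a, uint32_t b)
{
    return a / b + (a % b != 0);
}

/*
 * Derive the tile grid (tiles across, tiles down) from SIZ fields, rejecting
 * inputs that T.800 forbids before doing any arithmetic on them.
 * Returns false on an invalid header.
 */
static bool tile_counts(const siz_fields *s, uint32_t *tw, uint32_t *th)
{
    if (s->XTsiz == 0 || s->YTsiz == 0)
        return false;                  /* zero tile size: division by zero */
    if (s->XOsiz >= s->Xsiz || s->YOsiz >= s->Ysiz)
        return false;                  /* empty image area */
    if (s->XTOsiz > s->XOsiz || s->YTOsiz > s->YOsiz)
        return false;                  /* tile origin must not exceed image origin */
    /* The first tile must overlap the image area; 64-bit so the sum cannot wrap. */
    if ((uint64_t)s->XTOsiz + s->XTsiz <= s->XOsiz ||
        (uint64_t)s->YTOsiz + s->YTsiz <= s->YOsiz)
        return false;

    /* Xsiz > XTOsiz follows from the checks above, so the subtraction is safe. */
    *tw = ceildiv_exact(s->Xsiz - s->XTOsiz, s->XTsiz);
    *th = ceildiv_exact(s->Ysiz - s->YTOsiz, s->YTsiz);
    return true;
}

/* Constructed SIZ values: a huge image extent with a tiny tile size. */
static const siz_fields crafted_siz = {
    .Xsiz = 0x7FFFFFFF, .Ysiz = 0x7FFFFFFF,
    .XOsiz = 0,         .YOsiz = 0,
    .XTsiz = 2,         .YTsiz = 2,
    .XTOsiz = 0,        .YTOsiz = 0,
};

int main(void)
{
    uint32_t tw, th;
    int32_t a = (int32_t)(crafted_siz.Xsiz - crafted_siz.XTOsiz);
    int32_t b = (int32_t)crafted_siz.XTsiz;

    printf("signed (a + b - 1) / b overflows: %s\n",
           int_ceildiv_would_overflow(a, b) ? "yes" : "no");
    printf("unsigned formula on 0xFFFFFFFF / 2 gives %u (exact: %u)\n",
           uint_ceildiv_wrapping(0xFFFFFFFFu, 2), ceildiv_exact(0xFFFFFFFFu, 2));
    if (tile_counts(&crafted_siz, &tw, &th))
        printf("tile grid: %u x %u\n", tw, th);
    return 0;
}
```

With the crafted header, a is INT32_MAX and b is 2, so the signed form overflows on the addition while ceildiv_exact returns 0x40000000 tiles across. Moving to unsigned operands removes the undefined behaviour, but the (a + b - 1) / b form still wraps at the top of the range (0xFFFFFFFF / 2 comes out as 0 instead of 0x80000000), which is why the example computes the ceiling without the addition and validates the SIZ fields first; whether a decoder should accept a grid of a billion tiles is a separate resource-limit decision.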
Jan 25 2017
Jan 25 2017
ClusterFuzz has detected this issue as fixed in range 445945:445971.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152891347402752

Job Type: linux_ubsan_pdfium
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opj_int_ceildiv
  opj_j2k_read_siz
  opj_j2k_read_header_procedure

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=445945:445971

Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97G3reMjPfkQLv7OMPttqtXUobPXzwU-_XCnxMH9ayYYfc1ivWh4bXaE1VZztDSknEJyuf2HfgBrP3_q1uVWrZdJSIPdJngBvai64dxu9BXYlY-kIS4vN_oF4vBoF5ox7CyQBsV-ol60tTwgwtRbjVcN0wfiyDClCKZQ5Dmr8dYgCJmis167bMcZaOn-XqnLaRnmE4sRiy9uu6XMYB1waIq7E-zTavqMUUOLonLkAznQF_BjQZ6v4sHvSqouiY-8jEB9egNyeTL6Hn0q2jTs12yzsN34tWyJwx5hxFe2xiDc_M52wdUF8XDu-mFTTMplDQOIbHvO-cA9EbgpS-XwbCdOns88PpLK5kaWrcUAFvGGd98iEo?testcase_id=5152891347402752

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 25 2017
ClusterFuzz has detected this issue as fixed in range 445945:445971.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5432625687953408

Job Type: linux_ubsan_pdfium
Crash Type: Integer-overflow
Crash Address:
Crash State:
  opj_int_ceildiv
  opj_j2k_read_siz
  opj_j2k_read_header_procedure

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_pdfium&range=445945:445971

Minimized Testcase (1.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Vw4gv4of-cQj2KV_Nz8CdVAvMnAQbSXGFBgJLnLSNlhK8gPWjuAO_RXIFcv8tEoThI-nDs1IybKDYQ0vJ0B65UrfJ5RZSC8bYO5fd5fwdf-p7PRPRXJOSt9rn-CcZSMzJplk_pAL16RALRW9y0ztBEZy3IL1Fyog0UBSOIOkhvRCehWAvF7-7R8qcNu1dYEzRHLe7yEOZLnabEpkhT6WYbxhzj7577uLr-n4mBwdD5wEGlLdBjQipESvCU6HzgMzZrusch1BRrHgQ45iBvBKvCqkGkSfEGoqyEh6-3pouvUni-SKekyeYuOtmVkQUVIVwbFxvjaLwXcj2Vq6MofmKxxBUgL6GFGh3XO1S-6_mP-SbBms?testcase_id=5432625687953408

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 25 2017
ClusterFuzz testcase 5152891347402752 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 26 2017
May 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Jan 20 2017