
Issue metadata

Status: Fixed
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Issue 695826: Security: type confusion in JSPropGetter of pdfium

Reported by, Feb 24 2017

Issue description

Embed the following simple JavaScript into a PDF:
var obj = new this.constructor;;
Open it in Chrome, and you'll see the crashed pdfviewer plugin.

The constructor of the document object (or app, console, global etc.) should not be exported to user JavaScript. When an object is created with these constructors, the internal fields of the object are not initialized, and calling any property accessor will cause a type confusion. The crash is as follows:
Program received signal SIGSEGV, Segmentation fault.
0x000000000078c8f5 in std::unique_ptr<CJS_EmbedObj, std::default_delete<CJS_EmbedObj> >::get (this=0xe97ff80000000008)
    at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:217
217	      { return std::get<0>(_M_t); }
(gdb) bt
#0  0x000000000078c8f5 in std::unique_ptr<CJS_EmbedObj, std::default_delete<CJS_EmbedObj> >::get (this=0xe97ff80000000008)
    at ../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/unique_ptr.h:217
#1  0x000000000078c719 in CJS_Object::GetEmbedObject (this=0xe97ff80000000000) at ../../third_party/pdfium/fpdfsdk/javascript/JS_Object.h:47	
#2  0x00000000007c111b in JSPropGetter<Document, &Document::author> (prop_name_string=0x91ad23 "author", class_name_string=0x91ad1a "Document", property=..., info=...)
    at ../../third_party/pdfium/fpdfsdk/javascript/JS_Define.h:84
#3  0x00000000007bcf41 in CJS_Document::get_author_static (property=..., info=...) at ../../third_party/pdfium/fpdfsdk/javascript/Document.h:306
#4  0x00007ffff747d46d in v8::internal::PropertyCallbackArguments::Call (this=<optimized out>, f=<optimized out>, name=...) at ../../v8/src/api-arguments-inl.h:32
#5  0x00007ffff7529de7 in v8::internal::Object::GetPropertyWithAccessor (it=<optimized out>) at ../../v8/src/
#6  0x00007ffff7529079 in v8::internal::Object::GetProperty (it=<optimized out>) at ../../v8/src/
#7  0x00007ffff7465c93 in v8::internal::LoadIC::Load (this=<optimized out>, object=..., name=...) at ../../v8/src/ic/
#8  0x00007ffff7472c37 in v8::internal::__RT_impl_Runtime_LoadIC_Miss (args=..., isolate=<optimized out>) at ../../v8/src/ic/
#9  0x00007ffff747280a in v8::internal::Runtime_LoadIC_Miss (args_length=<optimized out>, args_object=<optimized out>, isolate=<optimized out>)
    at ../../v8/src/ic/

a poc is attached as poc1.pdf

Chrome Version: [56.0.2924.87] + [stable]
Operating System: [any]
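To make the failure path concrete, here is an added C++ model (not pdfium's code; EmbedObj, JsWrapper, HostObject, GetAuthor and the helper names are assumptions) of a script-reachable getter that reads an embedder-owned internal field, with the slot initialized and checked before it is dereferenced, which is the class of fix the thread's roll describes.

```cpp
// Added example, not pdfium's code: a script-reachable getter reads an
// "internal field" that only the embedder's factory fills in.
#include <memory>
#include <string>

struct EmbedObj { std::string author; };        // stands in for CJS_EmbedObj
// Stands in for CJS_Object: owns the embedded object and carries a class tag
// so a getter defined for "Document" can refuse a wrapper of another class.
struct JsWrapper {
  std::string class_name;
  std::unique_ptr<EmbedObj> embed;
};

// V8-style host object with one internal field. Post-fix it starts as nullptr;
// pre-fix it was never written for script-created objects, which is the
// garbage pointer (this=0xe97ff80000000008) in the trace above.
struct HostObject { JsWrapper* internal_field = nullptr; };

// Script path: `new this.constructor` runs the engine's constructor callback
// but never the embedder's factory, so nothing fills the slot.
HostObject MakeViaScriptConstructor() { return HostObject{}; }

// Embedder path: the viewer creates the wrapper itself and fills the slot.
HostObject MakeViaEmbedderFactory(JsWrapper& wrapper) {
  HostObject host;
  host.internal_field = &wrapper;
  return host;
}
struct GetResult { bool ok; std::string value; };  // author, or error text

// Hardened getter: validate the slot and the class tag before touching the
// embedded object, and report a script error instead of dereferencing.
GetResult GetAuthor(const HostObject& host) {
  const JsWrapper* w = host.internal_field;
  if (w == nullptr) return {false, "object was not created by the embedder"};
  if (w->class_name != "Document") return {false, "wrong class: " + w->class_name};
  if (!w->embed) return {false, "embedded object missing"};
  return {true, w->embed->author};
}

// Scenario helpers so the two creation paths can be compared directly.
GetResult ReadAuthorOfScriptCreatedObject() {
  return GetAuthor(MakeViaScriptConstructor());
}
GetResult ReadAuthorOfEmbedderCreatedObject(const std::string& cls,
                                            const std::string& author) {
  JsWrapper wrapper{cls, std::make_unique<EmbedObj>(EmbedObj{author})};
  return GetAuthor(MakeViaEmbedderFactory(wrapper));
}
```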

Comment 1 by, Feb 24 2017

Components: Internals>Plugins>PDF
Labels: Security_Impact-Stable
Status: Assigned (was: Unconfirmed)
jochen@, can you please take a look at this as it is V8 and PDFium? Also can you triage as I am not sure what the implication of a type confusion here is?

Comment 2 by, Feb 24 2017

CL up at, which fixes the initialization issue.  Hiding the constructor seems more difficult.

Comment 3 by, Feb 24 2017

Labels: Security_Severity-High
Probably sev high, bad address is uninitialized, and attacker may have some control over it via spraying, etc.

Comment 4 by, Feb 25 2017

Labels: M-56

Comment 5 by, Feb 25 2017

Labels: Pri-1

Comment 6 by, Feb 25 2017

Labels: OS-All

Comment 7 by, Feb 27 2017

CL landed, but over to jochen to check.

Comment 8 by, Feb 27 2017

The following revision refers to this bug:

commit 4d175c2a5ab773d3d65acdf915149bef17ef2371
Author: pdfium-deps-roller <>
Date: Mon Feb 27 21:22:29 2017

Roll src/third_party/pdfium/ 73c9f3bb3..9162ff85c (2 commits).

$ git log 73c9f3bb3..9162ff85c --date=short --no-merges --format='%ad %ae %s'
2017-02-24 thestig Fix nits from commit db764708.
2017-02-24 tsepez Fix uninitialized memory read in CJS_Object::GetEmbedObject()

Created with:
  roll-dep src/third_party/pdfium
BUG= 695826 

Documentation for the AutoRoller is here:

If the roll is causing failures, see:

Cr-Commit-Position: refs/heads/master@{#453341}


Comment 9 by, Feb 27 2017

Labels: M-57 M-58
We should merge to M57 once we verify the fix.

Comment 10 by, Mar 6 2017


Comment 11 by, Mar 10 2017

Labels: -M-56

Comment 12 by, Mar 14 2017

tsepez: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit - Your friendly Sheriffbot

Comment 13 by, Mar 14 2017

Labels: Merge-Request-57
Status: Fixed (was: Assigned)

Comment 14 by, Mar 14 2017

Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit - Your friendly Sheriffbot

Comment 15 by, Mar 14 2017

+  awhalley@ for M57 merge review. Please note M57 is already in stable and we're only taking critical and safe merges in. Thank you.

Comment 16 by, Mar 14 2017

There might be a 57 spin early next week, at which point this will have had the required 48 hours in Beta for a stable merge and we should take it.

Note *please* mark bugs as fixed when the fix lands - otherwise it gets missed in the queries that help ensure security bugs get merged as needed.  Thanks!

Comment 17 by, Mar 15 2017

There is another security bug labeled with M-57. Maybe you should consider it too.

Comment 18 by, Mar 15 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by, Mar 21 2017

Labels: reward-topanel

Comment 20 by, Mar 22 2017

govind@ - good for 57

Comment 21 by, Mar 22 2017

Labels: -Merge-Review-57 Merge-Approved-57
Approved for 57.  We're cutting our next candidate in a couple hours, please merge immediately.

Comment 22 by, Mar 22 2017

Labels: -M-57 -Merge-Approved-57
Unfortunately this didn't merge cleanly and the trybots were having problems (though it built locally) - not picking up in 57 out of an abundance of caution.

Comment 23 by, Mar 31 2017

Labels: -Hotlist-Merge-Review

Comment 24 by, Mar 31 2017

Labels: -reward-topanel reward-unpaid reward-3000

Comment 25 by, Mar 31 2017

Nice one! The panel decided to award $3,000 for this bug - cheers!

Comment 26 by, Mar 31 2017

Labels: -reward-unpaid reward-inprocess

Comment 27 by, Apr 18 2017

Labels: Release-0-M58

Comment 28 by, Apr 19 2017

Labels: CVE-2017-5057

Comment 29 by, Jun 21 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 30 by, Apr 25 2018

Labels: CVE_description-submitted
