Issue 704565

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 704442
Owner: ----
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Crash in CFX_SkiaDeviceDriver::RestoreStat

Reported by chromium...@gmail.com, Mar 23 2017

Issue description

VERSION
Chrome Version: 59.0.3049.0 
Operating System: Windows 7

REPRODUCTION CASE
1. Open a new tab (chrome://newtab)
2. Print the page >> crash


0:000> .ecxr
rax=ffffffffffffffff rbx=0000000000ab7d50 rcx=0000000001278e00
rdx=0000000000000000 rsi=00000000002fd501 rdi=00000000002fd2b8
rip=000007fee55c15aa rsp=00000000002fd170 rbp=00000000002fd230
 r8=00000000ffffffff  r9=00000000002fd2dc r10=00000000002fd2e0
r11=00000000002fd2d0 r12=0000000000000000 r13=00000000002fd408
r14=00000000002fd408 r15=0000000002542900
iopl=0         nv up ei ng nz ac po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010296
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!CFX_SkiaDeviceDriver::RestoreState+0x3a:
000007fe`e55c15aa 833c8200        cmp     dword ptr [rdx+rax*4],0 ds:ffffffff`fffffffc=????????
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`002fd170 000007fe`e55d49d7 chrome_child!CFX_SkiaDeviceDriver::RestoreState+0x3a [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fxge\skia\fx_skia_device.cpp @ 1369]
00000000`002fd1a0 000007fe`e55203c8 chrome_child!CFX_RenderDevice::RestoreState+0x13 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fxge\ge\cfx_renderdevice.cpp @ 409]
00000000`002fd1d0 000007fe`e552258c chrome_child!CPDF_RenderStatus::ProcessClipPath+0x80 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1381]
00000000`002fd270 000007fe`e55224e2 chrome_child!CPDF_RenderStatus::RenderSingleObject+0x74 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1075]
00000000`002fd2a0 000007fe`e55200e3 chrome_child!CPDF_RenderStatus::RenderObjectList+0x116 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1051]
00000000`002fd330 000007fe`e5521888 chrome_child!CPDF_RenderStatus::LoadSMask+0x5f7 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 2612]
00000000`002fd6a0 000007fe`e552259a chrome_child!CPDF_RenderStatus::ProcessTransparency+0x89c [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1590]
00000000`002fda40 000007fe`e55224e2 chrome_child!CPDF_RenderStatus::RenderSingleObject+0x82 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1075]
00000000`002fda70 000007fe`e55207ad chrome_child!CPDF_RenderStatus::RenderObjectList+0x116 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1051]
00000000`002fdb00 000007fe`e55208ac chrome_child!CPDF_RenderStatus::ProcessForm+0x1c1 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1257]
00000000`002fdcc0 000007fe`e5521801 chrome_child!CPDF_RenderStatus::ProcessObjectNoClip+0x58 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1166]
00000000`002fdcf0 000007fe`e551aa06 chrome_child!CPDF_RenderStatus::ProcessTransparency+0x815 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1582]
00000000`002fe090 000007fe`e54fd13b chrome_child!CPDF_RenderStatus::ContinueSingleObject+0x86 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_renderstatus.cpp @ 1104]
00000000`002fe0f0 000007fe`e54c9968 chrome_child!CPDF_ProgressiveRenderer::Continue+0x28b [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\core\fpdfapi\render\cpdf_progressiverenderer.cpp @ 78]
00000000`002fe200 000007fe`e54c92eb chrome_child!`anonymous namespace'::RenderPageImpl+0x2dc [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 131]
00000000`002fe290 000007fe`e54d17f6 chrome_child!FPDF_RenderPage_Retail+0x9b [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdfview.cpp @ 1024]
00000000`002fe310 000007fe`e47d4fac chrome_child!FPDF_RenderPageBitmap_Start+0x146 [c:\b\build\slave\win64-pgo\build\src\third_party\pdfium\fpdfsdk\fpdf_progressive.cpp @ 58]
00000000`002fe3a0 000007fe`e47da28b chrome_child!chrome_pdf::PDFiumEngine::ContinuePaint+0x128 [c:\b\build\slave\win64-pgo\build\src\pdf\pdfium\pdfium_engine.cc @ 2979]
00000000`002fe450 000007fe`e47e2c4a chrome_child!chrome_pdf::PDFiumEngine::Paint+0x1cb [c:\b\build\slave\win64-pgo\build\src\pdf\pdfium\pdfium_engine.cc @ 1108]
00000000`002fe590 000007fe`e47e9418 chrome_child!chrome_pdf::OutOfProcessInstance::OnPaint+0x1ba [c:\b\build\slave\win64-pgo\build\src\pdf\out_of_process_instance.cc @ 923]

Attachment: access-violation on unknown address 0xfffffffc.txt
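The register dump and faulting instruction above fix the arithmetic of the crash: `cmp dword ptr [rdx+rax*4],0` is a 4-byte indexed read with base `rdx = 0` and index `rax = 0xffffffffffffffff` (-1), so the effective address wraps to `0xfffffffffffffffc`, which is what the access violation reports. A base of zero and an index of -1 is the footprint of reading `top = size - 1` from an empty, never-allocated container, which is the shape an unbalanced SaveState/RestoreState pair would take. The following C model is an added example for this page, not PDFium's code and not the reporter's; the `StateStack` type, the `restore_state_*` and `save_state` functions, and the inference that the real container was empty with a null buffer are assumptions made here to illustrate the pattern, since the source at fx_skia_device.cpp line 1369 is not shown on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Effective address of the faulting operand
 *     cmp dword ptr [rdx+rax*4],0
 * computed with the same modular wrap-around the CPU performs.
 * With the register values from the .ecxr dump (rdx = 0,
 * rax = 0xffffffffffffffff) this yields 0xfffffffffffffffc. */
uint64_t faulting_address(uint64_t rdx, uint64_t rax)
{
    return rdx + rax * 4u;
}

/* Illustrative model (assumption, not PDFium's code) of a graphics-state
 * stack: a growable array of 4-byte entries. An empty stack has no buffer
 * (data == NULL) and size == 0, as an empty std::vector does. */
typedef struct {
    int32_t *data;
    size_t size;
    size_t capacity;
} StateStack;

/* Unchecked restore: addresses the top entry as data[size - 1]. For an
 * empty stack size - 1 wraps to SIZE_MAX and the element address becomes
 * NULL + SIZE_MAX*4, i.e. NULL minus 4 bytes, the address in the report.
 * The address is returned instead of dereferenced so the model runs
 * safely; real code would fault at the dereference. */
uintptr_t restore_state_unchecked_addr(const StateStack *s)
{
    size_t top = s->size - 1;                 /* wraps when size == 0 */
    return (uintptr_t)s->data + top * sizeof(int32_t);
}

/* Hardened restore: refuse to pop when nothing was saved, so an
 * unbalanced SaveState/RestoreState sequence fails loudly instead of
 * reading out of bounds. */
bool restore_state_checked(StateStack *s, int32_t *out)
{
    if (s->size == 0)
        return false;
    *out = s->data[--s->size];
    return true;
}

bool save_state(StateStack *s, int32_t value)
{
    if (s->size == s->capacity)
        return false;             /* fixed-capacity model; no growth needed here */
    s->data[s->size++] = value;
    return true;
}

/* Address the unchecked path would read on an empty stack. */
uintptr_t empty_stack_unchecked_addr(void)
{
    StateStack empty = { NULL, 0, 0 };
    return restore_state_unchecked_addr(&empty);
}

/* True when the checked path refuses to restore from an empty stack. */
bool empty_stack_checked_refuses(void)
{
    StateStack empty = { NULL, 0, 0 };
    int32_t v = 0;
    return !restore_state_checked(&empty, &v);
}

/* One save, one restore, then a second restore that must be refused.
 * Returns the restored value, or -1 if the stack misbehaves. */
int32_t balanced_roundtrip(void)
{
    int32_t storage[4];
    StateStack st = { storage, 0, 4 };
    int32_t v = 0;
    if (!save_state(&st, 7) || !restore_state_checked(&st, &v))
        return -1;
    if (restore_state_checked(&st, &v))      /* stack is empty again */
        return -1;
    return v;
}

int main(void)
{
    printf("fault address from dump: 0x%016llx\n",
           (unsigned long long)faulting_address(0, UINT64_MAX));
    printf("unchecked restore on empty stack reads 0x%016llx\n",
           (unsigned long long)empty_stack_unchecked_addr());
    printf("checked restore on empty stack: %s\n",
           empty_stack_checked_refuses() ? "refused" : "allowed");
    printf("balanced save/restore returned %d\n", balanced_roundtrip());
    return 0;
}
```

The first printed address matches the `ds:ffffffff`fffffffc` operand in the dump exactly, and on a 64-bit build the unchecked model reads the same address, which is why the crash lands on a non-canonical, unmapped location rather than corrupting anything. Whether the actual PDFium fix took this form is not stated on this page; the merged issue 704442 is not visible here.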

Comment 1 by rsesek@chromium.org, Mar 23 2017

Merged into: 704442
Status: Duplicate (was: Unconfirmed)

Comment 2 by sheriffbot@chromium.org, Jun 30 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
