
Issue 724329


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Heap-use-after-free in pdfium

Reported by chromium...@gmail.com, May 19 2017

Issue description

VERSION
Chrome Version: 60.0.3104 Dev build 
Operating System: All 

REPRODUCTION CASE
1. Launch the test case
2. Wait >> Crash
=================================================================
==4808==ERROR: AddressSanitizer: heap-use-after-free on address 0x036093c0 at pc 0x17e3a4e6 bp 0x00aac95c sp 0x00aac950
READ of size 4 at 0x036093c0 thread T0
    #0 0x17e3a4e5  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b8a4e5)
    #1 0x17e3a2a2  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b8a2a2)
    #2 0x178ec6aa  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863c6aa)
    #3 0x178e9440  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18639440)
    #4 0x178e923a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863923a)
    #5 0x178ddc6a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1862dc6a)
    #6 0x178da00a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1862a00a)
    #7 0x178ba22b  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1860a22b)
    #8 0x17885767  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185d5767)
    #9 0x1787b2a3  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185cb2a3)
    #10 0x1787cd22  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185ccd22)
    #11 0x1787bea5  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185cbea5)
    #12 0x1785cb52  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185acb52)
    #13 0x1783d6e1  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1858d6e1)
    #14 0x177ebf8d  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1853bf8d)
    #15 0x177ec7a2  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1853c7a2)
    #16 0x17823726  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18573726)
    #17 0x1224776f  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x12f9776f)
    #18 0x189ad8fa  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x196fd8fa)
    #19 0x16af234f  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1784234f)
    #20 0x16af1f1a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x17841f1a)
    #21 0x16aefafd  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1783fafd)
    #22 0x16a7c281  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x177cc281)
    #23 0x12b97ef9  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x138e7ef9)
    #24 0x172822cc  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x17fd22cc)
    #25 0x12796546  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x134e6546)
    #26 0x126434a0  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x133934a0)
    #27 0x1264483b  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1339483b)
    #28 0x12645436  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13395436)
    #29 0x1279cb1a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x134ecb1a)
    #30 0x12642494  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13392494)
    #31 0x126dc3eb  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1342c3eb)
    #32 0x1215151b  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x12ea151b)
    #33 0x124f7f34  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13247f34)
    #34 0x124f9527  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13249527)
    #35 0x12507108  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13257108)
    #36 0x124f7c18  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x13247c18)
    #37 0xf2b1262  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x10001262)
    #38 0xea165  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome.exe+0x40a165)
    #39 0xe1b84  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome.exe+0x401b84)
    #40 0x3533fa  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome.exe+0x6733fa)
    #41 0x75283676  (C:\Windows\syswow64\kernel32.dll+0x7dd73676)
    #42 0x77219d71  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9d71)
    #43 0x77219d44  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9d44)

0x036093c0 is located 0 bytes inside of 248-byte region [0x036093c0,0x036094b8)
freed by thread T0 here:
    #0 0x3422f8  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome.exe+0x6622f8)
    #1 0x17e3a2f2  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b8a2f2)
    #2 0x17e21ddd  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b71ddd)
    #3 0x178ec680  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863c680)
    #4 0x178e9440  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18639440)
    #5 0x178e923a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863923a)
    #6 0x178ddc6a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1862dc6a)
    #7 0x178da00a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1862a00a)
    #8 0x178ba22b  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1860a22b)
    #9 0x17885767  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185d5767)
    #10 0x1787b2a3  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185cb2a3)
    #11 0x1787cd22  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185ccd22)
    #12 0x1787bea5  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185cbea5)
    #13 0x1785cb52  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185acb52)
    #14 0x1783d6e1  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1858d6e1)
    #15 0x177ebf8d  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1853bf8d)
    #16 0x177ec7a2  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1853c7a2)
    #17 0x17823726  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18573726)
    #18 0x1224776f  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x12f9776f)
    #19 0x189ad8fa  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x196fd8fa)
    #20 0x16af234f  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1784234f)
    #21 0x16af1f1a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x17841f1a)
    #22 0x16aefafd  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1783fafd)
    #23 0x16a7c281  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x177cc281)
    #24 0x12b97ef9  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x138e7ef9)
    #25 0x172822cc  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x17fd22cc)
    #26 0x12796546  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x134e6546)
    #27 0x126434a0  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x133934a0)
    #28 0x1264483b  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1339483b)

previously allocated by thread T0 here:
    #0 0x3423dc  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome.exe+0x6623dc)
    #1 0x1c98e2fd  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1d6de2fd)
    #2 0x17e37f4d  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b87f4d)
    #3 0x17e21336  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b71336)
    #4 0x178e7d14  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18637d14)
    #5 0x178ecd6a  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863cd6a)
    #6 0x178ef0e0  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1863f0e0)
    #7 0x178dc480  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x1862c480)
    #8 0x1787dbca  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x185cdbca)
    #9 0x17d9f910  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18aef910)
    #10 0x17dba4c2  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b0a4c2)
    #11 0x17d8a7f6  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18ada7f6)
    #12 0xfdb09c8  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x10b009c8)
    #13 0xfffdd12  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x10d4dd12)
    #14 0xfffaa21  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x10d4aa21)
    #15 0xfff9e71  (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x10d49e71)

SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\admin\Desktop\asan-win32-release-472910\chrome_child.dll+0x18b8a4e5)
Shadow bytes around the buggy address:
  0x306c1220: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x306c1230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x306c1240: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x306c1250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x306c1260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
=>0x306c1270: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x306c1280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x306c1290: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x306c12a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x306c12b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x306c12c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4808==ABORTING
Attachment: test.pdf (2.9 KB)
Not able to repro this on the latest version of Chromium. Please mark this issue as WontFix.
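
Added example (not part of this issue, nor Chromium/PDFium code): a small Python triage script that parses the key lines of the AddressSanitizer report above and cross-checks them against each other, so a reviewer can confirm that the faulting READ lies wholly inside the 248-byte freed region and that the bracketed shadow byte sits exactly where ASan's shadow mapping predicts. The report lines embedded in the script are copied from the issue, with the stack frames omitted. The one assumption is the shadow offset: the script uses ASan's 32-bit Windows value (3 << 28 = 0x30000000), which is consistent with the asan-win32 build named in the frame paths and with the 0x306c12xx shadow addresses in the dump.

```python
import re

# Lines copied from the AddressSanitizer report in the issue above; the stack
# frames are omitted because the triage below does not need them.
REPORT = """\
==4808==ERROR: AddressSanitizer: heap-use-after-free on address 0x036093c0 at pc 0x17e3a4e6 bp 0x00aac95c sp 0x00aac950
READ of size 4 at 0x036093c0 thread T0
0x036093c0 is located 0 bytes inside of 248-byte region [0x036093c0,0x036094b8)
Shadow bytes around the buggy address:
  0x306c1260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
=>0x306c1270: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x306c1280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""

SHADOW_SCALE = 3                # one shadow byte covers 2**3 = 8 application bytes
SHADOW_OFFSET_WIN32 = 3 << 28   # 0x30000000: ASan shadow offset for 32-bit Windows builds (assumed for this build)
FREED_HEAP = 0xFD               # legend: "Freed heap region"

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.M)
REGION_RE = re.compile(r"(0x[0-9a-f]+) is located (\d+) bytes (inside of|to the left of|to the right of) "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^=>\s*(0x[0-9a-f]+):(.*)$", re.M)


def shadow_address(addr, offset=SHADOW_OFFSET_WIN32):
    """Map an application address to its shadow byte: (addr >> 3) + offset."""
    return (addr >> SHADOW_SCALE) + offset


def marked_shadow_byte(report):
    """Return (shadow_addr, value) of the [bracketed] byte on the '=>' line, or None."""
    m = SHADOW_RE.search(report)
    if not m:
        return None
    base = int(m.group(1), 16)
    # Tokens are "xx" or "[xx]"; the bracketed one is the byte covering the faulting address.
    tokens = re.findall(r"\[[0-9a-f]{2}\]|[0-9a-f]{2}", m.group(2))
    for i, tok in enumerate(tokens):
        if tok.startswith("["):
            return base + i, int(tok[1:3], 16)
    return None


def triage(report):
    """Extract the facts a triager checks first and verify that they agree with each other."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognisable ASan heap report")

    addr = int(err.group(2), 16)
    size = int(acc.group(2))
    start, end = int(reg.group(5), 16), int(reg.group(6), 16)
    region_size = int(reg.group(4))
    shadow = marked_shadow_byte(report)

    checks = {
        # the access line and the error header name the same address
        "access_addr_matches": int(acc.group(3), 16) == addr,
        # the region bounds agree with the stated size
        "region_size_matches": end - start == region_size,
        # the whole read, not just its first byte, lies inside the freed chunk
        "access_inside_region": start <= addr and addr + size <= end,
        # the stated offset agrees with the bounds
        "offset_matches": reg.group(3) == "inside of" and int(reg.group(2)) == addr - start,
        # the bracketed shadow byte is where the mapping predicts, and it is 0xfd (freed heap)
        "shadow_consistent": shadow == (shadow_address(addr), FREED_HEAP),
    }
    return {
        "kind": err.group(1),
        "operation": acc.group(1),
        "access_size": size,
        "address": addr,
        "region": (start, end),
        "region_size": region_size,
        "offset_in_region": addr - start,
        "shadow": shadow,
        "checks": checks,
        "consistent": all(checks.values()),
    }


if __name__ == "__main__":
    print(triage(REPORT))
```

The cross-checks are worth having when a report has been pasted into a tracker by hand or truncated: a trace whose marked shadow byte is not 0xfd, or whose access runs past the region end, is describing a different bug class from the one in its headline, and that changes how the report should be prioritised.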

Comment 2 by aarya@google.com, May 19 2017

Status: WontFix (was: Unconfirmed)

Comment 3 by sheriffbot@chromium.org, Aug 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
