Use-after-free in CFFL_InteractiveFormFiller::OnFormat
Reported by manhluat...@gmail.com, Jun 12 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. Build pdfium master branch with XFA
2. ./pdfium_test ./poc.pdf
3. ASAN crash due to UAF

What is the expected behavior?

What went wrong?
Works only for XFA builds.

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp?sq=package:chromium&l=678

In |CFFL_InteractiveFormFiller::OnFormat|, there is the AAction Format handler |pInterForm->OnFormat| in the middle of processing, so we can run V8 script here. As in the previous reports 732039 and 732051, we can manage to delete an annot by calling |Field::removeField|, and later, at line 684, it tries to use |pWidget| again while it has already been freed earlier.

https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp?sq=package:chromium&l=684

  ...
  if (bFormatted) {
    pInterForm->ResetFieldAppearance(pWidget->GetFormField(), &sValue, true);
    pInterForm->UpdateField(pWidget->GetFormField());
  }
  ...

In the PoC, I would like to use `gc()` to garbage collect, and we can see the bug clearly right after freeing. The poc.pdf is generated by the script |fixup_pdf_template.py| shipped in the pdfium package.

* To Fix:
- We can use ObservePtr for these pointers.

Did this work before? N/A

Chrome version: 58.0.3029.110 Channel: dev
OS Version: OS X 10.12.5
Flash Version:
Jun 12 2017
Page 0 includes the |MyField| widget.

JS Action:
  this.getField("MyField").setFocus();

MyField's Format AAction:
  this.baseURL += "1";
  if (this.baseURL == "111") {
    this.removeField("MyField");
    gc();
  }

Closing AAction of Page 0:
  // to trigger CommitData, change the annot's value to pass |if (IsDataChanged(pPageView))|
  this.getField("MyField").value = "trigger";
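The following is an added, self-contained C++ example (not code from pdfium and not part of the report) that models the pattern the fix relies on: a pointer to the widget that is nulled out when the widget is destroyed, so a function that runs a script callback half-way through can check for the widget's disappearance instead of dereferencing freed memory. All names here (Widget, ObservedPtr, Document, RunFormatAction, RemoveField) are illustrative stand-ins for the real pdfium classes and for Field::removeField; the Document and the scripts are constructed inline.

```cpp
// Added example: observed-pointer pattern as a defence against a callback that
// frees the object the caller still holds. Illustrative names, not pdfium's.
#include <functional>
#include <iostream>
#include <map>
#include <memory>
#include <set>
#include <string>

class Observer {
 public:
  virtual ~Observer() = default;
  virtual void OnObservableDestroyed() = 0;
};

// Stand-in for the widget annotation. Its destructor tells every observer it is gone.
class Widget {
 public:
  explicit Widget(std::string name) : name_(std::move(name)) {}
  ~Widget() {
    for (Observer* o : observers_) o->OnObservableDestroyed();
  }
  void AddObserver(Observer* o) { observers_.insert(o); }
  void RemoveObserver(Observer* o) { observers_.erase(o); }
  const std::string& name() const { return name_; }

 private:
  std::string name_;
  std::set<Observer*> observers_;
};

// Pointer that becomes null when the Widget it points at dies. This is the role
// the observed pointer plays in place of a raw |pWidget| held across the script call.
class ObservedPtr final : public Observer {
 public:
  explicit ObservedPtr(Widget* w) : w_(w) { if (w_) w_->AddObserver(this); }
  ~ObservedPtr() override { if (w_) w_->RemoveObserver(this); }
  ObservedPtr(const ObservedPtr&) = delete;
  ObservedPtr& operator=(const ObservedPtr&) = delete;
  void OnObservableDestroyed() override { w_ = nullptr; }
  Widget* get() const { return w_; }
  explicit operator bool() const { return w_ != nullptr; }

 private:
  Widget* w_;
};

// Owns the widgets. RemoveField() plays the role of Field::removeField in the PoC.
struct Document {
  std::map<std::string, std::unique_ptr<Widget>> widgets;
  Widget* Find(const std::string& n) {
    auto it = widgets.find(n);
    return it == widgets.end() ? nullptr : it->second.get();
  }
  void RemoveField(const std::string& n) { widgets.erase(n); }
};

// Simplified OnFormat: look up the widget, run the Format action (which may delete
// it), then re-check before the post-script update step.
// Returns true if the update ran, false if the widget was gone (or never existed).
bool RunFormatAction(Document& doc, const std::string& field,
                     const std::function<void(Document&)>& format_script) {
  Widget* raw = doc.Find(field);
  if (!raw) return false;
  ObservedPtr widget(raw);
  format_script(doc);  // script runs here; after this line |raw| may dangle.
  // The buggy code used |raw| unconditionally here. The observed pointer lets
  // us detect that the widget was destroyed during the script and bail out.
  if (!widget) return false;
  return widget.get()->name() == field;
}

// Script that behaves like the PoC: removes the field from inside the Format action.
void RemovingScript(Document& doc) { doc.RemoveField("MyField"); }
// Script that leaves the document alone.
void BenignScript(Document&) {}

// Constructed sample document with a single widget named MyField.
Document MakeDoc() {
  Document d;
  d.widgets["MyField"] = std::make_unique<Widget>("MyField");
  return d;
}

int main() {
  Document a = MakeDoc();
  std::cout << "benign script: update ran = "
            << RunFormatAction(a, "MyField", BenignScript) << "\n";
  Document b = MakeDoc();
  std::cout << "removing script: update ran = "
            << RunFormatAction(b, "MyField", RemovingScript) << "\n";
  return 0;
}
```

The property worth noting is that the check happens after the callback returns, not before: a pointer validated before running script is exactly the pattern that goes wrong here, because the script can delete the annotation between the check and the use.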
Jun 14 2017
thestig can you please take a look?
Jun 14 2017
Also XFA.
Jun 14 2017
Repros for me locally with XFA enabled.
Jun 15 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/b7384b5b997975c36bb37d25c63e2c900eca41f9

commit b7384b5b997975c36bb37d25c63e2c900eca41f9
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Jun 15 18:55:32 2017

Improve ObserverPtr usage in CFFL_InteractiveFormFiller.

BUG=chromium:732322
Change-Id: I479f3edf48fcb2cac32d7fcb76651f9ad1246483
Reviewed-on: https://pdfium-review.googlesource.com/6553
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/b7384b5b997975c36bb37d25c63e2c900eca41f9/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp
[modify] https://crrev.com/b7384b5b997975c36bb37d25c63e2c900eca41f9/fpdfsdk/formfiller/cffl_formfiller.cpp
[modify] https://crrev.com/b7384b5b997975c36bb37d25c63e2c900eca41f9/fpdfsdk/formfiller/cffl_interactiveformfiller.h
Jun 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a1d936022aea1afbfb396cc01da7ce031e08102f

commit a1d936022aea1afbfb396cc01da7ce031e08102f
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Thu Jun 15 20:24:26 2017

Roll src/third_party/pdfium/ 65a55343e..b7384b5b9 (3 commits)

https://pdfium.googlesource.com/pdfium.git/+log/65a55343e623..b7384b5b9979

$ git log 65a55343e..b7384b5b9 --date=short --no-merges --format='%ad %ae %s'
2017-06-13 thestig Improve ObserverPtr usage in CFFL_InteractiveFormFiller.
2017-06-13 thestig Check for destroyed annotations in CPDFSDK_WidgetHandler::OnLoad().
2017-06-13 thestig Add more checks for destroyed annotations in CFFL_FormFiller.

Created with:
  roll-dep src/third_party/pdfium

BUG=732322,732039,732051

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I294c193c4276262e5503c4168254bef5ceb8577e
Reviewed-on: https://chromium-review.googlesource.com/537339
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479811}

[modify] https://crrev.com/a1d936022aea1afbfb396cc01da7ce031e08102f/DEPS
Aug 28 2017
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Aug 28 2017
Nice one! The VRP Panel decided to award $3,000 for this report; thank you!
Sep 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot