Starred by 1 user
Status: Fixed
Owner:
Closed: Jun 29
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security
Security: Stack overflow write (in fpdf_flatten.cpp)
Reported by look.wan...@gmail.com, Jun 13
Version:
asan-linux-stable-59.0.3071.86
Version 59.0.3071.86 (Official Build) (64-bit) (On Windows 10)


Root cause:
https://cs.chromium.org/chromium/src/third_party/pdfium/fpdfsdk/fpdf_flatten.cpp?gsn=ParserAnnots&l=313

  if (nStreams > 0) {
    for (int iKey = 0; /*iKey < 100*/; iKey++) {
      char sExtend[5] = {};
      FXSYS_itoa(iKey, sExtend, 10);
      key = CFX_ByteString("FFT") + CFX_ByteString(sExtend);
      if (!pPageXObject->KeyExist(key))
        break;
    }
  }

Buffer "sExtend" could be overflowed.

Reproduction case:
There are two PoCs in the uploaded zip file: smallpoc.pdf and largepoc.pdf.
Use smallpoc.pdf for asan-linux-stable-59.0.3071.86 to trigger the buffer overflow faster.

1) asan-linux-stable-59.0.3071.86:
  Open smallpoc.pdf and wait for a few seconds (maybe 10s) for Chrome to load it completely;
  Click the "print" icon in the top-right corner and wait for a few seconds (maybe 10s):
  ==6113==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0f2f8f79d5 at pc 0x55a05e6ce298 bp 0x7ffd6b0e5100 sp 0x7ffd6b0e50f8
WRITE of size 1 at 0x7f0f2f8f79d5 thread T0 (chrome)
    #0 0x55a05e6ce297  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x136f1297)
    #1 0x55a05e65466c  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x1367766c)
    #2 0x55a05e5ee1dc  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x136111dc)
    #3 0x55a05e5ebc67  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x1360ec67)
    #4 0x55a05e5eb25a  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x1360e25a)
    #5 0x55a05e62f4af  (/home/test/work/asan-linux-stable-59.0.3071.86/chrome+0x136524af)

2) Version 59.0.3071.86 (Official Build) (64-bit) (On Windows 10):
   Open largepoc.pdf and wait for a few seconds (maybe 60s) for Chrome to load it completely;
   Click the "print" icon in the top-right corner and wait for a few seconds (maybe 60s):
   The tab would crash (detected by stack protection).


My computer is a little old; every step should be faster on your computer.

Attachment: pocs.zip (26.0 MB)
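The defect in the snippet above is a decimal counter written by an itoa-style routine (digits plus NUL, no length argument) into a 5-byte stack buffer, with the loop bound that would have kept the counter below 100 commented out: once iKey reaches 10000 the key needs 6 bytes. The following C++ is an added illustration of that bug class and a bounded alternative; it is not pdfium's code and not the fix that landed in the referenced commit. The helper names (fft_key_bytes_needed, max_safe_key, make_fft_key, find_free_fft_key) and the set of already-taken keys are assumptions constructed for the example.

```cpp
// Added example (not pdfium's code): size arithmetic for the fixed-buffer
// pattern in fpdf_flatten.cpp, beside a bounded way to build and search
// "FFT<n>" keys. Helper names are assumptions made for this illustration.
#include <climits>
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>

// Bytes an itoa-style call writes for a non-negative decimal value:
// the digits plus the terminating NUL.
std::size_t fft_key_bytes_needed(int iKey) {
    std::size_t digits = 1;
    for (int v = iKey; v >= 10; v /= 10) ++digits;
    return digits + 1;
}

// Largest counter value a buffer of buf_size bytes can hold via itoa.
// For `char sExtend[5]` this is 9999; the write for 10000 needs 6 bytes.
// Returns -1 when the buffer cannot even hold one digit and a NUL.
int max_safe_key(std::size_t buf_size) {
    if (buf_size < 2) return -1;
    long long limit = 1;  // 10^(buf_size - 1), capped once it passes INT_MAX
    for (std::size_t d = 0; d < buf_size - 1 && limit <= INT_MAX; ++d) limit *= 10;
    long long max_key = limit - 1;
    return max_key > INT_MAX ? INT_MAX : static_cast<int>(max_key);
}

// Bounded key construction: std::string grows with the value, so there is
// no fixed-size buffer for a large counter to run past.
std::string make_fft_key(int iKey) {
    return "FFT" + std::to_string(iKey);
}

// Bounded search: max_keys plays the role of the commented-out `iKey < 100`
// check. Returns the first free index, or -1 when every candidate name is
// already present in the (constructed) set of existing XObject keys.
int find_free_fft_key(const std::set<std::string>& existing_keys, int max_keys) {
    for (int iKey = 0; iKey < max_keys; ++iKey) {
        if (existing_keys.count(make_fft_key(iKey)) == 0) return iKey;
    }
    return -1;
}

int main() {
    // Constructed sample: a page whose XObject dictionary already has FFT0..FFT2.
    const std::set<std::string> taken = {"FFT0", "FFT1", "FFT2"};
    std::printf("5-byte buffer holds counters up to %d\n", max_safe_key(5));
    std::printf("counter 10000 needs %zu bytes\n", fft_key_bytes_needed(10000));
    std::printf("first free key index: %d\n", find_free_fft_key(taken, 100));
    return 0;
}
```

The two hardened pieces are independent: std::string removes the fixed buffer, and the explicit loop bound removes the unbounded counter. Either alone would have prevented the stack write; the bound additionally keeps a hostile page from forcing a very long search.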
Comment 1 Deleted
Components: Internals>Plugins>PDF
Project Member Comment 3 by clusterf...@chromium.org, Jun 13
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5817377630715904
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Labels: Security_Severity-High Security_Impact-Stable
Owner: thestig@chromium.org
Status: Assigned
thestig, can you please take a look?
Nice find. The iKey < 100 comparison is commented out.
Just some luck. (*^_^*)

Labels: Pri-1
Status: Started
I guess this will do: https://pdfium-review.googlesource.com/6555
Project Member Comment 9 by sheriffbot@chromium.org, Jun 14
Labels: M-59
Project Member Comment 10 by bugdroid1@chromium.org, Jun 14
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/f0f2a2a528e154b8ceeded297abc3a64007850f8

commit f0f2a2a528e154b8ceeded297abc3a64007850f8
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Jun 14 13:24:21 2017

Fix a buffer overflow in FPDFPage_Flatten().

BUG= chromium:732661 

Change-Id: Ie11a7d97db97ac969fb6230956efbf21c2ed3d87
Reviewed-on: https://pdfium-review.googlesource.com/6555
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/f0f2a2a528e154b8ceeded297abc3a64007850f8/fpdfsdk/fpdf_flatten.cpp

Project Member Comment 11 by bugdroid1@chromium.org, Jun 14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/45576f3a4a01bf8095a8934f8851983a93e31825

commit 45576f3a4a01bf8095a8934f8851983a93e31825
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed Jun 14 17:19:20 2017

Roll src/third_party/pdfium/ 957480c17..f0f2a2a52 (4 commits)

https://pdfium.googlesource.com/pdfium.git/+log/957480c17682..f0f2a2a528e1

$ git log 957480c17..f0f2a2a52 --date=short --no-merges --format='%ad %ae %s'
2017-06-13 thestig Fix a buffer overflow in FPDFPage_Flatten().
2017-06-13 thestig Fix some nits in CFFL_InteractiveFormFiller.
2017-06-13 thestig Remove deprecated FPDPage_HasFormFieldAtPoint().
2017-06-13 thestig Fix bad format string in CXFA_FM2JSContext.

Created with:
  roll-dep src/third_party/pdfium
BUG= 732661 , 732533 


Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls


TBR=dsinclair@chromium.org

Change-Id: I7e46b976b0bf8b8de2df9e9f77d5ba2957698833
Reviewed-on: https://chromium-review.googlesource.com/534941
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479430}
[modify] https://crrev.com/45576f3a4a01bf8095a8934f8851983a93e31825/DEPS

Cc: awhalley@chromium.org
Labels: M-60
awhalley: Shall we consider merging this to M59 and M60?
awhalley: Ping
Labels: -M-59 Merge-Request-60
Thanks for the ping, sorry. We should certainly take this in 60.
Project Member Comment 15 by sheriffbot@chromium.org, Jun 28
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Jun 29
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 17 by sheriffbot@chromium.org, Jun 30
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Merge-Review-60 Merge-Approved-60
This bug meets the bar for merge to M60. Approving merge. (branch: 3112)
Project Member Comment 19 by bugdroid1@chromium.org, Jul 1
Labels: -merge-approved-60 merge-merged-3112
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/46e8ecf84c0227298c5aca8ea587bd6b2bce4c87

commit 46e8ecf84c0227298c5aca8ea587bd6b2bce4c87
Author: Lei Zhang <thestig@chromium.org>
Date: Sat Jul 01 01:19:54 2017

M60: Fix a buffer overflow in FPDFPage_Flatten().

BUG= chromium:732661 
TBR=dsinclair@chromium.org

Change-Id: Ie11a7d97db97ac969fb6230956efbf21c2ed3d87
Reviewed-on: https://pdfium-review.googlesource.com/6555
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
(cherry picked from commit f0f2a2a528e154b8ceeded297abc3a64007850f8)
Reviewed-on: https://pdfium-review.googlesource.com/7231
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/46e8ecf84c0227298c5aca8ea587bd6b2bce4c87/fpdfsdk/fpdf_flatten.cpp

Labels: reward-topanel
Labels: Release-0-M60
Labels: -reward-topanel reward-unpaid reward-1000
Hi look.wangluke@! Thanks for the report. The VRP panel decided to award $1,000 for this report, but would reconsider for a higher amount if you could show how to trigger the bug requiring the user to print manually.
Labels: -reward-unpaid reward-inprocess
It's easy to trigger the bug without user interaction:
Just embed js "app.setTimeOut("this.print()", 20000);" in the pdf.

(Tested under asan-linux-stable-59.0.3071.86)

Attachment: smallpoc.pdf (16.6 MB)
After loading, wait for about 20s
Labels: CVE-2017-5095
thanks look.wangluke@ - will send back to the panel
Labels: -Reward-1000 -reward-inprocess reward-3000 reward-unpaid
And they decided to increase the reward to $3,000!
Labels: -reward-unpaid reward-inprocess
tks!
Project Member Comment 32 by sheriffbot@chromium.org, Oct 6
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot