Issue metadata
Heap-buffer-overflow in blit_row_s32a_opaque
Reported by
zhouzhen...@gmail.com,
Jul 20 2017
Issue description
VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test
The attached file crashes pdfium_test as follows:
Rendering PDF file /tmp/poc.pdf.
=================================================================
==9420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000281f at pc 0x0000005cf591 bp 0x7ffdd1cd94a0 sp 0x7ffdd1cd9498
READ of size 16 at 0x62600000281f thread T0
#0 0x5cf590 in sse2::blit_row_s32a_opaque(unsigned int*, unsigned int const*, int, unsigned int) third_party/skia/src/opts/SkBlitRow_opts.h:135:19
#1 0xf7c55b in Sprite_D32_S32::blitRect(int, int, int, int) third_party/skia/src/core/SkSpriteBlitter_ARGB32.cpp:46:13
#2 0xbb7730 in blitrect third_party/skia/src/core/SkScan.cpp:22:14
#3 0xbb7730 in SkScan::FillIRect(SkIRect const&, SkRegion const*, SkBlitter*) third_party/skia/src/core/SkScan.cpp:33
#4 0xbb7c48 in SkScan::FillIRect(SkIRect const&, SkRasterClip const&, SkBlitter*) third_party/skia/src/core/SkScan.cpp:80:9
#5 0xae310f in SkDraw::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:1265:17
#6 0xf0338b in SkBitmapDevice::drawBitmap(SkBitmap const&, SkMatrix const&, SkPaint const&) third_party/skia/src/core/SkBitmapDevice.cpp:239:18
#7 0x9c6d95 in SkCanvas::onDrawBitmap(SkBitmap const&, float, float, SkPaint const*) third_party/skia/src/core/SkCanvas.cpp:2302:27
#8 0x172fbf4 in CFX_SkiaDeviceDriver::GetDIBits(CFX_RetainPtr<CFX_DIBitmap> const&, int, int) core/fxge/skia/fx_skia_device.cpp:1998:10
#9 0x130d694 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1574:16
#10 0x130bf3e in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1102:7
#11 0x130b9e5 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1077:5
#12 0x131581b in CPDF_RenderStatus::LoadSMask(CPDF_Dictionary*, FX_RECT*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:2635:10
#13 0x130e012 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1622:9
#14 0x130f695 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_Pause*) core/fpdfapi/render/cpdf_renderstatus.cpp:1131:7
#15 0x1307808 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:83:30
#16 0x5377fe in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) fpdfsdk/fpdfview.cpp:120:26
#17 0x536fda in FPDF_RenderPage_Retail fpdfsdk/fpdfview.cpp:1164:3
#18 0x536fda in FPDF_RenderPageBitmap fpdfsdk/fpdfview.cpp:904
#19 0x4fad12 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:938:5
#20 0x4fd1df in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:1166:9
#21 0x4fe44d in main samples/pdfium_test.cc:1307:5
#22 0x7f20b25a1f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
0x62600000281f is located 11 bytes to the right of 10004-byte region [0x626000000100,0x626000002814)
allocated by thread T0 here:
#0 0x4ca0a3 in __interceptor_malloc (/home/henices/repo/pdfium/out/asan/pdfium_test+0x4ca0a3)
#1 0x16a40fe in PartitionAllocGenericFlags third_party/base/allocator/partition_allocator/partition_alloc.h:787:18
#2 0x16a40fe in PartitionAllocGeneric third_party/base/allocator/partition_allocator/partition_alloc.h:808
#3 0x16a40fe in FX_SafeAlloc core/fxcrt/fx_memory.h:46
#4 0x16a40fe in CFX_DIBitmap::Create(int, int, FXDIB_Format, unsigned char*, int) core/fxge/dib/cfx_dibitmap.cpp:61
#5 0x1736006 in CFX_DefaultRenderDevice::Create(int, int, FXDIB_Format, CFX_RetainPtr<CFX_DIBitmap> const&) core/fxge/skia/fx_skia_device.cpp:2381:17
#6 0x1314d62 in CPDF_RenderStatus::LoadSMask(CPDF_Dictionary*, FX_RECT*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:2578:22
#7 0x130e012 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1622:9
#8 0x130f695 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_Pause*) core/fpdfapi/render/cpdf_renderstatus.cpp:1131:7
#9 0x1307808 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:83:30
#10 0x5377fe in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) fpdfsdk/fpdfview.cpp:120:26
#11 0x536fda in FPDF_RenderPage_Retail fpdfsdk/fpdfview.cpp:1164:3
#12 0x536fda in FPDF_RenderPageBitmap fpdfsdk/fpdfview.cpp:904
#13 0x4fad12 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*, FPDF_FORMFILLINFO_PDFiumTest&, int, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:938:5
#14 0x4fd1df in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:1166:9
#15 0x4fe44d in main samples/pdfium_test.cc:1307:5
#16 0x7f20b25a1f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/skia/src/opts/SkBlitRow_opts.h:135:19 in sse2::blit_row_s32a_opaque(unsigned int*, unsigned int const*, int, unsigned int)
Shadow bytes around the buggy address:
0x0c4c7fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff8500: 00 00 04[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9420==ABORTING
VERSION
latest asan build of pdfium_test (64-bit linux)
REPRODUCTION CASE
Attached in poc.pdf
Jul 20 2017
Certainly possible that there is a bug in the blit, but seems more likely that somewhere up-stack the caller is asking Skia to draw outside of legal bounds.
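The ASan trace in the report shows a 16-byte SSE2 read starting 11 bytes past the end of a 10004-byte bitmap allocation, and the comment above reads it as the caller handing Skia a rect that extends outside the source bitmap. The C program below is an added illustration, not PDFium or Skia code: it models a 32bpp source bitmap, a 4-pixels-per-step row copy in the shape of blit_row_s32a_opaque, a function that computes how far past the allocation an unclipped rect would read, and the clip a caller must apply before blitting. The bitmap sizes, the one-row-too-tall rect and every type and function name are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed types for the example; CFX_DIBitmap and SkIRect are richer than this. */
typedef struct {
    int width, height;   /* pixels */
    size_t row_bytes;    /* bytes per row (>= width * 4 for 32bpp) */
    size_t alloc_size;   /* bytes actually allocated for pixels */
    uint32_t *pixels;
} bitmap32_t;

typedef struct { int left, top, right, bottom; } irect_t;  /* right/bottom exclusive */

static bitmap32_t make_bitmap(int w, int h) {
    bitmap32_t b = { w, h, (size_t)w * 4, (size_t)w * 4 * (size_t)h, NULL };
    b.pixels = calloc(b.alloc_size, 1);
    return b;
}

/* Row copy in the shape of the SSE2 fast path: 16 bytes (4 pixels) per step, scalar tail.
 * It trusts its arguments completely; a caller that computed src from an unclipped rect
 * drives it off the end of the allocation, which is the read ASan reported above. */
static void blit_row_4px(uint32_t *dst, const uint32_t *src, int count) {
    while (count >= 4) {
        memcpy(dst, src, 16);  /* stands in for the _mm_loadu_si128/_mm_storeu_si128 pair */
        dst += 4; src += 4; count -= 4;
    }
    while (count-- > 0) *dst++ = *src++;
}

/* How many bytes past the end of src's allocation a blit of rect r would read; 0 if none. */
static size_t src_overshoot_bytes(const bitmap32_t *src, irect_t r) {
    if (r.left >= r.right || r.top >= r.bottom) return 0;   /* empty rect: no reads */
    if (r.left < 0 || r.top < 0) return SIZE_MAX;            /* reads before the start */
    size_t end = (size_t)(r.bottom - 1) * src->row_bytes + (size_t)r.right * 4;
    return end > src->alloc_size ? end - src->alloc_size : 0;
}

/* The clip a caller must apply before blitting: intersect r with the bitmap's bounds.
 * Returns false when nothing is left to draw. */
static bool clip_rect_to_bitmap(irect_t *r, const bitmap32_t *b) {
    if (r->left < 0) r->left = 0;
    if (r->top < 0) r->top = 0;
    if (r->right > b->width) r->right = b->width;
    if (r->bottom > b->height) r->bottom = b->height;
    return r->left < r->right && r->top < r->bottom;
}

/* Copy rect r of src to dst at (dx, dy), refusing to run if any read or write would leave
 * its allocation. Returns false instead of touching memory out of bounds. */
static bool blit_rect_checked(bitmap32_t *dst, const bitmap32_t *src, irect_t r, int dx, int dy) {
    int w = r.right - r.left, h = r.bottom - r.top;
    if (w <= 0 || h <= 0) return true;
    if (src_overshoot_bytes(src, r) != 0) return false;
    if (dx < 0 || dy < 0 || dx + w > dst->width || dy + h > dst->height) return false;
    for (int y = 0; y < h; y++) {
        const uint32_t *s = (const uint32_t *)((const uint8_t *)src->pixels
                            + (size_t)(r.top + y) * src->row_bytes) + r.left;
        uint32_t *d = (uint32_t *)((uint8_t *)dst->pixels
                      + (size_t)(dy + y) * dst->row_bytes) + dx;
        blit_row_4px(d, s, w);
    }
    return true;
}

/* Constructed scenario: a 50x50 source (10000 bytes) and a rect one row too tall. */
static size_t demo_unclipped_overshoot(void) {
    bitmap32_t src = make_bitmap(50, 50);
    irect_t r = { 0, 0, 50, 51 };
    size_t over = src_overshoot_bytes(&src, r);  /* one full row: 200 bytes */
    free(src.pixels);
    return over;
}

/* The same rect is rejected unclipped and accepted once clipped; the copy is then exact. */
static bool demo_clipped_blit(void) {
    bitmap32_t src = make_bitmap(50, 50), dst = make_bitmap(50, 50);
    for (int i = 0; i < 50 * 50; i++) src.pixels[i] = 0xFF000000u | (uint32_t)i;
    irect_t r = { 0, 0, 50, 51 };
    bool unclipped_ok = blit_rect_checked(&dst, &src, r, 0, 0);
    bool clipped_ok = clip_rect_to_bitmap(&r, &src) && blit_rect_checked(&dst, &src, r, 0, 0);
    bool exact = memcmp(src.pixels, dst.pixels, src.alloc_size) == 0;
    free(src.pixels); free(dst.pixels);
    return !unclipped_ok && clipped_ok && exact;
}

int main(void) {
    printf("unclipped rect would read %zu bytes past the source allocation\n",
           demo_unclipped_overshoot());
    printf("clip-then-blit: %s\n", demo_clipped_blit() ? "ok" : "FAILED");
    return 0;
}
```

The point of the split is where the check lives: the row blitter stays a tight loop with no bounds knowledge, so the only safe place to stop a bad rect is at the caller, before the src/dst pointers are derived from it. Running a build like this under ASan turns the missing clip into a report like the one above; without ASan the same read silently returns whatever follows the allocation.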
Jul 20 2017
It looks like the caller has enabled pdf_use_skia = true. This option is not currently tested beyond making sure it compiles. pdf_use_skia_paths = true is being tested though, but this does not call Skia from GetDIBits. What does args.gn in out/asan contain?
Jul 21 2017
args.gn
use_goma = false  # Googlers only. Make sure goma is installed and running first.
is_debug = false  # Enable debugging features.
pdf_use_skia = true  # Set true to enable experimental skia backend.
pdf_use_skia_paths = false  # Set true to enable experimental skia backend (paths only).
enable_nacl = false
pdf_enable_xfa = true  # Set false to remove XFA support (implies JS support).
pdf_enable_v8 = true  # Set false to remove Javascript support.
pdf_is_standalone = true  # Set for a non-embedded build.
is_component_build = false  # Disable component build (must be false)
clang_use_chrome_plugins = false  # Currently must be false.
use_sysroot = false  # Currently must be false on Linux, but entirely omitted on windows.
v8_static_library = true
is_asan = true
disable_libfuzzer = true
Jul 21 2017
pdf_use_skia = true  # Set true to enable experimental skia backend.
pdf_use_skia_paths = false  # Set true to enable experimental skia backend (paths only).
is not supported at this time. Use
pdf_use_skia = false  # Set true to enable experimental skia backend.
pdf_use_skia_paths = true  # Set true to enable experimental skia backend (paths only).
instead.
Oct 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kerrnel@chromium.org, Jul 20 2017
Labels: Security_Severity-High Security_Impact-Stable OS-All Pri-1
Owner: reed@chromium.org
Status: Assigned (was: Unconfirmed)