
Issue 750576


Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




heap-buffer-overflow in PDFium

Reported by yuanvi...@gmail.com, Jul 31 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
VULNERABILITY DETAILS
==86407:86407==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000022ddc at pc 0x0000030f38c6 bp 0x7fff29849220 sp 0x7fff29849218
READ of size 4 at 0x603000022ddc thread T0
    #0 0x30f38c5 in ClipRestore third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1073:27
    #1 0x30f38c5 in CFX_SkiaDeviceDriver::RestoreState(bool) third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1746
    #2 0x3085735 in CFX_RenderDevice::RestoreState(bool) third_party/pdfium/core/fxge/cfx_renderdevice.cpp:417:22
    #3 0x2ceafc3 in CPDF_RenderStatus::ProcessClipPath(CPDF_ClipPath, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1390:18
    #4 0x2ceaab6 in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1092:3
    #5 0x2cea5d2 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1068:5
    #6 0x2cf445c in CPDF_RenderStatus::LoadSMask(CPDF_Dictionary*, FX_RECT*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2623:10
    #7 0x2cecb64 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1613:9
    #8 0x2ceaad8 in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1093:7
    #9 0x2cea5d2 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1068:5
    #10 0x2cf16a0 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1274:12
    #11 0x2cedc3f in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1182:14
    #12 0x2cec9f9 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1603:17
    #13 0x2cee1af in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1122:7
    #14 0x2ce6842 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:81:30
    #15 0x1dc3e2f in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:127:26
    #16 0x1dc383e in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:1182:3
    #17 0x1db7ca8 in FPDF_RenderPageBitmap_Start third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
    #18 0x4fc379 in RenderPage third_party/pdfium/samples/pdfium_test.cc:1171:16
    #19 0x4fc379 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:1367
    #20 0x4f7a4a in main third_party/pdfium/samples/pdfium_test.cc:1526:5
    #21 0x7f289b81c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

0x603000022ddc is located 4 bytes to the left of 24-byte region [0x603000022de0,0x603000022df8)
allocated by thread T0 here:
    #0 0x4c9117 in __interceptor_realloc (/home/chrome/chromium/src/out/release/pdfium_test+0x4c9117)
    #1 0x22b4f3d in sk_realloc_throw(void*, unsigned long) skia/ext/SkMemory_new_handler.cpp:43:35
    #2 0x310592f in resizeStorageToAtLeast third_party/skia/include/pathops/../private/SkTDArray.h:384:22
    #3 0x310592f in setCount third_party/skia/include/pathops/../private/SkTDArray.h:156
    #4 0x310592f in adjustCount third_party/skia/include/pathops/../private/SkTDArray.h:369
    #5 0x310592f in append third_party/skia/include/pathops/../private/SkTDArray.h:182
    #6 0x310592f in append third_party/skia/include/pathops/../private/SkTDArray.h:174
    #7 0x310592f in push third_party/skia/include/pathops/../private/SkTDArray.h:291
    #8 0x310592f in SkiaState::SetClip(SkPath const&) third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1000
    #9 0x30f49b3 in SkiaState::SetClipFill(CFX_PathData const*, CFX_Matrix const*, int) third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:976:12
    #10 0x30f3b12 in CFX_SkiaDeviceDriver::SetClip_PathFill(CFX_PathData const*, CFX_Matrix const*, int) third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1800:27
    #11 0x308613b in CFX_RenderDevice::SetClip_PathFill(CFX_PathData const*, CFX_Matrix const*, int) third_party/pdfium/core/fxge/cfx_renderdevice.cpp:454:25
    #12 0x2ceae80 in CPDF_RenderStatus::ProcessClipPath(CPDF_ClipPath, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1413:18
    #13 0x2ceaab6 in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1092:3
    #14 0x2cea5d2 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1068:5
    #15 0x2cf445c in CPDF_RenderStatus::LoadSMask(CPDF_Dictionary*, FX_RECT*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2623:10
    #16 0x2cecb64 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1613:9
    #17 0x2ceaad8 in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1093:7
    #18 0x2cea5d2 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjectHolder const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1068:5
    #19 0x2cf16a0 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject const*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1274:12
    #20 0x2cedc3f in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1182:14
    #21 0x2cec9f9 in CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject*, CFX_Matrix const*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1603:17
    #22 0x2cee1af in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1122:7
    #23 0x2ce6842 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:81:30
    #24 0x1dc3e2f in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:127:26
    #25 0x1dc383e in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:1182:3
    #26 0x1db7ca8 in FPDF_RenderPageBitmap_Start third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
    #27 0x4fc379 in RenderPage third_party/pdfium/samples/pdfium_test.cc:1171:16
    #28 0x4fc379 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) third_party/pdfium/samples/pdfium_test.cc:1367
    #29 0x4f7a4a in main third_party/pdfium/samples/pdfium_test.cc:1526:5
    #30 0x7f289b81c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1073:27 in ClipRestore
Shadow bytes around the buggy address:
  0x0c067fffc560: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffc570: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c067fffc580: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fa
  0x0c067fffc590: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
  0x0c067fffc5a0: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fffc5b0: fd fd fd fa fa fa fd fd fd fd fa[fa]00 00 00 fa
  0x0c067fffc5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffc5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffc600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==86407:86407==ABORTING
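The report above is worth reading mechanically rather than by eye: the READ is 4 bytes wide, the faulting address is 4 bytes to the left of a 24-byte heap region that SkTDArray::push grew with realloc, and the bracketed shadow byte is `fa` (heap left redzone), which together describe a read of one 4-byte element before index 0 of the array. The following triage helper is an added example, not code from PDFium, Skia or this bug report. It parses the ERROR, READ/WRITE, "is located ... region" and `=>` shadow lines of an ASan report into the facts a triager checks first, and cross-checks that the bracketed shadow byte sits where the faulting address maps to. `SAMPLE_REPORT` is an excerpt constructed from the report on this page; the shadow mapping `shadow = (addr >> 3) + 0x7fff8000` is the default for x86_64 Linux and is assumed here because the issue is filed against Linux.

```python
"""Triage helper for an AddressSanitizer heap-buffer-overflow report.

Added example: not code from PDFium, Skia or this bug report. It parses the
ERROR, READ/WRITE, "is located ... region" and '=>' shadow lines of an ASan
report and derives access kind and size, the bounds of the nearest heap
allocation, the signed offset of the faulting address from it, and the meaning
of the bracketed shadow byte. SAMPLE_REPORT is an excerpt constructed from the
report in this issue.
"""
import re
from dataclasses import dataclass

# Shadow byte legend as ASan prints it; one shadow byte covers 8 app bytes.
SHADOW_LEGEND = {
    0x00: "Addressable", 0xfa: "Heap left redzone", 0xfd: "Freed heap region",
    0xf1: "Stack left redzone", 0xf2: "Stack mid redzone",
    0xf3: "Stack right redzone", 0xf5: "Stack after return",
    0xf8: "Stack use after scope", 0xf9: "Global redzone",
    0xf6: "Global init order", 0xf7: "Poisoned by user",
    0xfc: "Container overflow", 0xac: "Array cookie",
    0xbb: "Intra object redzone", 0xfe: "ASan internal",
    0xca: "Left alloca redzone", 0xcb: "Right alloca redzone",
}
# Assumption: default x86_64 Linux mapping, shadow = (addr >> 3) + this offset.
SHADOW_OFFSET_X86_64 = 0x7FFF8000

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of "
                       r"\d+-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME0_RE = re.compile(r"^#0 0x[0-9a-f]+ in (\S+) (\S+)")
SHADOW_RE = re.compile(r"^=>(0x[0-9a-f]+):(.*)$")

# Constructed excerpt of the report in this issue (stacks shortened).
SAMPLE_REPORT = """\
==86407:86407==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000022ddc at pc 0x0000030f38c6 bp 0x7fff29849220 sp 0x7fff29849218
READ of size 4 at 0x603000022ddc thread T0
    #0 0x30f38c5 in ClipRestore third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1073:27
    #1 0x30f38c5 in CFX_SkiaDeviceDriver::RestoreState(bool) third_party/pdfium/core/fxge/skia/fx_skia_device.cpp:1746

0x603000022ddc is located 4 bytes to the left of 24-byte region [0x603000022de0,0x603000022df8)
allocated by thread T0 here:
    #0 0x4c9117 in __interceptor_realloc (/home/chrome/chromium/src/out/release/pdfium_test+0x4c9117)
    #1 0x22b4f3d in sk_realloc_throw(void*, unsigned long) skia/ext/SkMemory_new_handler.cpp:43:35

Shadow bytes around the buggy address:
  0x0c067fffc5a0: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x0c067fffc5b0: fd fd fd fa fa fa fd fd fd fd fa[fa]00 00 00 fa
  0x0c067fffc5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""


@dataclass
class AsanTriage:
    bug_type: str
    access_kind: str
    access_size: int
    address: int
    region_start: int
    region_end: int
    offset: int        # < 0: bytes before the region, > 0: bytes past its end, 0: inside
    fault_frame: str   # function at frame #0 of the crashing stack
    fault_site: str    # file:line:col of that frame
    shadow_byte: int
    shadow_meaning: str
    shadow_row_consistent: bool  # bracketed byte is where the mapping puts the address


def describe_shadow(byte: int) -> str:
    """Map a shadow byte to the legend text ASan prints for it."""
    if 1 <= byte <= 7:
        return f"Partially addressable ({byte} of 8 bytes)"
    return SHADOW_LEGEND.get(byte, f"Unknown (0x{byte:02x})")


def parse_asan_report(text: str) -> AsanTriage:
    """Extract the triage facts from one ASan report; first #0 is the crash frame."""
    bug_type = access_kind = fault_frame = fault_site = ""
    access_size = address = region_start = region_end = 0
    shadow_byte, consistent = -1, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.search(line):
            bug_type, address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            access_kind, access_size = m.group(1), int(m.group(2))
        elif (m := FRAME0_RE.match(line)) and not fault_frame:
            fault_frame, fault_site = m.group(1), m.group(2)
        elif m := REGION_RE.search(line):
            region_start, region_end = int(m.group(1), 16), int(m.group(2), 16)
        elif m := SHADOW_RE.match(line):
            row_base = int(m.group(1), 16)
            cells = re.findall(r"(\[?)([0-9a-f]{2})", m.group(2))
            idx = next(i for i, (bracket, _) in enumerate(cells) if bracket == "[")
            shadow_byte = int(cells[idx][1], 16)
            consistent = ((address >> 3) + SHADOW_OFFSET_X86_64) - row_base == idx
    if address < region_start:
        offset = address - region_start
    elif address >= region_end:
        offset = address - region_end
    else:
        offset = 0
    return AsanTriage(bug_type, access_kind, access_size, address, region_start,
                      region_end, offset, fault_frame, fault_site, shadow_byte,
                      describe_shadow(shadow_byte), consistent)


def summarize(t: AsanTriage) -> str:
    """One-line triage summary of the parsed report."""
    where = (f"{-t.offset} bytes before" if t.offset < 0 else
             f"{t.offset} bytes past the end of" if t.offset > 0 else "inside")
    return (f"{t.bug_type}: {t.access_kind} of {t.access_size} bytes at 0x{t.address:x}, "
            f"{where} a {t.region_end - t.region_start}-byte heap region, in "
            f"{t.fault_frame} ({t.fault_site}); shadow 0x{t.shadow_byte:02x} = {t.shadow_meaning}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

On this report the helper yields a 4-byte READ at offset -4 from a 24-byte region, shadow byte `fa` at index 11 of the `=>` row, which is exactly where `(0x603000022ddc >> 3) + 0x7fff8000 = 0x0c067fffc5bb` lands. The consistency check matters in practice because reports copied between tools occasionally lose or shift the `=>` row; a mismatch there is a sign the excerpt no longer belongs to the stack above it.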

VERSION
commit 224091ca04a0477907b9efb559391f2c5f6c125f

REPRODUCTION CASE
build pdfium_test with these options
```
is_asan = true
is_debug = false

pdf_use_skia = true
pdf_enable_v8 = true
pdf_enable_xfa = true
pdf_enable_xfa_bmp = true
pdf_enable_xfa_gif = true
pdf_enable_xfa_png = true
pdf_enable_xfa_tiff = true
```
```
./pdfium_test poc.pdf
```

What is the expected behavior?

What went wrong?
pdfium_test (ASan build) reports a heap-buffer-overflow

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 26.0 r0
 
Project Member

Comment 1 by ClusterFuzz, Jul 31 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5465626109018112.

Comment 2 by vakh@chromium.org, Jul 31 2017

Cc: tsepez@chromium.org dsinclair@chromium.org
Components: Internals>Plugins>PDF

Comment 3 by vakh@chromium.org, Jul 31 2017

Owner: caryclark@chromium.org
Status: Assigned (was: Unconfirmed)
Status: WontFix (was: Assigned)
pdf_use_skia = true

is not a supported option. To test Skia, please use

pdf_use_skia_paths = true

Project Member

Comment 5 by sheriffbot@chromium.org, Nov 6 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
