Security: PDFium calls opj_free() on heap memory returned by FX_Alloc()
Reported by
stackexp...@gmail.com,
Aug 7 2017
Issue description

VULNERABILITY DETAILS
Same as Issue 752829, but this time opj_free() tries to free heap memory returned by FX_Alloc(). This issue affects the following functions:
1. sycc444_to_rgb
2. sycc422_to_rgb
3. sycc420_to_rgb
4. color_apply_conversion

Let's take function sycc422_to_rgb for example. In this function, the value of img->comps[*].data will be updated to a heap buffer returned by FX_Alloc.

    static void sycc422_to_rgb(opj_image_t* img) {
      // skipped...
      int *d0, *d1, *d2, *r, *g, *b;
      d0 = r = FX_Alloc(int, max_size.ValueOrDie());
      d1 = g = FX_Alloc(int, max_size.ValueOrDie());
      d2 = b = FX_Alloc(int, max_size.ValueOrDie());
      // skipped...
      FX_Free(img->comps[0].data);
      img->comps[0].data = d0;  // --> returned by FX_Alloc()
      FX_Free(img->comps[1].data);
      img->comps[1].data = d1;  // --> returned by FX_Alloc()
      FX_Free(img->comps[2].data);
      img->comps[2].data = d2;  // --> returned by FX_Alloc()
      // skipped...
    }

However, in function opj_image_destroy of file image.c, the pointer will be freed by function opj_free().

    void OPJ_CALLCONV opj_image_destroy(opj_image_t *image) {
      if (image) {
        if (image->comps) {
          OPJ_UINT32 compno;
          /* image components */
          for (compno = 0; compno < image->numcomps; compno++) {
            opj_image_comp_t *image_comp = &(image->comps[compno]);
            if (image_comp->data) {
              opj_free(image_comp->data);  // --> opj_free()
            }
          }
          opj_free(image->comps);
        }
        if (image->icc_profile_buf) {
          opj_free(image->icc_profile_buf);
        }
        opj_free(image);
      }
    }

VERSION
Chrome Version: latest pdfium
Operating System: All

REPRODUCTION CASE
Same as Issue 752829; by replacing FX_Free with free in function sycc422_to_rgb, we can trigger the crash easily.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
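The ownership mismatch described in the report, reduced to a stand-alone C program. This is an added example, not PDFium or OpenJPEG code: lib_alloc()/lib_free() stand in for the library-side opj_malloc()/opj_free(), app_alloc_ints()/app_free() stand in for FX_Alloc()/FX_Free(), and lib_free() keeps a small registry of live pointers (an assumption made for the demo) so that a pointer from the wrong allocator is detected and counted instead of corrupting the heap. convert_buggy() mirrors the pattern in sycc422_to_rgb(): the old component buffers are released correctly, but the replacements come from the other allocator, so image_destroy(), which mirrors opj_image_destroy(), later frees them with the library routine. convert_fixed() allocates the replacements from the allocator that will free them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUMCOMPS 3
#define LIB_MAX_LIVE 64

typedef struct { int *data; } comp_t;
typedef struct { comp_t comps[NUMCOMPS]; } image_t;

/* Library-side allocator (stand-in for opj_malloc/opj_free). Every pointer it
 * hands out is recorded so lib_free() can tell its own blocks from foreign ones.
 * Real allocators have no such check; a foreign pointer is silent heap damage. */
static void *lib_live[LIB_MAX_LIVE];

static void *lib_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < LIB_MAX_LIVE; i++)
        if (!lib_live[i]) { lib_live[i] = p; return p; }
    free(p);
    return NULL;            /* registry full (demo limit) */
}

/* Returns 0 when the block was ours and is now released, -1 when the caller
 * handed us memory from a different allocator (the bug in the report). */
static int lib_free(void *p)
{
    if (!p) return 0;
    for (int i = 0; i < LIB_MAX_LIVE; i++)
        if (lib_live[i] == p) { lib_live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Application-side allocator (stand-in for FX_Alloc/FX_Free). */
static int *app_alloc_ints(size_t count) { return calloc(count, sizeof(int)); }
static void app_free(void *p) { free(p); }

/* The decoder fills the image with library-owned component buffers. */
static void image_init(image_t *img, size_t n)
{
    for (int c = 0; c < NUMCOMPS; c++)
        img->comps[c].data = lib_alloc(n * sizeof(int));
}

/* Buggy conversion, as in sycc422_to_rgb(): old buffers are freed with the
 * right routine, but the replacements belong to the application allocator. */
static void convert_buggy(image_t *img, size_t n)
{
    for (int c = 0; c < NUMCOMPS; c++) {
        int *d = app_alloc_ints(n);
        lib_free(img->comps[c].data);
        img->comps[c].data = d;     /* now owned by the wrong allocator */
    }
}

/* Fixed conversion: replacements come from the allocator that destroy uses. */
static void convert_fixed(image_t *img, size_t n)
{
    for (int c = 0; c < NUMCOMPS; c++) {
        int *d = lib_alloc(n * sizeof(int));
        lib_free(img->comps[c].data);
        img->comps[c].data = d;
    }
}

/* Mirrors opj_image_destroy(): releases every component with the library free.
 * Returns the number of components that were not library-owned; those are left
 * in place (a real opj_free() would pass them to the wrong free() anyway). */
static int image_destroy(image_t *img)
{
    int mismatches = 0;
    for (int c = 0; c < NUMCOMPS; c++) {
        if (lib_free(img->comps[c].data) == 0)
            img->comps[c].data = NULL;
        else
            mismatches++;
    }
    return mismatches;
}

/* Runs one conversion path on a small image and reports mismatched frees.
 * Survivors of the buggy path are released here only because the demo knows
 * which allocator produced them; library code has no way to know that. */
static int run_path(int fixed)
{
    image_t img;
    image_init(&img, 64);
    if (fixed) convert_fixed(&img, 64); else convert_buggy(&img, 64);
    int mismatches = image_destroy(&img);
    for (int c = 0; c < NUMCOMPS; c++) app_free(img.comps[c].data);
    return mismatches;
}

int main(void)
{
    printf("buggy path: %d mismatched frees\n", run_path(0));
    printf("fixed path: %d mismatched frees\n", run_path(1));
    return 0;
}
```

The check in lib_free() is what makes the bug visible here; in the real code the only signal is a crash or heap corruption when the two allocators are backed by different heaps. The general rule the example illustrates: any buffer a library will release through its own free routine must be allocated with that library's matching allocator, or ownership must be transferred through an API the library provides for it.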
Comment 1 by stackexp...@gmail.com, Aug 7 2017
A patch can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=752829#c5
Aug 7 2017
I'm going to dup this into 752829, and tackle it all at once. It's pretty much the same issue.
Nov 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot