Failure to check the return result of NewFxDynamicObj

Reported by sljro...@gmail.com, Aug 11 2017

Issue description

According to this previous bug (https://pdfium-review.googlesource.com/c/2839), the NewFxDynamicObject() call in C++ does not necessarily properly initialize the internal fields of the corresponding constructor. In several files, NewFxDynamicObject() is called but the return result is not checked with a call to IsEmpty(). Here is the list of the files where the lack of IsEmpty() call might introduce an issue:

https://pdfium.googlesource.com/pdfium/+/refs/changes/39/2839/2/fpdfsdk/javascript/global.cpp#212
https://pdfium.googlesource.com/pdfium/+/master/fpdfsdk/javascript/global.cpp#337
https://pdfium.googlesource.com/pdfium/+/master/fxjs/fxjs_v8.cpp#411
https://pdfium.googlesource.com/pdfium/+/master/fxjs/fxjs_v8.cpp#481
https://pdfium.googlesource.com/pdfium/+/master/fxjs/fxjs_v8_embeddertest.cpp#194
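To triage the pattern this report describes across a source tree, here is an added example (not PDFium code, not part of the original report): a small Python checker that flags assignments from NewFxDynamicObject() whose result variable is used before any IsEmpty() check. The argument names passed to NewFxDynamicObject() in the sample are assumed placeholders, and the sample source itself is constructed rather than taken from the linked files.

```python
import re

# Matches "... var = NewFxDynamicObject(" and captures the variable name.
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*NewFxDynamicObject\s*\(")


def unchecked_calls(source: str, window: int = 5) -> list:
    """Return (line_no, var) for each NewFxDynamicObject() assignment whose
    result is used within `window` following lines without an IsEmpty()
    check on it first. Line-based heuristic, not a C++ parser."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        var = re.escape(m.group(1))
        check_re = re.compile(rf"\b{var}\s*(->|\.)\s*IsEmpty\s*\(")
        use_re = re.compile(rf"\b{var}\b")
        for follow in lines[idx + 1 : idx + 1 + window]:
            if check_re.search(follow):
                break  # checked before use: fine
            if use_re.search(follow):
                findings.append((idx + 1, m.group(1)))  # used unchecked
                break
    return findings


# Constructed sample input (argument names are placeholders, not PDFium's).
SAMPLE = """\
v8::Local<v8::Object> pObj = NewFxDynamicObject(pIsolate, pContext, nID);
pObj->SetAlignedPointerInInternalField(0, pBase);  // used before any check

v8::Local<v8::Object> pOk = NewFxDynamicObject(pIsolate, pContext, nID);
if (pOk.IsEmpty())
  return v8::Local<v8::Object>();
pOk->SetAlignedPointerInInternalField(0, pBase);
"""

if __name__ == "__main__":
    for line_no, var in unchecked_calls(SAMPLE):
        print(f"line {line_no}: {var} from NewFxDynamicObject() used without IsEmpty() check")
```

Only the first call site is reported; the second one guards the empty handle before dereferencing it.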

Aug 11 2017
Assigning sev high out of an abundance of caution, though I don't think there's an issue here.

Aug 14 2017
Here we're talking about getting a NULL object (whereas https://pdfium-review.googlesource.com/c/2839 requires a non-NULL object with internal slots), and it looks like the worst that can happen is a fixed-offset NULL deref. Such crashes are functional bugs, not security issues. Still, we should catch these, although I've not seen a lot of crash stats implicating these.

Aug 15 2017
Thanks for taking care of this.

Aug 16 2017
https://pdfium.googlesource.com/pdfium/+/63b2fc7e0248d2112935775f52027a018b9aa737

Comment 1 by tsepez@chromium.org, Aug 11 2017: Status: Assigned (was: Unconfirmed)