
Issue metadata

Status: Fixed
Closed: Dec 5
Pri: 1
Type: Bug-Security


SEGV in CFX_ImageTransformer::Continue

Reported Dec 1

Issue description

Tested on:

OS: Ubuntu 16.04
Chrome: ASAN build asan-linux-release-520556

The easiest (manual) way to reproduce this issue is to open the attached PDF file in an ASAN build of Chrome and press the "Fit to page" button.

You can also load the PDF into an iframe of the correct size with the following HTML:

<iframe width="700" height="1000" src="./head-use-after-free-FXImageTransformerContinue.pdf"></iframe>

Note: a size of 700x1000 worked for me; it might depend on screen resolution.

As the crash doesn't take down the tab, only the iframe where the PDF was loaded, you can also reproduce this issue multiple times in a row with a simple piece of JavaScript: setTimeout(function(){location.reload()},1000)

ASAN-trace from Chrome:

==12270==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4d443af316 (pc 0x560ce5afdfee bp 0x7ffc56eb4270 sp 0x7ffc56eb3f80 T0)
==12270==The signal is caused by a READ memory access.
    #0 0x560ce5afdfed in CFX_ImageTransformer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:805:42
    #1 0x560ce5aef01c in CFX_ImageRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fxge/dib/cfx_imagerenderer.cpp:95:23
    #2 0x560ce5839773 in CPDF_ImageRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:544:48
    #3 0x560ce5803fda in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1108:27
    #4 0x560ce57fb9c0 in CPDF_ProgressiveRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #5 0x560ce55e4306 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:129:26
    #6 0x560ce55e3bde in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:1266:3
    #7 0x560ce5591af2 in FPDF_RenderPageBitmap_Start third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
    #8 0x560ce5523e31 in chrome_pdf::PDFiumEngine::ContinuePaint(int, pp::ImageData*) pdf/pdfium/
    #9 0x560ce5522d12 in chrome_pdf::PDFiumEngine::Paint(pp::Rect const&, pp::ImageData*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) pdf/pdfium/
    #10 0x560ce54f6663 in chrome_pdf::OutOfProcessInstance::OnPaint(std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> > const&, std::__1::vector<PaintManager::ReadyRect, std::__1::allocator<PaintManager::ReadyRect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) pdf/
    #11 0x560ce550f5a5 in PaintManager::DoPaint() pdf/
    #12 0x560ce5511d78 in PaintManager::OnFlushComplete(int) pdf/
    #13 0x560ce5511f53 in operator() ppapi/utility/completion_callback_factory.h:607:9
    #14 0x560ce5511f53 in pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::Dispatcher0<void (PaintManager::*)(int)> >::Thunk(void*, int) ppapi/utility/completion_callback_factory.h:584
    #15 0x560cd96acf6c in PP_RunCompletionCallback ppapi/c/pp_completion_callback.h:240:3
    #16 0x560cd96acf6c in CallWhileUnlocked<void, PP_CompletionCallback *, int, PP_CompletionCallback *, int> ppapi/shared_impl/proxy_lock.h:135
    #17 0x560cd96acf6c in ppapi::TrackedCallback::Run(int) ppapi/shared_impl/
    #18 0x560ce253066c in Run base/callback.h:94:12
    #19 0x560ce253066c in DispatchResourceReplyImpl<base::RepeatingCallback<void (const ppapi::proxy::ResourceMessageReplyParams &)> &, std::__1::tuple<>> ppapi/proxy/dispatch_reply_message.h:56
    #20 0x560ce253066c in DispatchResourceReply<base::RepeatingCallback<void (const ppapi::proxy::ResourceMessageReplyParams &)> &, std::__1::tuple<> > ppapi/proxy/dispatch_reply_message.h:69
    #21 0x560ce253066c in DispatchResourceReplyOrDefaultParams<IPC::MessageT<PpapiPluginMsg_Graphics2D_FlushAck_Meta>, base::RepeatingCallback<void (const ppapi::proxy::ResourceMessageReplyParams &)> &> ppapi/proxy/dispatch_reply_message.h:152
    #22 0x560ce253066c in ppapi::proxy::PluginResourceCallback<IPC::MessageT<PpapiPluginMsg_Graphics2D_FlushAck_Meta, std::__1::tuple<>, void>, base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)> >::Run(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ppapi/proxy/plugin_resource_callback.h:39
    #23 0x560ce2445718 in ppapi::proxy::PluginResource::OnReplyReceived(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ppapi/proxy/
    #24 0x560ce244381f in ppapi::proxy::PluginMessageFilter::DispatchResourceReply(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ppapi/proxy/
    #25 0x560cd4638fb4 in Run base/callback.h:65:12
    #26 0x560cd4638fb4 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/
    #27 0x560cd46aaf9e in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/
    #28 0x560cd46ac5ba in DeferOrRunPendingTask base/message_loop/
    #29 0x560cd46ac5ba in base::MessageLoop::DoWork() base/message_loop/
    #30 0x560cd46b515f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/
    #31 0x560cd47415ce in base::RunLoop::Run() base/
    #32 0x560cd37158e6 in content::PpapiPluginMain(content::MainFunctionParams const&) content/ppapi_plugin/
    #33 0x560cd3a797b9 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/
    #34 0x560cd3a7d558 in content::ContentMainRunnerImpl::Run() content/app/
    #35 0x560cd3aa6c1c in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/
    #36 0x560cd3a78e43 in content::ContentMain(content::ContentMainParams const&) content/app/
    #37 0x560ccd2c9d26 in ChromeMain chrome/app/
    #38 0x7f4d11d1c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:805:42 in CFX_ImageTransformer::Continue(IFX_PauseIndicator*)

Note: I found this issue using pdfium_fuzzer, which is bundled in the Chromium source code. pdfium_fuzzer reports this issue as a use-after-free instead of a SEGV.

Running: head-use-after-free-FXImageTransformerContinue.pdf
==15423==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbaa7ad35b4 at pc 0x0000031a833e bp 0x7fff67a70770 sp 0x7fff67a70768
READ of size 1 at 0x7fbaa7ad35b4 thread T0
    #0 0x31a833d in CFX_ImageTransformer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:805:42
    #1 0x319121c in CFX_ImageRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fxge/dib/cfx_imagerenderer.cpp:95:23
    #2 0x2e605d3 in CPDF_ImageRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:544:48
    #3 0x2e2ae3a in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1108:27
    #4 0x2e22820 in CPDF_ProgressiveRenderer::Continue(IFX_PauseIndicator*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #5 0x2a884e6 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/fpdfview.cpp:129:26
0x7fbaa7ad35b4 is located 15796 bytes inside of 196608-byte region [0x7fbaa7acf800,0x7fbaa7aff800)
freed by thread T0 here:
    #0 0xa70562 in __interceptor_free /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/
    #1 0x3196f79 in PartitionFree third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:755:3
    #2 0x3196f79 in FX_Free third_party/pdfium/core/fxcrt/fx_memory.h:116
    #3 0x3196f79 in operator() third_party/pdfium/core/fxcrt/fx_memory.h:136
    #4 0x3196f79 in reset buildtools/third_party/libc++/trunk/include/memory:2546
    #5 0x3196f79 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2500
    #6 0x3196f79 in CFX_ImageStretcher::~CFX_ImageStretcher() third_party/pdfium/core/fxge/dib/cfx_imagestretcher.cpp:63
previously allocated by thread T0 here:
    #0 0xa708a3 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/
    #1 0x3197f18 in PartitionAllocGenericFlags third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:787:18
    #2 0x3197f18 in FX_SafeAlloc third_party/pdfium/core/fxcrt/fx_memory.h:46
    #3 0x3197f18 in FX_AllocOrDie third_party/pdfium/core/fxcrt/fx_memory.h:67
    #4 0x3197f18 in CFX_ImageStretcher::StartQuickStretch() third_party/pdfium/core/fxge/dib/cfx_imagestretcher.cpp:163
    #5 0x3197a9c in CFX_ImageStretcher::Start() third_party/pdfium/core/fxge/dib/cfx_imagestretcher.cpp:122:12
    #6 0x3199d39 in CFX_ImageTransformer::CFX_ImageTransformer(fxcrt::RetainPtr<CFX_DIBSource> const&, CFX_Matrix const*, int, FX_RECT const*) third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:240:16
SUMMARY: AddressSanitizer: heap-use-after-free third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:805:42 in CFX_ImageTransformer::Continue(IFX_PauseIndicator*)

Adding the promised attachment.
Attachment: 916 bytes

Comment 2 by ClusterFuzz, Dec 1

ClusterFuzz is analyzing your testcase. Developers can follow the progress at
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Pri-1
Thanks for the report. thestig/dsinclair could you ptal? I'm not sure which versions of Chrome this affects yet.

Comment 5 by, Dec 2

Status: Assigned
Labels: Security_Impact-Stable M-62
It's unclear which versions this affects so tentatively marking stable impact.
Fit to page works for me at 1920x1200, but not at 1280x800. The easiest way to do fit-to-page is to just press Ctrl + \.

CFX_ImageTransformer::Continue() is a bit hairy, so this is the start of a set of refactoring CLs to untangle it.
Assigning to thestig@ while refactoring is in process. Feel free to assign back when done.
This is due to undefined behavior. It looks like bug 702041, but for CFX_BilinearMatrix's parent class. I wonder, though, was it really necessary to fix the issue with CheckedNumeric? Maybe switching to floating point math would work too?
Status: Started
This is my attempt at fixing this and simplifying the other transform.

You know it's undefined behavior when:
1) Adding a printf() makes the crash go away.
2) Another printf() shows the src_row as negative, when there exists a check to make sure it's not. The only way to blow through it is via compiler optimization magic.

Comment 11 by, Dec 5

The following revision refers to this bug:

commit 099fc90d25059f19919471301f459949c566846f
Author: Lei Zhang <>
Date: Tue Dec 05 20:26:33 2017

Avoid integer overflows in CPDF_FixedMatrix::Transform().

Use floating point math and saturated_cast to calculate the transform.
Refactor CFX_BilinearMatrix::Transform() to share common code, instead
of using integer math and CheckedNumerics.

BUG= chromium:791048 

Change-Id: Ib3812b3b3b9373a8eb3b1dde12cb28d424e0bb3e
Reviewed-by: Tom Sepez <>
Reviewed-by: dsinclair <>
Commit-Queue: Lei Zhang <>
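The undefined-behavior explanation in the earlier comments (a negative src_row showing up past a check that should exclude it) and the approach in the commit above (floating point math plus saturated_cast instead of integer math with CheckedNumeric) are easier to see side by side. The following is an added example, not PDFium's code and not part of this bug's discussion: a simplified fixed-point affine matrix (kBase, FixedMatrix and all function names are assumptions, loosely modeled on the idea of CPDF_FixedMatrix) with the overflow-prone integer transform, a CheckedNumeric-style checked version, the float-plus-saturation version, and the bounds check a caller would make on the resulting row.

```cpp
#include <climits>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Hypothetical, simplified fixed-point affine matrix: coefficients are
// integers scaled by kBase. Added illustration, not PDFium's code.
constexpr int kBase = 256;

struct FixedMatrix {
  // x' = (a*x + c*y + e) / kBase,  y' = (b*x + d*y + f) / kBase
  int a, b, c, d, e, f;
};

// Shape of the original bug: plain int arithmetic. With a large scale factor
// and large coordinates, a*x overflows, which is undefined behavior for
// signed int. The compiler may then assume it never happens and drop a later
// "row >= 0" check, which matches the printf() observation in the comments.
// Only called here with small inputs; it exists to show the shape.
int TransformUnsafeX(const FixedMatrix& m, int x, int y) {
  return (m.a * x + m.c * y + m.e + kBase / 2) / kBase;
}

static bool FitsInt(int64_t v) { return v >= INT_MIN && v <= INT_MAX; }

// CheckedNumeric-style version (the approach of the earlier bug 702041 fix):
// every intermediate must fit in int, otherwise the whole result is invalid.
bool TransformChecked(const FixedMatrix& m, int x, int y, int* out_x, int* out_y) {
  const int64_t terms_x[] = {int64_t{m.a} * x, int64_t{m.c} * y, m.e, kBase / 2};
  const int64_t terms_y[] = {int64_t{m.b} * x, int64_t{m.d} * y, m.f, kBase / 2};
  int64_t sx = 0, sy = 0;
  for (int i = 0; i < 4; ++i) {
    if (!FitsInt(terms_x[i]) || !FitsInt(terms_y[i])) return false;
    sx += terms_x[i];
    sy += terms_y[i];
    if (!FitsInt(sx) || !FitsInt(sy)) return false;
  }
  *out_x = static_cast<int>(sx / kBase);
  *out_y = static_cast<int>(sy / kBase);
  return true;
}

// Approach of the fix: do the math in floating point, where overflow is not
// UB, then clamp to the int range (what a saturated cast does).
int SaturatedCastToInt(double v) {
  if (std::isnan(v)) return 0;
  if (v >= static_cast<double>(INT_MAX)) return INT_MAX;
  if (v <= static_cast<double>(INT_MIN)) return INT_MIN;
  return static_cast<int>(v);  // truncates toward zero, like int division
}

void TransformFloat(const FixedMatrix& m, int x, int y, int* out_x, int* out_y) {
  const double fx = x, fy = y;
  *out_x = SaturatedCastToInt((m.a * fx + m.c * fy + m.e + kBase / 2.0) / kBase);
  *out_y = SaturatedCastToInt((m.b * fx + m.d * fy + m.f + kBase / 2.0) / kBase);
}

// The caller-side check that UB can defeat in the unsafe version. With
// saturated results an overflowed coordinate lands on INT_MAX or INT_MIN and
// is rejected instead of being used to index freed or unrelated memory.
bool SourceRowInBounds(int row, int height) {
  return row >= 0 && row < height;
}

int main() {
  const FixedMatrix identity{kBase, 0, 0, kBase, 0, 0};
  int x = 0, y = 0;
  TransformFloat(identity, 10, 20, &x, &y);
  std::printf("identity: (%d, %d)\n", x, y);

  // Scale of 2^30/256 applied to x = 2^30: a*x = 2^60, far outside int range.
  const FixedMatrix huge{1 << 30, 0, 0, kBase, 0, 0};
  const bool ok = TransformChecked(huge, 1 << 30, 5, &x, &y);
  std::printf("checked: %s\n", ok ? "valid" : "overflow, result invalid");
  TransformFloat(huge, 1 << 30, 5, &x, &y);
  std::printf("saturated: x=%d, in bounds=%d\n", x, SourceRowInBounds(x, 1000));
  return 0;
}
```

Building the unsafe variant with -fsanitize=undefined flags the signed overflow if it is ever fed inputs like the huge matrix above; the checked variant reports the overflow explicitly, and the float variant yields INT_MAX or INT_MIN, which the bounds check rejects.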


Status: Fixed
Still waiting for a DEPS roll before this is actually fixed in Chromium.

Comment 13 by, Dec 5

The following revision refers to this bug:

commit 574b1c70e4a094b8257994a1c21a7d86ec037f9a
Author: <>
Date: Tue Dec 05 22:03:42 2017

Roll src/third_party/pdfium/ 12ec6760a..c45271e05 (3 commits)

$ git log 12ec6760a..c45271e05 --date=short --no-merges --format='%ad %ae %s'
2017-12-05 thestig Remove redundant field in struct FXCMAP_CMap.
2017-12-05 thestig Fix CXFA_SimpleParser member destruction order.
2017-12-05 thestig Avoid integer overflows in CPDF_FixedMatrix::Transform().

Created with:
  roll-dep src/third_party/pdfium
BUG= 791616 , 791048 

The AutoRoll server is located here:

Documentation for the AutoRoller is here:

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

Change-Id: Id9a3a2c72218d95099dc5a350d51e2050758e565
Reviewed-by: <>
Commit-Queue: <>
Cr-Commit-Position: refs/heads/master@{#521848}


Comment 14 by, Dec 6

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Hi! The VRP Panel decided to award $1,000 for this report. They'd be willing to look again if there's a demonstration of how it can be exploited. Cheers!
Labels: -reward-unpaid reward-inprocess
Labels: -M-62 M-65

Comment 20 by, Feb 8

Labels: Merge-Request-65

Comment 21 by, Feb 9

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit - Your friendly Sheriffbot
Please apply the appropriate OS label. Thank you.

+awhalley@ for M65 merge review.
Labels: -Hotlist-Merge-Review -Merge-Review-65
Wait, why is sheriffbot requesting an M65 merge? r521848 landed before the M65 branch cut.
Labels: Release-0-M65
Labels: CVE-2018-6072

Comment 26 by, Mar 14

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
