Issue 794492

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security




Security: pdfium: out-of-bounds read with nested colorspaces

Project Member Reported by markbrand@google.com, Dec 13 2017

Issue description

VULNERABILITY DETAILS

The PDF specification allows multiple methods of specifying the colorspace to be used for rendering a drawing, several of which allow the "nesting" of different colorspaces. In all of these cases, the specification places restrictions on the "nestings" which are allowed, usually requiring that the nested colorspace is not a pattern-type colorspace.

This requirement is not enforced in pdfium, which provides some interesting opportunities. The implementation of all standard colorspaces provides the following API

CPDF_ColorSpace::GetRGB(float* pBuf, float* R, float *G, float* B)

in which pBuf is a pointer to a buffer large enough to contain one float for every component of the colorspace. 

However, for pattern colorspaces the semantics of this method are different

bool CPDF_PatternCS::GetRGB(float* pBuf, float* R, float* G, float* B) const {
  if (m_pBaseCS) {
    ASSERT(m_pBaseCS->GetFamily() != PDFCS_PATTERN);
    PatternValue* pvalue = (PatternValue*)pBuf;
    if (m_pBaseCS->GetRGB(pvalue->m_Comps, R, G, B))
      return true;
  }
  *R = 0.75f;
  *G = 0.75f;
  *B = 0.75f;
  return false;
}

where this input float array is cast to an object of type PatternValue.

By nesting colorspaces, we can create a situation where this input buffer is smaller than a PatternValue, and then the base colorspace of our pattern colorspace can process out-of-bounds memory as its input components.

The attached PDF triggers an oob-read under ASAN on the latest chrome-linux-asan build. 

It should be possible to use this to leak heap memory (at least to the screen), but I haven't tried to put together a heap groom to get any interesting data following the allocation.

The PoC works by creating an ICCBased colorspace with a pattern colorspace backed by a devicen colorspace as the alternate colorspace 

<<
  /N 4
  /Alternate [/Pattern [/DeviceN [/Col0 /Col1 /Col2] /DeviceRGB ...]]
...
>>

and then configuring this colorspace and setting the fill color, triggering the out-of-bounds read. The devicen colorspace provides a function mapping the input components to the devicergb colorspace via a simple postscript function.

There are several other related paths which lead to potentially undesirable behavior caused by nesting pattern colorspaces, including some reads of uninitialised stack memory, but I didn't see a path to memory corruption.

Reporting without applying the 90-day deadline since I'm not terribly interested in figuring out the nuts and bolts of leaking these colors back in some useful way.

VERSION
Chrome Version: Version 65.0.3293.0 (Developer Build) (64-bit)
Operating System: Debian

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: pdfium process
Crash State: 

=================================================================
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000014f24 at pc 0x564a792c1ab7 bp 0x7ffeb03191b0 sp 0x7ffeb03191a8
READ of size 4 at 0x602000014f24 thread T0 (chrome)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
    #0 0x564a792c1ab6 in operator() ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:719:67
    #1 0x564a792c1ab6 in max<float, std::__1::__less<float, float> > ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:2711:0
    #2 0x564a792c1ab6 in max<float> ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:2719:0
    #3 0x564a792c1ab6 in float const& pdfium::clamp<float>(float const&, float const&, float const&) ./out/Debug/../../third_party/pdfium/third_party/base/stl_util.h:74:0
    #4 0x564a79490cc9 in CPDF_Function::Call(float*, unsigned int, float*, int*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_function.cpp:114:9
    #5 0x564a793fc5e1 in (anonymous namespace)::CPDF_DeviceNCS::GetRGB(float*, float*, float*, float*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorspace.cpp:1193:12
    #6 0x564a794cf4c5 in CPDF_PatternCS::GetRGB(float*, float*, float*, float*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_patterncs.cpp:53:20
    #7 0x564a793f54fe in (anonymous namespace)::CPDF_ICCBasedCS::GetRGB(float*, float*, float*, float*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorspace.cpp:868:24
    #8 0x564a793e585b in CPDF_Color::GetRGB(int*, int*, int*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_color.cpp:150:15
    #9 0x564a79402b6a in CPDF_ColorState::SetColor(CPDF_Color&, unsigned int&, CPDF_ColorSpace*, float*, unsigned int) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorstate.cpp:140:15
    #10 0x564a794028d8 in CPDF_ColorState::SetFillColor(CPDF_ColorSpace*, float*, unsigned int) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorstate.cpp:76:3
    #11 0x564a79511584 in CPDF_StreamContentParser::Handle_SetColor_Fill() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1034:30
    #12 0x564a79513f8c in CPDF_StreamContentParser::OnOperator(fxcrt::StringViewTemplate<char> const&) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:566:5
    #13 0x564a79523878 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1530:9
    #14 0x564a794845af in CPDF_ContentParser::Continue(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_contentparser.cpp:170:24
    #15 0x564a794c5b85 in CPDF_PageObjectHolder::ContinueParse(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_pageobjectholder.cpp:40:18
    #16 0x564a794b6a6f in CPDF_Page::ParseContent() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_page.cpp:91:3
    #17 0x564a791fca58 in FPDF_LoadPage ./out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:714:10
    #18 0x564a790aee48 in chrome_pdf::PDFiumPage::GetPage() ./out/Debug/../../pdf/pdfium/pdfium_page.cc:130:13
    #19 0x564a790b8d40 in chrome_pdf::PDFiumPage::GetPageFeatures() ./out/Debug/../../pdf/pdfium/pdfium_page.cc:580:20
    #20 0x564a78fc0bc5 in chrome_pdf::PDFiumEngine::CalculateVisiblePages() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3129:55
    #21 0x564a78fbdd79 in chrome_pdf::PDFiumEngine::PluginSizeUpdated(pp::Size const&) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:1035:3
    #22 0x564a78f4c5b0 in chrome_pdf::OutOfProcessInstance::OnGeometryChanged(double, float) ./out/Debug/../../pdf/out_of_process_instance.cc:1712:12
    #23 0x564a78f5bef8 in chrome_pdf::OutOfProcessInstance::DocumentSizeUpdated(pp::Size const&) ./out/Debug/../../pdf/out_of_process_instance.cc:1197:3
    #24 0x564a78fd0072 in chrome_pdf::PDFiumEngine::LoadPageInfo(bool) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3057:14
    #25 0x564a790103de in chrome_pdf::PDFiumEngine::LoadPages() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3085:5
    #26 0x564a78fd2e75 in chrome_pdf::PDFiumEngine::LoadBody() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3074:3
    #27 0x564a7900e9d5 in chrome_pdf::PDFiumEngine::ContinueLoadingDocument(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:2988:3
    #28 0x564a78fd251f in chrome_pdf::PDFiumEngine::LoadDocument() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:2905:5
    #29 0x564a78fd4406 in chrome_pdf::PDFiumEngine::OnDocumentComplete() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:1257:3
    #30 0x564a79068091 in chrome_pdf::DocumentLoader::ReadComplete() ./out/Debug/../../pdf/document_loader.cc:383:14
    #31 0x564a79068bfc in chrome_pdf::DocumentLoader::DidRead(int) ./out/Debug/../../pdf/document_loader.cc:318:12
    #32 0x564a7906ddf7 in pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::DocumentLoader::*)(int)>::operator()(chrome_pdf::DocumentLoader*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:607:9
    #33 0x564a7906da84 in pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::DocumentLoader::*)(int)> >::Thunk(void*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:584:7
    #34 0x564a67287dd4 in PP_RunCompletionCallback(PP_CompletionCallback*, int) ./out/Debug/../../ppapi/c/pp_completion_callback.h:240:3
    #35 0x564a790a55a5 in PP_RunAndClearCompletionCallback(PP_CompletionCallback*, int) ./out/Debug/../../ppapi/c/pp_completion_callback.h:282:3
    #36 0x564a790a4da3 in pp::CompletionCallback::RunAndClear(int) ./out/Debug/../../ppapi/cpp/completion_callback.h:99:5
    #37 0x564a7909bfac in chrome_pdf::URLLoaderWrapperImpl::DidRead(int) ./out/Debug/../../pdf/url_loader_wrapper_impl.cc:282:24
    #38 0x564a790a63b7 in pp::CompletionCallbackFactory<chrome_pdf::URLLoaderWrapperImpl, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::URLLoaderWrapperImpl::*)(int)>::operator()(chrome_pdf::URLLoaderWrapperImpl*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:607:9
    #39 0x564a790a6044 in pp::CompletionCallbackFactory<chrome_pdf::URLLoaderWrapperImpl, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::URLLoaderWrapperImpl, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::URLLoaderWrapperImpl::*)(int)> >::Thunk(void*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:584:7
    #40 0x7f17d95d70d4 in PP_RunCompletionCallback(PP_CompletionCallback*, int) ./out/Debug/../../ppapi/c/pp_completion_callback.h:240:3
    #41 0x7f17d95d6fba in void ppapi::CallWhileUnlocked<void, PP_CompletionCallback*, int, PP_CompletionCallback*, int>(void (*)(PP_CompletionCallback*, int), PP_CompletionCallback* const&, int const&) ./out/Debug/../../ppapi/shared_impl/proxy_lock.h:135:10
    #42 0x7f17d95d30f9 in ppapi::TrackedCallback::Run(int) ./out/Debug/../../ppapi/shared_impl/tracked_callback.cc:141:7
    #43 0x7f17d95d865d in void base::internal::FunctorTraits<void (ppapi::TrackedCallback::*)(int), void>::Invoke<scoped_refptr<ppapi::TrackedCallback> const&, int const&>(void (ppapi::TrackedCallback::*)(int), scoped_refptr<ppapi::TrackedCallback> const&, int const&) ./out/Debug/../../base/bind_internal.h:211:12
    #44 0x7f17d95d8292 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (ppapi::TrackedCallback::* const&)(int), scoped_refptr<ppapi::TrackedCallback> const&, int const&>(void (ppapi::TrackedCallback::* const&)(int), scoped_refptr<ppapi::TrackedCallback> const&, int const&) ./out/Debug/../../base/bind_internal.h:294:12
    #45 0x7f17d95d805b in void base::internal::Invoker<base::internal::BindState<void (ppapi::TrackedCallback::*)(int), scoped_refptr<ppapi::TrackedCallback>, int>, void ()>::RunImpl<void (ppapi::TrackedCallback::* const&)(int), std::__1::tuple<scoped_refptr<ppapi::TrackedCallback>, int> const&, 0ul, 1ul>(void (ppapi::TrackedCallback::* const&)(int), std::__1::tuple<scoped_refptr<ppapi::TrackedCallback>, int> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) ./out/Debug/../../base/bind_internal.h:368:12
    #46 0x7f17d95d7f22 in base::internal::Invoker<base::internal::BindState<void (ppapi::TrackedCallback::*)(int), scoped_refptr<ppapi::TrackedCallback>, int>, void ()>::Run(base::internal::BindStateBase*) ./out/Debug/../../base/bind_internal.h:350:12
    #47 0x7f17d959a206 in base::RepeatingCallback<void ()>::Run() const & ./out/Debug/../../base/callback.h:94:12
    #48 0x7f17d95ce1a2 in ppapi::internal::RunWhileLockedHelper<void ()>::CallWhileLocked(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >) ./out/Debug/../../ppapi/shared_impl/proxy_lock.h:205:22
    #49 0x7f17d95cef4a in void base::internal::FunctorTraits<void (*)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), void>::Invoke<std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > >(void (*)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >&&) ./out/Debug/../../base/bind_internal.h:166:12
    #50 0x7f17d95cebe3 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (* const&)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > >(void (* const&)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >&&) ./out/Debug/../../base/bind_internal.h:294:12
    #51 0x7f17d95ce987 in void base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), base::internal::PassedWrapper<std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > > >, void ()>::RunImpl<void (* const&)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), std::__1::tuple<base::internal::PassedWrapper<std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > > > const&, 0ul>(void (* const&)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), std::__1::tuple<base::internal::PassedWrapper<std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > > > const&, std::__1::integer_sequence<unsigned long, 0ul>) ./out/Debug/../../base/bind_internal.h:368:12
    #52 0x7f17d95ce792 in base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > >), base::internal::PassedWrapper<std::__1::unique_ptr<ppapi::internal::RunWhileLockedHelper<void ()>, std::__1::default_delete<ppapi::internal::RunWhileLockedHelper<void ()> > > > >, void ()>::Run(base::internal::BindStateBase*) ./out/Debug/../../base/bind_internal.h:350:12
    #53 0x7f180411808f in base::OnceCallback<void ()>::Run() && ./out/Debug/../../base/callback.h:65:12
    #54 0x7f1804232a26 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./out/Debug/../../base/debug/task_annotator.cc:55:33
    #55 0x7f1804434e8a in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) ./out/Debug/../../base/message_loop/incoming_task_queue.cc:128:19
    #56 0x7f180445076e in base::MessageLoop::RunTask(base::PendingTask*) ./out/Debug/../../base/message_loop/message_loop.cc:391:25
    #57 0x7f18044510cc in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ./out/Debug/../../base/message_loop/message_loop.cc:403:5
    #58 0x7f1804451a30 in base::MessageLoop::DoWork() ./out/Debug/../../base/message_loop/message_loop.cc:447:16
    #59 0x7f1804474d6b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./out/Debug/../../base/message_loop/message_pump_default.cc:37:31
    #60 0x7f180444eced in base::MessageLoop::Run(bool) ./out/Debug/../../base/message_loop/message_loop.cc:342:12
    #61 0x7f18046d6c77 in base::RunLoop::Run() ./out/Debug/../../base/run_loop.cc:130:14
    #62 0x7f17ea656e2e in content::PpapiPluginMain(content::MainFunctionParams const&) ./out/Debug/../../content/ppapi_plugin/ppapi_plugin_main.cc:160:19
    #63 0x7f17f575adcf in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) ./out/Debug/../../content/app/content_main_runner.cc:356:14
    #64 0x7f17f575c8a9 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ./out/Debug/../../content/app/content_main_runner.cc:436:12
    #65 0x7f17f57655d1 in content::ContentMainRunnerImpl::Run() ./out/Debug/../../content/app/content_main_runner.cc:705:12
    #66 0x7f17f57475b5 in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() ./out/Debug/../../content/app/content_service_manager_main_delegate.cc:51:32
    #67 0x7f180543d479 in service_manager::Main(service_manager::MainParams const&) ./out/Debug/../../services/service_manager/embedder/main.cc:456:29
    #68 0x7f17f5759cef in content::ContentMain(content::ContentMainParams const&) ./out/Debug/../../content/app/content_main.cc:19:10
    #69 0x564a624546b7 in ChromeMain ./out/Debug/../../chrome/app/chrome_main.cc:127:12
    #70 0x564a6245428e in main ./out/Debug/../../chrome/app/chrome_exe_main_aura.cc:17:10
    #71 0x7f17a73322b0 in __libc_start_main ??:0:0

0x602000014f24 is located 4 bytes to the right of 16-byte region [0x602000014f10,0x602000014f20)
allocated by thread T0 (chrome) here:
    #0 0x564a62424ea3 in __interceptor_malloc _asan_rtl_:3
    #1 0x564a790f411c in pdfium::base::PartitionAllocGenericFlags(pdfium::base::PartitionRootGeneric*, int, unsigned long, char const*) ./out/Debug/../../third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:786:18
    #2 0x564a790f3e43 in FX_SafeAlloc(unsigned long, unsigned long) ./out/Debug/../../third_party/pdfium/core/fxcrt/fx_memory.h:46:18
    #3 0x564a790f3abb in FX_AllocOrDie(unsigned long, unsigned long) ./out/Debug/../../third_party/pdfium/core/fxcrt/fx_memory.h:67:22
    #4 0x564a793e9bfe in CPDF_ColorSpace::CreateBuf() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorspace.cpp:484:35
    #5 0x564a793e47d5 in CPDF_Color::SetColorSpace(CPDF_ColorSpace*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_color.cpp:72:22
    #6 0x564a7950ee3f in CPDF_StreamContentParser::Handle_SetColorSpace_Fill() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:696:53
    #7 0x564a79513f8c in CPDF_StreamContentParser::OnOperator(fxcrt::StringViewTemplate<char> const&) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:566:5
    #8 0x564a79523878 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp:1530:9
    #9 0x564a794845af in CPDF_ContentParser::Continue(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_contentparser.cpp:170:24
    #10 0x564a794c5b85 in CPDF_PageObjectHolder::ContinueParse(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_pageobjectholder.cpp:40:18
    #11 0x564a794b6a6f in CPDF_Page::ParseContent() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_page.cpp:91:3
    #12 0x564a791fca58 in FPDF_LoadPage ./out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:714:10
    #13 0x564a790aee48 in chrome_pdf::PDFiumPage::GetPage() ./out/Debug/../../pdf/pdfium/pdfium_page.cc:130:13
    #14 0x564a790b8d40 in chrome_pdf::PDFiumPage::GetPageFeatures() ./out/Debug/../../pdf/pdfium/pdfium_page.cc:580:20
    #15 0x564a78fc0bc5 in chrome_pdf::PDFiumEngine::CalculateVisiblePages() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3129:55
    #16 0x564a78fbdd79 in chrome_pdf::PDFiumEngine::PluginSizeUpdated(pp::Size const&) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:1035:3
    #17 0x564a78f4c5b0 in chrome_pdf::OutOfProcessInstance::OnGeometryChanged(double, float) ./out/Debug/../../pdf/out_of_process_instance.cc:1712:12
    #18 0x564a78f5bef8 in chrome_pdf::OutOfProcessInstance::DocumentSizeUpdated(pp::Size const&) ./out/Debug/../../pdf/out_of_process_instance.cc:1197:3
    #19 0x564a78fd0072 in chrome_pdf::PDFiumEngine::LoadPageInfo(bool) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3057:14
    #20 0x564a790103de in chrome_pdf::PDFiumEngine::LoadPages() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3085:5
    #21 0x564a78fd2e75 in chrome_pdf::PDFiumEngine::LoadBody() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3074:3
    #22 0x564a7900e9d5 in chrome_pdf::PDFiumEngine::ContinueLoadingDocument(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:2988:3
    #23 0x564a78fd251f in chrome_pdf::PDFiumEngine::LoadDocument() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:2905:5
    #24 0x564a78fd4406 in chrome_pdf::PDFiumEngine::OnDocumentComplete() ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:1257:3
    #25 0x564a79068091 in chrome_pdf::DocumentLoader::ReadComplete() ./out/Debug/../../pdf/document_loader.cc:383:14
    #26 0x564a79068bfc in chrome_pdf::DocumentLoader::DidRead(int) ./out/Debug/../../pdf/document_loader.cc:318:12
    #27 0x564a7906ddf7 in pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::DocumentLoader::*)(int)>::operator()(chrome_pdf::DocumentLoader*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:607:9
    #28 0x564a7906da84 in pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<chrome_pdf::DocumentLoader, pp::ThreadSafeThreadTraits>::Dispatcher0<void (chrome_pdf::DocumentLoader::*)(int)> >::Thunk(void*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:584:7
    #29 0x564a67287dd4 in PP_RunCompletionCallback(PP_CompletionCallback*, int) ./out/Debug/../../ppapi/c/pp_completion_callback.h:240:3

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/markbrand/tmp/asan-linux-debug-523440/chrome+0x1bd27ab6)
==1==ABORTING


Client ID (if relevant): [see link above]

Attachment: poc.pdf (1.5 KB)
Project Member Comment 1 by ClusterFuzz, Dec 13 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6665096393916416.

Comment 2 by cthomp@chromium.org, Dec 13 2017

Components: Internals>Plugins>PDF

Comment 3 by cthomp@chromium.org, Dec 13 2017

Labels: Security_Severity-Medium Security_Impact-Head OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Available (was: Unconfirmed)
Project Member Comment 4 by sheriffbot@chromium.org, Dec 14 2017

Labels: M-64
Project Member Comment 5 by sheriffbot@chromium.org, Dec 14 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 6 by sheriffbot@chromium.org, Dec 14 2017

Labels: Pri-1
Owner: hnakashima@chromium.org
Status: Assigned (was: Available)
Status: Started (was: Assigned)
Good catch. Able to repro this locally with asan.

Some restrictions we have to add:
- ICC color spaces cannot have a Pattern color space as Alternate
- Separation and DeviceN color spaces cannot have a special color space as Alternate. Special color spaces are {Separation, DeviceN, Indexed and Pattern}
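The nesting the report describes (ICCBased with /N 4 wrapping a Pattern backed by a DeviceN) and the restrictions listed for the fix, as an added example that is not pdfium's code: a small model of a colour-space chain that rejects the disallowed nestings and checks whether the per-colour buffer allocated for the outer space is large enough for the PatternValue cast in CPDF_PatternCS::GetRGB. Type and function names (ColorSpace, ValidateNesting, BufferFitsPatternValue) are hypothetical, PatternValue is a simplified stand-in with the same shape as the real struct, and the rule that a top-level Pattern space gets a whole PatternValue as its buffer is an assumption about the allocator.

```cpp
// Added example, not pdfium code: models PDF colour-space nesting, enforces the
// alternate-space restrictions from the fix, and shows the buffer-size mismatch
// behind the reported out-of-bounds read. Names here are hypothetical.
#include <cstddef>
#include <memory>

enum class Family { DeviceGray, DeviceRGB, DeviceCMYK, ICCBased,
                    Separation, DeviceN, Indexed, Pattern };

struct ColorSpace {
  Family family;
  int nComps;                          // components this space takes as input
  std::shared_ptr<ColorSpace> nested;  // /Alternate for ICCBased/Separation/DeviceN,
                                       // base space for Indexed/Pattern, null otherwise
};

// Simplified stand-in for the PatternValue that GetRGB casts pBuf to: a pattern
// pointer plus a component array, so it is much larger than a few floats.
struct PatternValue {
  const void* pattern = nullptr;
  int nComps = 0;
  float comps[16] = {};
};

static bool IsSpecial(Family f) {
  return f == Family::Separation || f == Family::DeviceN ||
         f == Family::Indexed || f == Family::Pattern;
}

// The two rules from the fix, plus the invariant the ASSERT in
// CPDF_PatternCS::GetRGB expresses (a Pattern's base is never a Pattern).
// Returns false if any link in the chain violates a rule.
bool ValidateNesting(const ColorSpace& cs) {
  if (!cs.nested) return true;
  const Family alt = cs.nested->family;
  if (cs.family == Family::ICCBased && alt == Family::Pattern) return false;
  if ((cs.family == Family::Separation || cs.family == Family::DeviceN) &&
      IsSpecial(alt)) return false;
  if (cs.family == Family::Pattern && alt == Family::Pattern) return false;
  return ValidateNesting(*cs.nested);
}

// Bytes allocated for one colour in the outermost space: one float per
// component, as the report states. Giving a top-level Pattern space a whole
// PatternValue is an assumption about the allocator, not taken from the page.
size_t ColorBufBytes(const ColorSpace& outer) {
  if (outer.family == Family::Pattern) return sizeof(PatternValue);
  return static_cast<size_t>(outer.nComps) * sizeof(float);
}

// Defensive check implied by the report: if a Pattern space appears anywhere in
// the chain, the buffer handed down to it must hold a full PatternValue.
bool BufferFitsPatternValue(const ColorSpace& outer) {
  const size_t bytes = ColorBufBytes(outer);
  for (const ColorSpace* p = &outer; p; p = p->nested.get()) {
    if (p->family == Family::Pattern) return bytes >= sizeof(PatternValue);
  }
  return true;  // no Pattern in the chain, so no cast happens
}

// Constructed inputs.
// The chain from the report: ICCBased /N 4 -> /Pattern -> /DeviceN (3) -> /DeviceRGB.
std::shared_ptr<ColorSpace> MakeReportedNesting() {
  auto rgb  = std::make_shared<ColorSpace>(ColorSpace{Family::DeviceRGB, 3, nullptr});
  auto devn = std::make_shared<ColorSpace>(ColorSpace{Family::DeviceN, 3, rgb});
  auto pat  = std::make_shared<ColorSpace>(ColorSpace{Family::Pattern, 1, devn});
  return std::make_shared<ColorSpace>(ColorSpace{Family::ICCBased, 4, pat});
}

// An ordinary ICCBased space whose /Alternate is a device space.
std::shared_ptr<ColorSpace> MakeValidIccNesting() {
  auto rgb = std::make_shared<ColorSpace>(ColorSpace{Family::DeviceRGB, 3, nullptr});
  return std::make_shared<ColorSpace>(ColorSpace{Family::ICCBased, 3, rgb});
}

// An uncoloured pattern used at top level: [/Pattern /DeviceRGB].
std::shared_ptr<ColorSpace> MakeTopLevelPattern() {
  auto rgb = std::make_shared<ColorSpace>(ColorSpace{Family::DeviceRGB, 3, nullptr});
  return std::make_shared<ColorSpace>(ColorSpace{Family::Pattern, 1, rgb});
}
```

For the reported chain the outer ICCBased space allocates 4 floats (16 bytes, matching the 16-byte region in the ASAN report), which is far smaller than a PatternValue, so both checks reject it, while the two well-formed chains pass.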
Project Member Comment 9 by bugdroid1@chromium.org, Dec 14 2017

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/d92073b756277d2d4c9c839dd5ac8fa0e8bb9e28

commit d92073b756277d2d4c9c839dd5ac8fa0e8bb9e28
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Thu Dec 14 22:42:13 2017

Add restrictions to alternate color spaces.

- ICC color spaces cannot have a Pattern color space as Alternate
- Separation and DeviceN color spaces cannot have a special color space
as Alternate. Special color spaces are {Separation, DeviceN, Indexed and
Pattern}.

Bug: chromium:794492
Change-Id: Ia2199382c759d8d1d13c605c22d6495e935265ad
Reviewed-on: https://pdfium-review.googlesource.com/21310
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/d92073b756277d2d4c9c839dd5ac8fa0e8bb9e28/core/fpdfapi/page/cpdf_colorspace.cpp
[modify] https://crrev.com/d92073b756277d2d4c9c839dd5ac8fa0e8bb9e28/core/fpdfapi/page/cpdf_colorspace.h

Looking at the fix for this, I think there's another related issue.

The /ShadingPattern type allows the specification of a /ColorSpace object, and this should not be permitted to be a pattern colorspace. There's a missing check for this in cpdf_shadingpattern.cpp and this lets you nest two pattern colorspaces on top of each other; I think the impact of this variation is a read of uninitialised stack memory.

If it would be useful, I can try to produce a poc for this and report it separately.
Filed the variant as  issue 795251  so that it doesn't delay the fix for this issue, but feel free to dup that to this issue if that's easier.
Applying the 90 day deadline to this (as though it was reported today, 2017/12/15) as I've worked out how to make it useful as an information leak. 

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Project Member Comment 13 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Status: Fixed (was: Started)
Labels: Merge-Request-64
Project Member Comment 16 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 17 by sheriffbot@chromium.org, Dec 16 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
Labels: -Merge-Review-64 Merge-Approved-64
+awhalley - approving for merge to M64. Branch:3282
Project Member Comment 19 by bugdroid1@chromium.org, Dec 18 2017

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/a8fdbe4595a991436796244d1a577b6239866e53

commit a8fdbe4595a991436796244d1a577b6239866e53
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Mon Dec 18 19:33:13 2017

[Merge M64] Add restrictions to alternate color spaces.

- ICC color spaces cannot have a Pattern color space as Alternate
- Separation and DeviceN color spaces cannot have a special color space
as Alternate. Special color spaces are {Separation, DeviceN, Indexed and
Pattern}.

Bug: chromium:794492
Change-Id: Ia2199382c759d8d1d13c605c22d6495e935265ad
Reviewed-on: https://pdfium-review.googlesource.com/21310
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
(cherry picked from commit d92073b756277d2d4c9c839dd5ac8fa0e8bb9e28)
Reviewed-on: https://pdfium-review.googlesource.com/21590
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/a8fdbe4595a991436796244d1a577b6239866e53/core/fpdfapi/page/cpdf_colorspace.cpp
[modify] https://crrev.com/a8fdbe4595a991436796244d1a577b6239866e53/core/fpdfapi/page/cpdf_colorspace.h

Project Member Comment 20 by sheriffbot@chromium.org, Mar 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Beta -M-64 M-65 Security_Impact-Stable
Labels: -ReleaseBlock-Stable
