This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.
Please READ THIS FAQ before filing a bug: https://chromium.googlesource.com
/chromium/src/+/master/docs/security/faq.md
Please see the following link for instructions on filing security bugs:
https://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely
deployed.
VULNERABILITY DETAILS
Related to issue 794492 .
When parsing ShadingPatterns; according to the specification they shouldn't be permitted to have a pattern colorspace as their base colorspace, but this is not validated, leading to out-of-bounds reads when rendering using the malformed shading pattern.
bool CPDF_ShadingPattern::Load() {
// ... snip ...
CPDF_Object* pCSObj = pShadingDict->GetDirectObjectFor("ColorSpace");
if (!pCSObj)
return false;
// No validation here on the type of colorspace.
// ... snip ...
return true;
}
If we now look at the code called during rendering of this pattern, we call through DrawFreeGouraudShading (cpdf_renderstatus.cpp), which will call CPDF_MeshStream::ReadVertex for each vertex in the shading pattern, which will call CPDF_MeshStream::ReadColor.
std::tuple<float, float, float> CPDF_MeshStream::ReadColor() {
ASSERT(ShouldCheckBPC(m_type));
float color_value[kMaxComponents];
for (uint32_t i = 0; i < m_nComponents; ++i) {
color_value[i] = m_ColorMin[i] + m_BitStream->GetBits(m_nComponentBits) *
(m_ColorMax[i] - m_ColorMin[i]) /
m_ComponentMax;
}
// NB: color_value has only been initialised for the first m_nComponents elements
float r = 0.0;
float g = 0.0;
float b = 0.0;
if (m_funcs.empty()) {
m_pCS->GetRGB(color_value, &r, &g, &b); // <-- we're interested in this call here
return std::tuple<float, float, float>(r, g, b);
}
// ... snip ...
}
This call to GetRGB will be into the pattern cs
bool CPDF_PatternCS::GetRGB(float* pBuf, float* R, float* G, float* B) const {
if (m_pBaseCS) {
ASSERT(m_pBaseCS->GetFamily() != PDFCS_PATTERN);
PatternValue* pvalue = (PatternValue*)pBuf;
// pvalue->m_Comps is now pointing 5 dwords into an 8 dword sized buffer, and p_pBaseCS expects to be able to read 8 dwords from it.
if (m_pBaseCS->GetRGB(pvalue->m_Comps, R, G, B))
return true;
}
*R = 0.75f;
*G = 0.75f;
*B = 0.75f;
return false;
}
VERSION
Chrome Version: Version 65.0.3293.0 (Developer Build) (64-bit)
Operating System: Debian
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: pdfium process
Crash State:
=================================================================
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f6d03c960e0 at pc 0x5654b6a7bab7 bp 0x7ffcfba9aff0 sp 0x7ffcfba9afe8
READ of size 4 at 0x7f6d03c960e0 thread T0 (chrome)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
#0 0x5654b6a7bab6 in operator() ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:719:67
#1 0x5654b6a7bab6 in max<float, std::__1::__less<float, float> > ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:2711:0
#2 0x5654b6a7bab6 in max<float> ./out/Debug/../../buildtools/third_party/libc++/trunk/include/algorithm:2719:0
#3 0x5654b6a7bab6 in float const& pdfium::clamp<float>(float const&, float const&, float const&) ./out/Debug/../../third_party/pdfium/third_party/base/stl_util.h:74:0
#4 0x5654b6c4acc9 in CPDF_Function::Call(float*, unsigned int, float*, int*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_function.cpp:114:9
#5 0x5654b6bb65e1 in (anonymous namespace)::CPDF_DeviceNCS::GetRGB(float*, float*, float*, float*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_colorspace.cpp:1193:12
#6 0x5654b6c894c5 in CPDF_PatternCS::GetRGB(float*, float*, float*, float*) const ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_patterncs.cpp:53:20
#7 0x5654b6d03c46 in CPDF_MeshStream::ReadColor() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_meshstream.cpp:210:12
#8 0x5654b6d050a0 in CPDF_MeshStream::ReadVertex(CFX_Matrix const&, CPDF_MeshVertex*, unsigned int*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_meshstream.cpp:239:47
#9 0x5654b6f5dc5b in (anonymous namespace)::DrawFreeGouraudShading(fxcrt::RetainPtr<CFX_DIBitmap> const&, CFX_Matrix*, CPDF_Stream*, std::__1::vector<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> >, std::__1::allocator<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> > > > const&, CPDF_ColorSpace*, int) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:493:17
#10 0x5654b6f5783d in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern*, CFX_Matrix*, FX_RECT&, int, bool) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2131:9
#11 0x5654b6f6288b in CPDF_RenderStatus::DrawShadingPattern(CPDF_ShadingPattern*, CPDF_PageObject const*, CFX_Matrix const*, bool) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2188:3
#12 0x5654b6f68243 in CPDF_RenderStatus::DrawPathWithPattern(CPDF_PathObject*, CFX_Matrix const*, CPDF_Color const*, bool) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2412:5
#13 0x5654b6f45450 in CPDF_RenderStatus::ProcessPathPattern(CPDF_PathObject*, CFX_Matrix const*, int&, bool&) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:2422:7
#14 0x5654b6f42fa2 in CPDF_RenderStatus::ProcessPath(CPDF_PathObject*, CFX_Matrix const*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1308:3
#15 0x5654b6f3f52e in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1195:14
#16 0x5654b6f3fec1 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1148:5
#17 0x5654b6f2f691 in CPDF_ProgressiveRenderer::Continue(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
#18 0x5654b6f2d481 in CPDF_ProgressiveRenderer::Start(IFX_PauseIndicator*) ./out/Debug/../../third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:44:3
#19 0x5654b69baecd in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IFSDK_PAUSE_Adapter*) ./out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:129:26
#20 0x5654b69b798f in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IFSDK_PAUSE_Adapter*) ./out/Debug/../../third_party/pdfium/fpdfsdk/fpdfview.cpp:1264:3
#21 0x5654b68a9b39 in FPDF_RenderPageBitmap_Start ./out/Debug/../../third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
#22 0x5654b6780db6 in chrome_pdf::PDFiumEngine::ContinuePaint(int, pp::ImageData*) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:3257:10
#23 0x5654b677e5f5 in chrome_pdf::PDFiumEngine::Paint(pp::Rect const&, pp::ImageData*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) ./out/Debug/../../pdf/pdfium/pdfium_engine.cc:1117:11
#24 0x5654b670f7c0 in chrome_pdf::OutOfProcessInstance::OnPaint(std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> > const&, std::__1::vector<PaintManager::ReadyRect, std::__1::allocator<PaintManager::ReadyRect> >*, std::__1::vector<pp::Rect, std::__1::allocator<pp::Rect> >*) ./out/Debug/../../pdf/out_of_process_instance.cc:1064:16
#25 0x5654b67453d9 in PaintManager::DoPaint() ./out/Debug/../../pdf/paint_manager.cc:235:12
#26 0x5654b6747f6c in PaintManager::OnFlushComplete(int) ./out/Debug/../../pdf/paint_manager.cc:328:5
#27 0x5654b674bf97 in pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::Dispatcher0<void (PaintManager::*)(int)>::operator()(PaintManager*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:607:9
#28 0x5654b674bc24 in pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::CallbackData<pp::CompletionCallbackFactory<PaintManager, pp::ThreadSafeThreadTraits>::Dispatcher0<void (PaintManager::*)(int)> >::Thunk(void*, int) ./out/Debug/../../ppapi/utility/completion_callback_factory.h:584:7
#29 0x7f6d47e1c0d4 in PP_RunCompletionCallback(PP_CompletionCallback*, int) ./out/Debug/../../ppapi/c/pp_completion_callback.h:240:3
#30 0x7f6d47e1bfba in void ppapi::CallWhileUnlocked<void, PP_CompletionCallback*, int, PP_CompletionCallback*, int>(void (*)(PP_CompletionCallback*, int), PP_CompletionCallback* const&, int const&) ./out/Debug/../../ppapi/shared_impl/proxy_lock.h:135:10
#31 0x7f6d47e180f9 in ppapi::TrackedCallback::Run(int) ./out/Debug/../../ppapi/shared_impl/tracked_callback.cc:141:7
#32 0x7f6d3bf638d6 in ppapi::proxy::Graphics2DResource::OnPluginMsgFlushACK(ppapi::proxy::ResourceMessageReplyParams const&) ./out/Debug/../../ppapi/proxy/graphics_2d_resource.cc:159:28
#33 0x7f6d3bf667bd in void base::internal::FunctorTraits<void (ppapi::proxy::Graphics2DResource::*)(ppapi::proxy::ResourceMessageReplyParams const&), void>::Invoke<scoped_refptr<ppapi::proxy::Graphics2DResource> const&, ppapi::proxy::ResourceMessageReplyParams const&>(void (ppapi::proxy::Graphics2DResource::*)(ppapi::proxy::ResourceMessageReplyParams const&), scoped_refptr<ppapi::proxy::Graphics2DResource> const&, ppapi::proxy::ResourceMessageReplyParams const&) ./out/Debug/../../base/bind_internal.h:211:12
#34 0x7f6d3bf66482 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (ppapi::proxy::Graphics2DResource::* const&)(ppapi::proxy::ResourceMessageReplyParams const&), scoped_refptr<ppapi::proxy::Graphics2DResource> const&, ppapi::proxy::ResourceMessageReplyParams const&>(void (ppapi::proxy::Graphics2DResource::* const&)(ppapi::proxy::ResourceMessageReplyParams const&), scoped_refptr<ppapi::proxy::Graphics2DResource> const&, ppapi::proxy::ResourceMessageReplyParams const&) ./out/Debug/../../base/bind_internal.h:294:12
#35 0x7f6d3bf66256 in void base::internal::Invoker<base::internal::BindState<void (ppapi::proxy::Graphics2DResource::*)(ppapi::proxy::ResourceMessageReplyParams const&), scoped_refptr<ppapi::proxy::Graphics2DResource> >, void (ppapi::proxy::ResourceMessageReplyParams const&)>::RunImpl<void (ppapi::proxy::Graphics2DResource::* const&)(ppapi::proxy::ResourceMessageReplyParams const&), std::__1::tuple<scoped_refptr<ppapi::proxy::Graphics2DResource> > const&, 0ul>(void (ppapi::proxy::Graphics2DResource::* const&)(ppapi::proxy::ResourceMessageReplyParams const&), std::__1::tuple<scoped_refptr<ppapi::proxy::Graphics2DResource> > const&, std::__1::integer_sequence<unsigned long, 0ul>, ppapi::proxy::ResourceMessageReplyParams const&) ./out/Debug/../../base/bind_internal.h:368:12
#36 0x7f6d3bf6613a in base::internal::Invoker<base::internal::BindState<void (ppapi::proxy::Graphics2DResource::*)(ppapi::proxy::ResourceMessageReplyParams const&), scoped_refptr<ppapi::proxy::Graphics2DResource> >, void (ppapi::proxy::ResourceMessageReplyParams const&)>::Run(base::internal::BindStateBase*, ppapi::proxy::ResourceMessageReplyParams const&) ./out/Debug/../../base/bind_internal.h:350:12
#37 0x7f6d3bead10e in base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>::Run(ppapi::proxy::ResourceMessageReplyParams const&) const & ./out/Debug/../../base/callback.h:94:12
#38 0x7f6d3bead08f in void ppapi::proxy::DispatchResourceReplyImpl<base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&, std::__1::tuple<>&>(base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&, ppapi::proxy::ResourceMessageReplyParams const&, std::__1::tuple<>&, std::__1::integer_sequence<unsigned long>) ./out/Debug/../../ppapi/proxy/dispatch_reply_message.h:56:40
#39 0x7f6d3beacfc3 in void ppapi::proxy::DispatchResourceReply<base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&, std::__1::tuple<>&>(base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&, ppapi::proxy::ResourceMessageReplyParams const&, std::__1::tuple<>&) ./out/Debug/../../ppapi/proxy/dispatch_reply_message.h:69:3
#40 0x7f6d3bf68ecc in void ppapi::proxy::DispatchResourceReplyOrDefaultParams<IPC::MessageT<PpapiPluginMsg_Graphics2D_FlushAck_Meta, std::__1::tuple<>, void>, base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&>(base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)>&, ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../ppapi/proxy/dispatch_reply_message.h:141:5
#41 0x7f6d3bf689ff in ppapi::proxy::PluginResourceCallback<IPC::MessageT<PpapiPluginMsg_Graphics2D_FlushAck_Meta, std::__1::tuple<>, void>, base::RepeatingCallback<void (ppapi::proxy::ResourceMessageReplyParams const&)> >::Run(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../ppapi/proxy/plugin_resource_callback.h:39:5
#42 0x7f6d3c0265a6 in ppapi::proxy::PluginResource::OnReplyReceived(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../ppapi/proxy/plugin_resource.cc:54:15
#43 0x7f6d3c01c47f in ppapi::proxy::PluginMessageFilter::DispatchResourceReply(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../ppapi/proxy/plugin_message_filter.cc:116:13
#44 0x7f6d3c023d73 in void base::internal::FunctorTraits<void (*)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), void>::Invoke<ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&>(void (*)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../base/bind_internal.h:166:12
#45 0x7f6d3c023c7b in void base::internal::InvokeHelper<false, void>::MakeItSo<void (* const&)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&>(void (* const&)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&) ./out/Debug/../../base/bind_internal.h:294:12
#46 0x7f6d3c023bdb in void base::internal::Invoker<base::internal::BindState<void (*)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), ppapi::proxy::ResourceMessageReplyParams, IPC::Message>, void ()>::RunImpl<void (* const&)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), std::__1::tuple<ppapi::proxy::ResourceMessageReplyParams, IPC::Message> const&, 0ul, 1ul>(void (* const&)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), std::__1::tuple<ppapi::proxy::ResourceMessageReplyParams, IPC::Message> const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) ./out/Debug/../../base/bind_internal.h:368:12
#47 0x7f6d3c023aa2 in base::internal::Invoker<base::internal::BindState<void (*)(ppapi::proxy::ResourceMessageReplyParams const&, IPC::Message const&), ppapi::proxy::ResourceMessageReplyParams, IPC::Message>, void ()>::Run(base::internal::BindStateBase*) ./out/Debug/../../base/bind_internal.h:350:12
#48 0x7f6d7295d08f in base::OnceCallback<void ()>::Run() && ./out/Debug/../../base/callback.h:65:12
#49 0x7f6d72a77a26 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./out/Debug/../../base/debug/task_annotator.cc:55:33
#50 0x7f6d72c79e8a in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) ./out/Debug/../../base/message_loop/incoming_task_queue.cc:128:19
#51 0x7f6d72c9576e in base::MessageLoop::RunTask(base::PendingTask*) ./out/Debug/../../base/message_loop/message_loop.cc:391:25
#52 0x7f6d72c960cc in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ./out/Debug/../../base/message_loop/message_loop.cc:403:5
#53 0x7f6d72c96a30 in base::MessageLoop::DoWork() ./out/Debug/../../base/message_loop/message_loop.cc:447:16
#54 0x7f6d72cb9d6b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./out/Debug/../../base/message_loop/message_pump_default.cc:37:31
#55 0x7f6d72c93ced in base::MessageLoop::Run(bool) ./out/Debug/../../base/message_loop/message_loop.cc:342:12
#56 0x7f6d72f1bc77 in base::RunLoop::Run() ./out/Debug/../../base/run_loop.cc:130:14
#57 0x7f6d58e9be2e in content::PpapiPluginMain(content::MainFunctionParams const&) ./out/Debug/../../content/ppapi_plugin/ppapi_plugin_main.cc:160:19
#58 0x7f6d63f9fdcf in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) ./out/Debug/../../content/app/content_main_runner.cc:356:14
#59 0x7f6d63fa18a9 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ./out/Debug/../../content/app/content_main_runner.cc:436:12
#60 0x7f6d63faa5d1 in content::ContentMainRunnerImpl::Run() ./out/Debug/../../content/app/content_main_runner.cc:705:12
#61 0x7f6d63f8c5b5 in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() ./out/Debug/../../content/app/content_service_manager_main_delegate.cc:51:32
#62 0x7f6d73c82479 in service_manager::Main(service_manager::MainParams const&) ./out/Debug/../../services/service_manager/embedder/main.cc:456:29
#63 0x7f6d63f9ecef in content::ContentMain(content::ContentMainParams const&) ./out/Debug/../../content/app/content_main.cc:19:10
#64 0x56549fc0e6b7 in ChromeMain ./out/Debug/../../chrome/app/chrome_main.cc:127:12
#65 0x56549fc0e28e in main ./out/Debug/../../chrome/app/chrome_exe_main_aura.cc:17:10
#66 0x7f6d15b772b0 in __libc_start_main ??:0:0
Address 0x7f6d03c960e0 is located in stack of thread T0 (chrome) at offset 224 in frame
#0 0x5654b6d0322f in CPDF_MeshStream::ReadColor() ./out/Debug/../../third_party/pdfium/core/fpdfapi/page/cpdf_meshstream.cpp:196:0
This frame has 14 object(s):
[32, 40) 'retval.i.i105'
[64, 72) 'retval.i108'
[96, 104) 'retval.i.i'
[128, 136) 'retval.i'
[160, 172) 'retval'
[192, 224) 'color_value' (line 199) <== Memory access at offset 224 overflows this variable
[256, 260) 'r' (line 206)
[272, 276) 'g' (line 207)
[288, 292) 'b' (line 208)
[304, 336) 'result' (line 214)
[368, 372) 'nResults' (line 216)
[384, 392) '__begin' (line 217)
[416, 424) '__end' (line 217)
[448, 464) 'tmp'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/google/home/markbrand/tmp/asan-linux-debug-523440/chrome+0x1bd27ab6)
Shadow bytes around the buggy address:
0x0fee2078abc0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078abd0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078abe0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078abf0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078ac00: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
=>0x0fee2078ac10: 00 f2 f2 f2 00 04 f2 f2 00 00 00 00[f2]f2 f2 f2
0x0fee2078ac20: 04 f2 04 f2 04 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2
0x0fee2078ac30: f8 f2 f2 f2 f8 f2 f2 f2 00 00 f3 f3 00 00 00 00
0x0fee2078ac40: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078ac50: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0fee2078ac60: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1==ABORTING
Client ID (if relevant): [see link above]
|
Deleted:
poc2.pdf
1.3 KB
|
Comment 1 Deleted