segv in third_party/pdfium/core/fxcodec/codec/fx_codec_jpx_opj.cpp
Reported by
cdsrc2...@gmail.com,
Dec 27 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Steps to reproduce the problem:
1. $ out/test/pdfium_test poc.pdf
What is the expected behavior?
Render PDF file normally.
What went wrong?
It got a segv.
$ ASAN_OPTIONS=allocator_may_return_null=1 out/test/pdfium_test poc.pdf
Rendering PDF file poc.pdf.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==125746==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x084f51e8 bp 0xffe40708 sp 0xffe40660 T0)
==125746==The signal is caused by a WRITE memory access.
==125746==Hint: address points to the zero page.
#0 0x84f51e7 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x84f51e7)
#1 0x84f844b (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x84f844b)
#2 0x834545e (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x834545e)
#3 0x833e39b (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x833e39b)
#4 0x8341d02 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8341d02)
#5 0x841bea5 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x841bea5)
#6 0x835510a (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835510a)
#7 0x843a2e7 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x843a2e7)
#8 0x841e75d (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x841e75d)
#9 0x8427fc4 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8427fc4)
#10 0x8365f88 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8365f88)
#11 0x835c3b8 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835c3b8)
#12 0x835b9a0 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835b9a0)
#13 0x8167d02 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8167d02)
#14 0x8167652 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8167652)
#15 0x815a245 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x815a245)
#16 0x8137a38 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8137a38)
#17 0x813192f (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x813192f)
#18 0xf71b6636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x84f51e7)
==125746==ABORTING
$ out/test/pdfium_test poc.pdf
Rendering PDF file poc.pdf.
==125678==AddressSanitizer's allocator is terminating the process instead of returning 0
==125678==If you don't like this behavior set allocator_may_return_null=1
==125678==AddressSanitizer CHECK failed: /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
#0 0x8106a84 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8106a84)
#1 0x8119b53 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8119b53)
#2 0x810ac0e (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x810ac0e)
#3 0x810acbb (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x810acbb)
#4 0x806874f (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x806874f)
#5 0x8068462 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8068462)
#6 0x8064c90 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8064c90)
#7 0x8063188 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8063188)
#8 0x80fedff (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x80fedff)
#9 0x854e932 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x854e932)
#10 0x84f5016 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x84f5016)
#11 0x84f844b (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x84f844b)
#12 0x834545e (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x834545e)
#13 0x833e39b (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x833e39b)
#14 0x8341d02 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8341d02)
#15 0x841bea5 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x841bea5)
#16 0x835510a (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835510a)
#17 0x843a2e7 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x843a2e7)
#18 0x841e75d (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x841e75d)
#19 0x8427fc4 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8427fc4)
#20 0x8365f88 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8365f88)
#21 0x835c3b8 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835c3b8)
#22 0x835b9a0 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x835b9a0)
#23 0x8167d02 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8167d02)
#24 0x8167652 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8167652)
#25 0x815a245 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x815a245)
#26 0x8137a38 (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x8137a38)
#27 0x813192f (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x813192f)
#28 0xf726c636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
#29 0x806246b (/home/cx/pdfium/pdfium/out/test/pdfium_test+0x806246b)
Did this work before? N/A
Chrome version: Channel: n/a
OS Version:
Flash Version:
,
Dec 28 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5803575195467776.
,
Dec 28 2017
Since this is a NULL-dereference, there shouldn't be security implications.
,
Dec 29 2017
Hi, Will this issue be assigned a CVE number?
,
Dec 31 2017
No, because this is not a security issue.
,
Jan 3 2018
Does not repro for me building from tip-of-tree in either Linux or Windows. I'm confused as to what platform this is for, since the user agent says "Windows" but the rest looks like Linux. On Windows I can't execute the instructions to the letter because the provided args.gn does not work. "Sanitizers (is_*san) require setting is_clang = true [...]" Tried to reproduce after adding this flag. Also tried both with and without allocator_may_return_null. Can you confirm the OS?
,
Jan 4 2018
OS: Distributor ID: Ubuntu Description: Ubuntu 16.04 LTS Release: 16.04 Codename: xenial Arch: x86_64
,
Jan 4 2018
So the POC takes a long time to run here (~40s with asan) but does not cause a SEGV, just renders.
,
Jan 5 2018
Maybe you can try target_cpu = "x86". It does not crash on "x64".
,
Jan 5 2018
Thank you, got it now. I had tried x86 on Windows but not on Linux. Confirmed the bug on Linux.
,
Jan 19 2018
sycc422_to_rgb() is trying to allocate a lot of memory here:

  int* r = static_cast<int*>(opj_image_data_alloc(max_size.ValueOrDie()));
  int* g = static_cast<int*>(opj_image_data_alloc(max_size.ValueOrDie()));
  int* b = static_cast<int*>(opj_image_data_alloc(max_size.ValueOrDie()));

max_size is 570,490,880, which is 4 bytes/int * 128 (maxw) * 1,114,240 (maxh). There are three sequential allocations so the total requested is 1,711,472,640 bytes. This image size doesn't break the int_max limit, but it's unreasonably high.

Should we just add a hard limit for jpx, say 4096x4096? What have we been doing with these cases when the file specifies huge image dimensions?
,
Jan 30 2018
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/b68a2b7efa732efc00aed4bbc0e58fd7fa4e8c29

commit b68a2b7efa732efc00aed4bbc0e58fd7fa4e8c29
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Tue Jan 30 19:37:11 2018

Check if opj_image_data_alloc returned null.

Bug: chromium:797726
Change-Id: Ib13d5a4a78de462f1257f1103728f2a4111cb916
Reviewed-on: https://pdfium-review.googlesource.com/24510
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/b68a2b7efa732efc00aed4bbc0e58fd7fa4e8c29/core/fxcodec/codec/fx_codec_jpx_opj.cpp
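The two comments above describe the failure chain (three ~570 MB plane allocations, a null return that the caller stored through, a WRITE to the zero page) and the fix (check the result of opj_image_data_alloc before use). The following is an added example written for this page, not pdfium's or OpenJPEG's code: it models that allocation step with an overflow-checked size computation, the null check the fix introduced, and an optional pixel cap of the kind the developer asked about. image_data_alloc, plane_bytes, allocate_rgb_planes, RgbPlanes, PlaneStatus and the 64 MiB limit in the stand-in allocator are all hypothetical; the limit exists only so the failure path can be exercised without really requesting 1.7 GB.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>

// Hypothetical cap for the stand-in allocator below (not a pdfium/OpenJPEG value).
constexpr size_t kFakeAllocLimit = size_t{64} * 1024 * 1024;

// Stand-in for opj_image_data_alloc(): like the real allocator it returns
// nullptr on failure. Requests above kFakeAllocLimit fail so the null path
// runs in a test without actually allocating hundreds of megabytes.
static void* image_data_alloc(size_t n) {
  if (n == 0 || n > kFakeAllocLimit) return nullptr;
  return std::malloc(n);
}
static void image_data_free(void* p) { std::free(p); }

enum class PlaneStatus { kOk, kOverflow, kTooLarge, kAllocFailed };

// Owns up to three int planes; frees whatever was allocated, including on
// the partial-failure path (free(nullptr) is a no-op).
struct RgbPlanes {
  int* r = nullptr;
  int* g = nullptr;
  int* b = nullptr;
  size_t bytes_per_plane = 0;
  ~RgbPlanes() {
    image_data_free(r);
    image_data_free(g);
    image_data_free(b);
  }
};

// Overflow-checked w * h * sizeof(int). Plays the role of the CheckedNumeric
// max_size mentioned in the comment: a size that does not fit is a failure,
// never a wrapped-around small number.
static bool plane_bytes(uint32_t w, uint32_t h, size_t* out) {
  const uint64_t px = uint64_t{w} * h;  // two 32-bit factors cannot overflow 64 bits
  if (px > std::numeric_limits<uint64_t>::max() / sizeof(int)) return false;
  const uint64_t bytes = px * sizeof(int);
  if (bytes > std::numeric_limits<size_t>::max()) return false;  // 32-bit targets
  *out = static_cast<size_t>(bytes);
  return true;
}

// Allocates the three planes sycc422_to_rgb()-style code needs.
// max_pixels == 0 disables the dimension cap; a non-zero value is the
// "hard limit" knob the developer asked about (hypothetical here).
PlaneStatus allocate_rgb_planes(uint32_t w, uint32_t h, RgbPlanes* out,
                                uint64_t max_pixels = 0) {
  if (max_pixels != 0 && uint64_t{w} * h > max_pixels) return PlaneStatus::kTooLarge;

  size_t bytes = 0;
  if (!plane_bytes(w, h, &bytes)) return PlaneStatus::kOverflow;

  out->r = static_cast<int*>(image_data_alloc(bytes));
  out->g = static_cast<int*>(image_data_alloc(bytes));
  out->b = static_cast<int*>(image_data_alloc(bytes));

  // The check the fix added: bail out before any write through the plane
  // pointers. Without it, a failed allocation becomes a store to address 0,
  // which is the zero-page WRITE the ASan report shows.
  if (!out->r || !out->g || !out->b) return PlaneStatus::kAllocFailed;

  out->bytes_per_plane = bytes;
  return PlaneStatus::kOk;
}

// Per-plane byte count for the dimensions in the report:
// 4 bytes/int * 128 * 1,114,240 = 570,490,880.
size_t report_plane_bytes() {
  size_t bytes = 0;
  plane_bytes(128, 1114240, &bytes);
  return bytes;
}
```

With allocator_may_return_null=1 the real allocator behaves like the stand-in here (a null return rather than an abort), which is exactly the configuration in which the original report turned from an allocator CHECK failure into a SEGV; the null check turns that same input into a clean decode failure.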
,
May 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |