segmentation fault in CompareCharsUnsigned
Reported by zhouzhen...@gmail.com, Feb 5 2018
Issue description

VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test with XFA disabled.

VERSION
Operating System: Fedora 27 x86_64
Chrome: asan-linux-stable-63.0.3239.84 https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/linux-release%2Fasan-linux-stable-63.0.3239.84.zip

REPRODUCTION CASE
ASAN_OPTIONS=abort_on_error=1 gdb -args ~/research/asan-linux-stable-63.0.3239.84/pdfium_test /tmp/SEGV-poc
Rendering PDF file /tmp/SEGV-poc.
Unsupported feature: XFA.

Thread 1 "pdfium_test" received signal SIGSEGV, Segmentation fault.
0x00000000009d0f4f in memcmp ()
(gdb) bt
#0 0x00000000009d0f4f in memcmp ()
#1 0x0000000001adf5c1 in CompareCharsUnsigned<unsigned char, unsigned char> () at ../../v8/src/utils.h:677
#2 0x0000000001adf5c1 in CompareChars<unsigned char, unsigned char> () at ../../v8/src/utils.h:694
#3 0x0000000001adf5c1 in CompareRawStringContents<unsigned char> () at ../../v8/src/objects.cc:11198
#4 0x0000000001adf5c1 in SlowEquals() () at ../../v8/src/objects.cc:11388
#5 0x0000000001b11de9 in IsMatch () at ../../v8/src/objects/compilation-cache.h:19
#6 0x0000000001b11de9 in FindEntry () at ../../v8/src/objects-inl.h:2447
#7 0x0000000001b11de9 in FindEntry () at ../../v8/src/objects-inl.h:2427
#8 0x0000000001b11de9 in FindEntry () at ../../v8/src/objects-inl.h:2422
#9 0x0000000001b11de9 in LookupScript() () at ../../v8/src/objects.cc:17188
#10 0x0000000000f836d8 in Lookup() () at ../../v8/src/compilation-cache.cc:138
#11 0x0000000000f85a64 in LookupScript() () at ../../v8/src/compilation-cache.cc:273
#12 0x0000000000fb0d25 in GetSharedFunctionInfoForScript() () at ../../v8/src/compiler.cc:1244
#13 0x0000000000d042b1 in CompileUnboundInternal() () at ../../v8/src/api.cc:2331
#14 0x0000000000d05c07 in Compile() () at ../../v8/src/api.cc:2389
#15 0x0000000000d064e1 in Compile() () at ../../v8/src/api.cc:2669
#16 0x0000000002c5f403 in Execute() () at ../../third_party/pdfium/fxjs/fxjs_v8.cpp:468
#17 0x0000000002b914f0 in CJS_Runtime::ExecuteScript(fxcrt::WideString const&, fxcrt::WideString*) () at ../../third_party/pdfium/fpdfsdk/javascript/cjs_runtime.cpp:198
#18 0x0000000002c1d1ee in RunScript() () at ../../third_party/pdfium/fpdfsdk/javascript/cjs_event_context.cpp:52
#19 0x00000000024fe40c in OnFormat() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:301
#20 0x00000000024f625a in OnFormat() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_widget.cpp:792
#21 0x00000000024f335b in OnLoad() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_widgethandler.cpp:234
#22 0x00000000024e37ce in LoadFXAnnots() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_pageview.cpp:469
#23 0x0000000002507464 in GetPageView() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:562
#24 0x00000000024df728 in FormHandleToPageView () at ../../third_party/pdfium/fpdfsdk/fpdfformfill.cpp:65
#25 0x00000000024df728 in FORM_OnAfterLoadPage() () at ../../third_party/pdfium/fpdfsdk/fpdfformfill.cpp:690
#26 0x0000000000a90144 in GetPageForIndex() () at ../../third_party/pdfium/samples/pdfium_test.cc:995
#27 0x0000000002507630 in GetPage () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:649
#28 0x0000000002507630 in GetPageView() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_formfillenvironment.cpp:573
#29 0x00000000024fca3e in GetWidget() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:104
#30 0x000000000250245e in ResetFieldAppearance () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:319
#31 0x000000000250245e in AfterSelectionChange() () at ../../third_party/pdfium/fpdfsdk/cpdfsdk_interform.cpp:651
#32 0x000000000288af4d in ResetField() () at ../../third_party/pdfium/core/fpdfdoc/cpdf_formfield.cpp:954
#33 0x0000000002897df6 in ResetForm() () at ../../third_party/pdfium/core/fpdfdoc/cpdf_interform.cpp:988

Testcase is in the attachment.
Feb 5 2018

Feb 5 2018
Looks to be stack exhaustion either with or without XFA, thousands of frames that recurse into themselves like:
#686 0x0000000001534ee8 in FORM_DoPageAAction (page=0x240e950, hHandle=0x1ed1770, aaType=0)
at ../../fpdfsdk/fpdfformfill.cpp:831
#687 0x0000000000798c50 in (anonymous namespace)::GetPageForIndex (param=0x7fffffffcb40, doc=0x1ec7440, index=1)
at ../../samples/pdfium_test.cc:996
#688 0x0000000001560196 in CPDFSDK_FormFillEnvironment::GetPage (this=0x1ed1770, nIndex=1)
at ../../fpdfsdk/cpdfsdk_formfillenvironment.cpp:649
#689 0x000000000155feb1 in CPDFSDK_FormFillEnvironment::GetPageView (this=0x1ed1770, nIndex=1)
at ../../fpdfsdk/cpdfsdk_formfillenvironment.cpp:573
#690 0x00000000015552e5 in CPDFSDK_InterForm::GetWidget (this=0x1ed78a0, pControl=0x1ed5920)
at ../../fpdfsdk/cpdfsdk_interform.cpp:134
#691 0x0000000001556081 in CPDFSDK_InterForm::ResetFieldAppearance (this=0x1ed78a0, pFormField=0x1ed6710, sValue=0x0,
bValueChanged=true) at ../../fpdfsdk/cpdfsdk_interform.cpp:348
#692 0x0000000001558ac1 in CPDFSDK_InterForm::AfterSelectionChange (this=0x1ed78a0, pField=0x1ed6710)
at ../../fpdfsdk/cpdfsdk_interform.cpp:669
#693 0x00000000017e7307 in CPDF_FormField::NotifyAfterSelectionChange (this=0x1ed6710)
at ../../core/fpdfdoc/cpdf_formfield.cpp:937
#694 0x00000000017e5dfc in CPDF_FormField::NotifyListOrComboBoxAfterChange (this=0x1ed6710)
at ../../core/fpdfdoc/cpdf_formfield.cpp:966
#695 0x00000000017e39a5 in CPDF_FormField::ResetField (this=0x1ed6710, bNotify=true)
at ../../core/fpdfdoc/cpdf_formfield.cpp:192
#696 0x00000000017ecb36 in CPDF_InterForm::ResetForm (this=0x1ec8160, fields=..., bIncludeOrExclude=false, bNotify=true)
at ../../core/fpdfdoc/cpdf_interform.cpp:914
#697 0x000000000155882c in CPDFSDK_InterForm::DoAction_ResetForm (this=0x1ed78a0, action=...)
at ../../fpdfsdk/cpdfsdk_interform.cpp:607
#698 0x00000000015719fe in CPDFSDK_ActionHandler::DoAction_ResetForm (this=0x1ed7d10, action=..., pFormFillEnv=0x1ed1770)
at ../../fpdfsdk/fsdk_actionhandler.cpp:522
#699 0x0000000001570b62 in CPDFSDK_ActionHandler::DoAction_NoJs (this=0x1ed7d10, action=..., pFormFillEnv=0x1ed1770)
at ../../fpdfsdk/fsdk_actionhandler.cpp:333
#700 0x000000000156f7a2 in CPDFSDK_ActionHandler::ExecuteDocumentPageAction (this=0x1ed7d10, action=...,
type=CPDF_AAction::OpenPage, pFormFillEnv=0x1ed1770, visited=0x7fffff825ad8) at ../../fpdfsdk/fsdk_actionhandler.cpp:193
#701 0x000000000156f552 in CPDFSDK_ActionHandler::DoAction_Page (this=0x1ed7d10, action=..., eType=CPDF_AAction::OpenPage,
pFormFillEnv=0x1ed1770) at ../../fpdfsdk/fsdk_actionhandler.cpp:68
#702 0x0000000001534ee8 in FORM_DoPageAAction (page=0x240e140, hHandle=0x1ed1770, aaType=0)
at ../../fpdfsdk/fpdfformfill.cpp:831
Feb 5 2018
So just an ordinary crash, not a security issue per se.
Feb 5 2018
Also, appears the infinite recursion is through the test harness at ../../samples/pdfium_test.cc:996, DNR under chrome itself.
Feb 5 2018
Maybe pdfium_test should set a good example then? https://pdfium-review.googlesource.com/25511
Feb 6 2018
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/8e53c8c8e19a1f40d90f47068c7dd7ee6ffa275d

commit 8e53c8c8e19a1f40d90f47068c7dd7ee6ffa275d
Author: Lei Zhang <thestig@chromium.org>
Date: Tue Feb 06 00:18:12 2018

Fix an infinite recursion in pdfium_test.

Mark pages as loaded before calling FORM_DoPageAAction().

BUG= chromium:808898
Change-Id: I82c481ba759842ea794b5578120101465b37f16a
Reviewed-on: https://pdfium-review.googlesource.com/25511
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/8e53c8c8e19a1f40d90f47068c7dd7ee6ffa275d/samples/pdfium_test.cc
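As an added example (not pdfium's code and not the diff of the commit above), the following models the ordering the commit message describes: a page cache that runs its post-load hook before marking the page loaded recurses without bound when the hook asks for the same page, while marking the page loaded first turns the re-entrant lookup into a cache hit. PageCache, ResetFormAction and LoadsCleanly are constructed names; the depth limit is a stand-in for real stack exhaustion.

```cpp
#include <functional>
#include <map>
#include <memory>

// Constructed model of the re-entrancy in the report (not pdfium's code): a
// page cache whose post-load hook can call back into the cache for the page
// that is still being loaded.
struct Page { int index; };
class PageCache {
 public:
  using LoadHook = std::function<void(PageCache&)>;
  // mark_before_hook=false is the ordering the commit fixes; true marks the
  // page loaded before the hook runs, so a re-entrant lookup hits the cache.
  PageCache(LoadHook hook, bool mark_before_hook)
      : hook_(std::move(hook)), mark_before_hook_(mark_before_hook) {}
  // Returns the page for |index|, loading it on first access. A depth limit
  // stands in for the real stack exhaustion so the demo stays safe to run.
  const Page* GetPage(int index) {
    auto it = pages_.find(index);
    if (it != pages_.end()) return it->second.get();
    if (depth_ >= kMaxDepth) { overflowed_ = true; return nullptr; }
    ++depth_;
    ++loads_;
    auto page = std::make_unique<Page>(Page{index});
    const Page* raw = page.get();
    if (mark_before_hook_) pages_[index] = std::move(page);   // fixed order
    hook_(*this);                                              // may re-enter
    if (!mark_before_hook_) pages_[index] = std::move(page);  // buggy order
    --depth_;
    return raw;
  }
  bool Overflowed() const { return overflowed_; }
  int Loads() const { return loads_; }
 private:
  static constexpr int kMaxDepth = 64;
  LoadHook hook_;
  bool mark_before_hook_;
  std::map<int, std::unique_ptr<Page>> pages_;
  int depth_ = 0;
  int loads_ = 0;
  bool overflowed_ = false;
};
// Hook modelling a page-open action whose field reset needs the same page.
inline void ResetFormAction(PageCache& cache) { cache.GetPage(0); }
// True when loading finishes without hitting the limit and loads the page once.
inline bool LoadsCleanly(bool mark_before_hook) {
  PageCache cache(ResetFormAction, mark_before_hook);
  const Page* page = cache.GetPage(0);
  return page != nullptr && !cache.Overflowed() && cache.Loads() == 1;
}
```

LoadsCleanly(false) reproduces the unbounded re-entry (cut off by the depth guard), and LoadsCleanly(true) shows the page loaded exactly once with the hook's lookup served from the cache.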
Feb 6 2018

Feb 7 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/05e1f89eef2295c0db4bec845ff32b76f2df06a6

commit 05e1f89eef2295c0db4bec845ff32b76f2df06a6
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed Feb 07 18:13:38 2018

Roll src/third_party/pdfium/ 1ea9f3f92..b3a3eaab0 (27 commits)

https://pdfium.googlesource.com/pdfium.git/+log/1ea9f3f92f25..b3a3eaab0471

$ git log 1ea9f3f92..b3a3eaab0 --date=short --no-merges --format='%ad %ae %s'
2018-02-07 dsinclair Revert "[v8-platform] Store the platform in a unique_ptr"
2018-02-07 thestig More GetPageNumbers() clean up in fpdf_ppo.cpp.
2018-02-06 xlou Change MakeXObject to update reference from the root of the source page.
2018-02-06 rharrison Use temporary iterator to avoid potential OOB
2018-02-06 hnakashima Fix caret not appearing in XFA Edits.
2018-02-06 tsepez Avoid needless malloc for v8:Global array.
2018-02-06 tsepez Remove unused FreeObjectPrivate() overload.
2018-02-06 reed IWYU
2018-02-06 dsinclair Make the CXFA_Node parent pointer Unowned
2018-02-06 rharrison Break unneeded dep on Bmp codec in Gif codec
2018-02-06 rharrison Account for skip size before getting image ifh size
2018-02-06 rharrison Extract classes in fx_bmp.h into their own files
2018-02-06 rharrison Convert BMP class name style to match other codecs
2018-02-06 rharrison Move core/fxcodec/lbmp/ -> core/fxcodec/bmp/
2018-02-06 rharrison Changing the member naming style in BMPDecompressor
2018-02-06 thestig Fix an infinite recursion in pdfium_test.
2018-02-06 xlou Add rendering embeddertests for FPDF_ImportNPagesToOne.
2018-02-05 hnakashima Limit dest buffer to 1GB in FlateOrLZWDecode.
2018-02-05 dsinclair Fold CJS_EmbedObj classes into CJS_Object classes
2018-02-05 dsinclair Remove the CJS_EmbedObj template param from JSConstructor.
2018-02-05 thestig Make EmbedderTest class member style consistent.
2018-02-05 thestig Fix testing.cpp build with v8_use_external_startup_data=false.
2018-02-05 tsepez Use unique pointer in CFXJS_PerObjectData.
2018-02-05 thestig Fix some formcalc constant naming.
2018-02-05 ahaas [v8-platform] Store the platform in a unique_ptr
2018-02-05 thestig Add FPDFAnnotationDeleter for use with std::unique_ptr.
2018-02-05 dsinclair [XFA] dot_accessor may not provide a valid object.

Created with:
roll-dep src/third_party/pdfium

BUG=648177, 808336 , 808336 , 808336 , 808336 , 808336 , 808898 , 808269

The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I1ce04168b70e67d18145e08378a12f571727c4f9
Reviewed-on: https://chromium-review.googlesource.com/906916
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#535062}

[modify] https://crrev.com/05e1f89eef2295c0db4bec845ff32b76f2df06a6/DEPS
Comment 1 by tsepez@chromium.org, Feb 5 2018
Status: Assigned (was: Unconfirmed)