pdfium: stack-overflow in v_Load
Reported by pdk...@gmail.com, Apr 2 2018
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.70 Safari/537.36
Steps to reproduce the problem:
ASAN just SIGSEGVs on this, without any output.
Program received signal SIGSEGV, Segmentation fault.
0x00000000004ca071 in __interceptor_memcpy ()
at llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:792
792 COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, dst, src, size);
(gdb) bt
...
#14 0x000000000080c825 in v_Load () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:830
#15 0x00000000007c0f98 in Load () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:466
#16 0x000000000080da5e in FindAlternateProfile () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:952
#17 0x000000000080c825 in v_Load () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:830
#18 0x00000000007c0f98 in Load () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:466
#19 0x000000000080da5e in FindAlternateProfile () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:952
#20 0x000000000080c825 in v_Load () at ./../../core/fpdfapi/page/cpdf_colorspace.cpp:830
...
And there are about 10K+ more of these.
This is similar to the following bug, except that the ICC-based profile references itself, rather than two profiles referencing each other.
https://pdfium.googlesource.com/pdfium/+/ce9ad1bee792856c2d9e940ecffff97145e18d32
Like this.
4 0 obj
<< /Length 3 /N 1 /Alternate 5 0 R >>
stream
BUG
endstream
endobj
5 0 obj
[/ICCBased 4 0 R]
endobj
What is the expected behavior?
What went wrong?
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? No
Chrome version: 66.0.3359.70 Channel: beta
OS Version: Ubuntu 14.04
Flash Version:
Apr 3 2018
More ICC loader fun ....
Apr 3 2018
Can you provide a sample pdf that triggers this?
Apr 4 2018
For some reason, ASAN reported the stack-overflow in another attempt. Maybe as I switched to libc++.
==11599==ERROR: AddressSanitizer: stack-overflow on address 0x7ffde4b6fbd8 (pc 0x0000004c9081 bp 0x7ffde4b70440 sp 0x7ffde4b6fbe0 T0)
...
#16 0x80c04d in (anonymous namespace)::CPDF_ICCBasedCS::FindAlternateProfile(CPDF_Document*, CPDF_Dictionary*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*, unsigned int) ../../core/fpdfapi/page/cpdf_colorspace.cpp:952:19
#17 0x80ae14 in (anonymous namespace)::CPDF_ICCBasedCS::v_Load(CPDF_Document*, CPDF_Array*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*) ../../core/fpdfapi/page/cpdf_colorspace.cpp:830:8
#18 0x7bf687 in CPDF_ColorSpace::Load(CPDF_Document*, CPDF_Object*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*) ../../core/fpdfapi/page/cpdf_colorspace.cpp:466:29
#19 0x80c04d in (anonymous namespace)::CPDF_ICCBasedCS::FindAlternateProfile(CPDF_Document*, CPDF_Dictionary*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*, unsigned int) ../../core/fpdfapi/page/cpdf_colorspace.cpp:952:19
#20 0x80ae14 in (anonymous namespace)::CPDF_ICCBasedCS::v_Load(CPDF_Document*, CPDF_Array*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*) ../../core/fpdfapi/page/cpdf_colorspace.cpp:830:8
#21 0x7bf687 in CPDF_ColorSpace::Load(CPDF_Document*, CPDF_Object*, std::__1::set<CPDF_Object*, std::__1::less<CPDF_Object*>, std::__1::allocator<CPDF_Object*> >*) ../../core/fpdfapi/page/cpdf_colorspace.cpp:466:29
...
Apr 5 2018
Thanks for the bug report. Is the sample PDF for this bug handcrafted? Can we add it to our public test PDF repo?
Apr 5 2018
Originally yes, but then libFuzz minimized it to what I attached. So you can.
Apr 8 2018
Apr 11 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/b92ec18fdccd196035e02f3232c0b730637ac815

commit b92ec18fdccd196035e02f3232c0b730637ac815
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Wed Apr 11 21:55:49 2018

Fix crash when ColorSpace references itself directly.

Also fixes any problems with cycles between colorspaces.

Past fixes have solved problems with CPDF_DocPageData::GetColorSpace() calling itself and CPDF_DocPageData::GetColorSpace() calling CPDF_ColorSpace::Load() and vice versa. They have not solved CPDF_ColorSpace::Load() calling itself.

This CL repurposes the |pVisited| set to ensure CPDF_ColorSpace::Load() does not try to load a colorspace as a dependency of itself and creates |pVisitedLocal| to ensure CPDF_DocPageData::GetColorSpace() does not create a similar circular dependency not involving CPDF_ColorSpace::Load().

Bug: chromium:828206
Change-Id: Ib2d0ec494be169135607f3651e0f70627b26ebd7
Reviewed-on: https://pdfium-review.googlesource.com/29810
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[add] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
[modify] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/core/fpdfapi/page/cpdf_docpagedata.cpp
[add] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/testing/resources/bug_828206.pdf
[modify] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/core/fpdfapi/page/cpdf_colorspace.cpp
[modify] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/BUILD.gn
[modify] https://crrev.com/b92ec18fdccd196035e02f3232c0b730637ac815/core/fpdfapi/page/cpdf_docpagedata.h
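Added illustration, not pdfium's code: a toy loader over the two objects from the report (stream 4 whose /Alternate is array 5, which names stream 4 again) showing how the unbounded v_Load/Load/FindAlternateProfile recursion becomes a detected cycle once a visited set is threaded through the recursion, as the fix commit describes. ToyColorSpace, ToyDoc, LoadColorSpace, LoadToy and the two document builders are constructed for this example.

```cpp
#include <map>
#include <set>
#include <string>

// Toy model of a PDF object table (added example, not pdfium code). Each color
// space object depends on at most one other object: [/ICCBased N 0 R] depends
// on stream N, an ICC stream on its /Alternate. A dependency of 0 means none.
struct ToyColorSpace {
  std::string kind;  // constructed label: "Array", "ICCStream", "DeviceRGB"
  int dependency;    // object number that must be loaded first, or 0
};
using ToyDoc = std::map<int, ToyColorSpace>;
enum class LoadResult { kLoaded, kNotFound, kCycle };

// A visited set threaded through the recursion, in the spirit of the
// |pVisited| set the fix commit describes: an object already on the current
// load path is reported as a cycle instead of being recursed into.
LoadResult LoadColorSpace(const ToyDoc& doc, int objnum,
                          std::set<int>* visited, int* depth) {
  auto it = doc.find(objnum);
  if (it == doc.end()) return LoadResult::kNotFound;
  if (visited->count(objnum)) return LoadResult::kCycle;
  visited->insert(objnum);
  ++*depth;  // how deep the recursion got; now bounded by the object count
  LoadResult result = LoadResult::kLoaded;
  if (it->second.dependency != 0)
    result = LoadColorSpace(doc, it->second.dependency, visited, depth);
  // Unwind on the way out so only the current path counts: two color spaces
  // sharing one legitimate /Alternate must not be mistaken for a cycle.
  visited->erase(objnum);
  return result;
}

// Entry point with a fresh visited set; *depth receives the depth reached.
LoadResult LoadToy(const ToyDoc& doc, int objnum, int* depth) {
  std::set<int> visited;
  *depth = 0;
  return LoadColorSpace(doc, objnum, &visited, depth);
}

// Objects 4 and 5 from the report: the stream's /Alternate is the array that
// names the stream itself, so loading either one loops back to itself.
ToyDoc SelfReferencingDoc() {
  return {{4, {"ICCStream", 5}}, {5, {"Array", 4}}};
}
// Constructed well-formed variant: the /Alternate resolves to a device space.
ToyDoc WellFormedDoc() {
  return {{4, {"ICCStream", 6}}, {5, {"Array", 4}}, {6, {"DeviceRGB", 0}}};
}
```

Without the `visited` check the self-referencing document would recurse until the stack is exhausted, which is the stack-overflow ASAN reports above; with it, loading object 5 stops after two frames.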
Apr 11 2018
Apr 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b45464bb8cd14b468d28e6cb80cd207441baf5c9

commit b45464bb8cd14b468d28e6cb80cd207441baf5c9
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Thu Apr 12 06:25:13 2018

Roll src/third_party/pdfium/ 6bebd2e3c..87b67f842 (8 commits)

https://pdfium.googlesource.com/pdfium.git/+log/6bebd2e3cfb7..87b67f842fe5

$ git log 6bebd2e3c..87b67f842 --date=short --no-merges --format='%ad %ae %s'
2018-04-11 tsepez Remove CFX_DIBAttribute::m_strAuthor
2018-04-11 hnakashima Fix crash when ColorSpace references itself directly.
2018-04-11 tsepez Fix issues with PDFium third_party/base/span.h
2018-04-11 tsepez Remove use of GetBuffer()/ReleaseBuffer() when c_str() is sufficient.
2018-04-11 tsepez Make cxfa_fmlexer.cpp resilient to null strings
2018-04-11 tsepez Fix trailing whitespace handling in CPDF_StreamParser::ReadInlineStream()
2018-04-11 rharrison Reserve space to reduce memory operations while encoding barcode
2018-04-11 rharrison Add documentation about Valgrind LLD workaround

Created with:
roll-dep src/third_party/pdfium

BUG= chromium:828206 , chromium:831498 , chromium:802242 , chromium:830706

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I7134510b37a0aab373bdff663020825afe63436f
Reviewed-on: https://chromium-review.googlesource.com/1008962
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#550047}

[modify] https://crrev.com/b45464bb8cd14b468d28e6cb80cd207441baf5c9/DEPS
Comment 1 by jmukthavaram@chromium.org, Apr 3 2018
Labels: Needs-Feedback Needs-Triage-M66