stack-overflow in CPDF_Function::Load
Reported by pdk...@gmail.com, Apr 8 2018
Issue description
Chrome Version: 66.0.3359.70
OS Version: Ubuntu 14.04
==14060==ERROR: AddressSanitizer: stack-overflow on address 0x7fff4cfb3f18 (pc 0x0000004c9201 bp 0x7fff4cfb4780 sp 0x7fff4cfb3f20 T0)
...
#15 0x7dc1dd in CPDF_Function::Load(CPDF_Object*) ../../core/fpdfapi/page/cpdf_function.cpp:40:25
#16 0x82b96c in CPDF_StitchFunc::v_Init(CPDF_Object*) ../../core/fpdfapi/page/cpdf_stitchfunc.cpp:45:42
#17 0x7dd520 in CPDF_Function::Init(CPDF_Object*) ../../core/fpdfapi/page/cpdf_function.cpp:92:8
#18 0x7dc1dd in CPDF_Function::Load(CPDF_Object*) ../../core/fpdfapi/page/cpdf_function.cpp:40:25
...
This happens with two FunctionType 3 functions referencing each other.
6 0 obj
<< /FunctionType 3 /Domain [0 1] /Functions [7 0 R] >>
endobj
7 0 obj
<< /FunctionType 3 /Domain [0 1] /Functions [6 0 R] >>
endobj
Apr 9 2018

Apr 11 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/6bebd2e3cfb7790580722836d0debab3103c94d0

commit 6bebd2e3cfb7790580722836d0debab3103c94d0
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Wed Apr 11 00:13:36 2018

Avoid stack overflow when loading CPDF_Function.

CPDF_StitchFuncs that reference each other create a Load() loop.
Maintaining a set of the visited CPDF_Objects during a Load() call tree
prevents that.

Bug: chromium:830221
Change-Id: I6f494da16c6d79f05870ff85cff38ff8fe69ecfe
Reviewed-on: https://pdfium-review.googlesource.com/30050
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_sampledfunc.cpp
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_psfunc.h
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_function.cpp
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_function.h
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_stitchfunc.h
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_stitchfunc.cpp
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_expintfunc.cpp
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_expintfunc.h
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_psfunc.cpp
[modify] https://crrev.com/6bebd2e3cfb7790580722836d0debab3103c94d0/core/fpdfapi/page/cpdf_sampledfunc.h
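To make the cycle in the report and the visited-set fix from the commit above concrete, here is an added C++ example that is not pdfium's code: a constructed stand-in for the object table and a Load() that tracks the objects on the current call chain. Object numbers 6 and 7 come from the report; FuncDict, ObjTable and LoadFunction are constructed for this example, and erasing an object from the set on return is this example's choice so that a child shared by two parents (a DAG, not a cycle) still loads.

```cpp
// Added example (not pdfium code): cycle detection for stitching
// (FunctionType 3) functions that reference each other via /Functions.
#include <map>
#include <set>
#include <vector>

// Constructed stand-in for a CPDF_Dictionary: only the fields needed here.
struct FuncDict {
  int type;               // /FunctionType (3 = stitching function)
  std::vector<int> kids;  // /Functions, as object numbers (N 0 R)
};

// Constructed stand-in for the document's object table.
using ObjTable = std::map<int, FuncDict>;

// Loads function `objnum`, descending into /Functions of stitching
// functions. `visited` holds the objects on the current Load() call chain;
// meeting one of them again means a cycle, which is reported as a failed
// load instead of recursing until the stack is exhausted.
bool LoadFunction(const ObjTable& objs, int objnum, std::set<int>* visited) {
  auto it = objs.find(objnum);
  if (it == objs.end())
    return false;  // dangling reference
  if (!visited->insert(objnum).second)
    return false;  // already being loaded further up the chain: cycle
  const FuncDict& dict = it->second;
  bool ok = true;
  if (dict.type == 3) {
    for (int kid : dict.kids)
      ok = ok && LoadFunction(objs, kid, visited);
  }
  visited->erase(objnum);  // leaving this call frame (example's choice)
  return ok;
}

// The pair from the report: 6 0 obj -> 7 0 obj -> 6 0 obj.
bool LoadsCyclicPair() {
  ObjTable objs = {{6, {3, {7}}}, {7, {3, {6}}}};
  std::set<int> visited;
  return LoadFunction(objs, 6, &visited);  // false: cycle detected
}

// A well-formed chain: 6 -> 7 -> 8, where 8 is a non-stitching leaf.
bool LoadsAcyclicChain() {
  ObjTable objs = {{6, {3, {7}}}, {7, {3, {8}}}, {8, {2, {}}}};
  std::set<int> visited;
  return LoadFunction(objs, 6, &visited);  // true
}
```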
Apr 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ff4cbba00a2f6f40c62e3c64526e860d995cd2e1

commit ff4cbba00a2f6f40c62e3c64526e860d995cd2e1
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed Apr 11 08:08:14 2018

Roll src/third_party/pdfium/ 4027887ee..6bebd2e3c (10 commits)

https://pdfium.googlesource.com/pdfium.git/+log/4027887ee29a..6bebd2e3cfb7

$ git log 4027887ee..6bebd2e3c --date=short --no-merges --format='%ad %ae %s'
2018-04-11 hnakashima Avoid stack overflow when loading CPDF_Function.
2018-04-10 thestig Add static_asserts for FX_RECT and FX_COLORREF.
2018-04-10 thestig Load CIDToGIDMap stream for CID fonts if it exists.
2018-04-10 rharrison Roll DEPS for Clang and build
2018-04-10 rharrison Add an assert to make sure all code is included in static lib
2018-04-10 thestig Remove CFX_Rect.
2018-04-10 thestig Change CFX_RenderDevice::FillRect() to take FX_RECT by const-ref.
2018-04-10 thestig Change FillRectWithBlend methods to take FX_RECT by const-ref.
2018-04-10 hnakashima Implement CPDFSDK_XFAWidgetHandler::OnKillFocus.
2018-04-10 hnakashima Break down CXFA_FFWidget::On{L|R}ButtonDown() into two steps.

Created with:
  roll-dep src/third_party/pdfium

BUG=chromium:830221, chromium:813705, chromium:820256, chromium:820256

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: Iae9f069e452471eac037e59354fa106060058af5
Reviewed-on: https://chromium-review.googlesource.com/1005962
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#549817}

[modify] https://crrev.com/ff4cbba00a2f6f40c62e3c64526e860d995cd2e1/DEPS
Apr 11 2018
Can I add chromium-830221.pdf to the repo as a test as well?
Apr 13 2018
Sure.
Apr 13 2018
Great, thank you! https://pdfium-review.googlesource.com/c/pdfium/+/30671
Apr 13 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/97b47dc407e772a82782d5d64de5560992df2bf9

commit 97b47dc407e772a82782d5d64de5560992df2bf9
Author: Henrique Nakashima <hnakashima@chromium.org>
Date: Fri Apr 13 20:04:27 2018

Add test for circular CPDF_Function::Load().

Bug: chromium:830221
Change-Id: Ia96086a1b930600a4fb9054123c867d1c8b301eb
Reviewed-on: https://pdfium-review.googlesource.com/30671
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/97b47dc407e772a82782d5d64de5560992df2bf9/BUILD.gn
[add] https://crrev.com/97b47dc407e772a82782d5d64de5560992df2bf9/testing/resources/bug_830221.pdf
[add] https://crrev.com/97b47dc407e772a82782d5d64de5560992df2bf9/core/fpdfapi/page/cpdf_function_embeddertest.cpp
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/741fa132890291513a192ba7d4e1ff96fd39de72

commit 741fa132890291513a192ba7d4e1ff96fd39de72
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri Apr 13 23:05:59 2018

Roll src/third_party/pdfium/ 996c93068..b71d24c1a (8 commits)

https://pdfium.googlesource.com/pdfium.git/+log/996c93068bfc..b71d24c1affe

$ git log 996c93068..b71d24c1a --date=short --no-merges --format='%ad %ae %s'
2018-04-13 thestig Patch lcms to mark data structures as const.
2018-04-13 npm Fix integer overflow in CPDF_Font::FallbackFontFromCharcode
2018-04-13 hnakashima Add test for circular CPDF_Function::Load().
2018-04-13 thestig Add CPDF_ColorState::SetPattern().
2018-04-13 thestig Get rid of CPDF_Color::GetColorSpace().
2018-04-13 dsinclair Add CPDF_Metadata unittests
2018-04-13 dsinclair Hide XML parsing inside CXFA_XMLLocale
2018-04-13 dsinclair Move SharedForm check to CPDF_Metadata class

Created with:
  roll-dep src/third_party/pdfium

BUG=chromium:831583, chromium:830221

The AutoRoll server is located here: https://pdfium-roll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I5cd3fc28ca70459b9d57cf025cd02fba8e5d81cc
Reviewed-on: https://chromium-review.googlesource.com/1013045
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#550775}

[modify] https://crrev.com/741fa132890291513a192ba7d4e1ff96fd39de72/DEPS
Attachment on Comment 1 by pdk...@gmail.com, Apr 8 2018: 340 bytes