Issue 833721

Issue metadata

Status: Fixed
Closed: Apr 2018
OS: Linux, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security


Security: PDFium heap-buffer-overflow WRITE in CPDF_ExpIntFunc::v_Call

Reported by zhouat2...@gmail.com, Apr 17 2018

Issue description

VULNERABILITY DETAILS


heap-buffer-overflow WRITE of size 4 in CPDF_ExpIntFunc::v_Call(float*, float*) const core/fpdfapi/page/cpdf_expintfunc.cpp:55:39

=================================================================
==24517==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000d884 at pc 0x000000e81b65 bp 0x7ffeee6c0380 sp 0x7ffeee6c0378
WRITE of size 4 at 0x60700000d884 thread T0
    #0 0xe81b64 in CPDF_ExpIntFunc::v_Call(float*, float*) const core/fpdfapi/page/cpdf_expintfunc.cpp:55:39
    #1 0xe7fa1e in CPDF_Function::Call(float*, unsigned int, float*, int*) const core/fpdfapi/page/cpdf_function.cpp:116:3
    #2 0x1195056 in (anonymous namespace)::DrawRadialShading(fxcrt::RetainPtr<CFX_DIBitmap> const&, CFX_Matrix*, CPDF_Dictionary*, std::__1::vector<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> >, std::__1::allocator<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> > > > const&, CPDF_ColorSpace*, int) core/fpdfapi/render/cpdf_renderstatus.cpp:233:19
    #3 0x1190807 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern const*, CFX_Matrix*, FX_RECT&, int, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2133:7
    #4 0x119aaa8 in CPDF_RenderStatus::DrawShadingPattern(CPDF_ShadingPattern*, CPDF_PageObject const*, CFX_Matrix const*, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2197:3
    #5 0x119fc46 in CPDF_RenderStatus::DrawPathWithPattern(CPDF_PathObject*, CFX_Matrix const*, CPDF_Color const*, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2421:5
    #6 0x117f910 in CPDF_RenderStatus::ProcessPathPattern(CPDF_PathObject*, CFX_Matrix const*, int*, bool*) core/fpdfapi/render/cpdf_renderstatus.cpp:2434:7
    #7 0x117d806 in CPDF_RenderStatus::ProcessPath(CPDF_PathObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1311:3
    #8 0x117a4c0 in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1198:14
    #9 0x117acc9 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) core/fpdfapi/render/cpdf_renderstatus.cpp:1151:5
    #10 0x116bced in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #11 0x1169d43 in CPDF_ProgressiveRenderer::Start(PauseIndicatorIface*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:44:3
    #12 0xbe8fbd in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IPDFSDK_PauseAdapter*) fpdfsdk/fpdf_view.cpp:124:26
    #13 0xbe5f61 in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IPDFSDK_PauseAdapter*) fpdfsdk/fpdf_view.cpp:902:3
    #14 0xbdbdf4 in FPDF_RenderPageBitmap_Start fpdfsdk/fpdf_progressive.cpp:60:3
    #15 0x8f8b43 in (anonymous namespace)::RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*, (anonymous namespace)::FPDF_FORMFILLINFO_PDFiumTest*, int, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:543:16
    #16 0x8f301f in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:741:9
    #17 0x8e6508 in main samples/pdfium_test.cc:902:5
    #18 0x7f8ebe35682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

0x60700000d884 is located 0 bytes to the right of 68-byte region [0x60700000d840,0x60700000d884)
allocated by thread T0 here:
    #0 0x8b3373 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0xaf200f in pdfium::base::PartitionAllocGenericFlags(pdfium::base::PartitionRootGeneric*, int, unsigned long, char const*) third_party/base/allocator/partition_allocator/partition_alloc.h:790:18
    #2 0xaf1e14 in FX_SafeAlloc(unsigned long, unsigned long) core/fxcrt/fx_memory.h:46:18
    #3 0xaf121c in FX_AllocOrDie(unsigned long, unsigned long) core/fxcrt/fx_memory.h:67:18
    #4 0xdd4ab5 in CFX_FixedBufGrow<float, 16>::CFX_FixedBufGrow(int) core/fxcrt/cfx_fixedbufgrow.h:19:25
    #5 0x119496a in (anonymous namespace)::DrawRadialShading(fxcrt::RetainPtr<CFX_DIBitmap> const&, CFX_Matrix*, CPDF_Dictionary*, std::__1::vector<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> >, std::__1::allocator<std::__1::unique_ptr<CPDF_Function, std::__1::default_delete<CPDF_Function> > > > const&, CPDF_ColorSpace*, int) core/fpdfapi/render/cpdf_renderstatus.cpp:223:31
    #6 0x1190807 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern const*, CFX_Matrix*, FX_RECT&, int, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2133:7
    #7 0x119aaa8 in CPDF_RenderStatus::DrawShadingPattern(CPDF_ShadingPattern*, CPDF_PageObject const*, CFX_Matrix const*, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2197:3
    #8 0x119fc46 in CPDF_RenderStatus::DrawPathWithPattern(CPDF_PathObject*, CFX_Matrix const*, CPDF_Color const*, bool) core/fpdfapi/render/cpdf_renderstatus.cpp:2421:5
    #9 0x117f910 in CPDF_RenderStatus::ProcessPathPattern(CPDF_PathObject*, CFX_Matrix const*, int*, bool*) core/fpdfapi/render/cpdf_renderstatus.cpp:2434:7
    #10 0x117d806 in CPDF_RenderStatus::ProcessPath(CPDF_PathObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1311:3
    #11 0x117a4c0 in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject*, CFX_Matrix const*) core/fpdfapi/render/cpdf_renderstatus.cpp:1198:14
    #12 0x117acc9 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) core/fpdfapi/render/cpdf_renderstatus.cpp:1151:5
    #13 0x116bced in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #14 0x1169d43 in CPDF_ProgressiveRenderer::Start(PauseIndicatorIface*) core/fpdfapi/render/cpdf_progressiverenderer.cpp:44:3
    #15 0xbe8fbd in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IPDFSDK_PauseAdapter*) fpdfsdk/fpdf_view.cpp:124:26
    #16 0xbe5f61 in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, void*, int, int, int, int, int, int, bool, IPDFSDK_PauseAdapter*) fpdfsdk/fpdf_view.cpp:902:3
    #17 0xbdbdf4 in FPDF_RenderPageBitmap_Start fpdfsdk/fpdf_progressive.cpp:60:3
    #18 0x8f8b43 in (anonymous namespace)::RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void*, void*, (anonymous namespace)::FPDF_FORMFILLINFO_PDFiumTest*, int, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:543:16
    #19 0x8f301f in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:741:9
    #20 0x8e6508 in main samples/pdfium_test.cc:902:5
    #21 0x7f8ebe35682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow core/fpdfapi/page/cpdf_expintfunc.cpp:55:39 in CPDF_ExpIntFunc::v_Call(float*, float*) const
==24517==ABORTING


VERSION:
asan-linux-beta-66.0.3359.106


REPRODUCTION CASE:
testcase-002921_OOB_write (attachment, 906 KB)

Comment 1 by tsepez@chromium.org, Apr 17 2018

Labels: M-66 Security_Severity-High Pri-1
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by tsepez@chromium.org, Apr 17 2018

Cc: dsinclair@chromium.org
Owner: thestig@chromium.org
Lei, could you take a look?  You were just poking around in here the other day ...

Comment 3 by sheriffbot@chromium.org, Apr 18 2018

Labels: Security_Impact-Stable
Components: Internals>Plugins>PDF
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows

Comment 5 by ClusterFuzz, Apr 18 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6451397336498176.
Status: Started (was: Assigned)
https://pdfium-review.googlesource.com/c/pdfium/+/30992

Comment 7 by bugdroid1@chromium.org, Apr 18 2018

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/e06880f8eb984a48921f0560bd7ab4e055da432d

commit e06880f8eb984a48921f0560bd7ab4e055da432d
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Apr 18 22:59:32 2018

Fix integer overflow in shading drawing code.

BUG= chromium:833721 

Change-Id: I3ca878760c12144ef27a71dcbbfd7c18d12a5f3b
Reviewed-on: https://pdfium-review.googlesource.com/30992
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/e06880f8eb984a48921f0560bd7ab4e055da432d/core/fpdfapi/render/cpdf_renderstatus.cpp


Comment 8 by bugdroid1@chromium.org, Apr 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1b7273d7a120c7e558287ce6878e8d96d40e3de7

commit 1b7273d7a120c7e558287ce6878e8d96d40e3de7
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Thu Apr 19 01:25:21 2018

Roll src/third_party/pdfium/ fbecb9a51..e06880f8e (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/fbecb9a5150d..e06880f8eb98

$ git log fbecb9a51..e06880f8e --date=short --no-merges --format='%ad %ae %s'
2018-04-18 thestig Fix integer overflow in shading drawing code.
2018-04-18 tsepez Always build JS Runtime stubs even if V8 present.

Created with:
  roll-dep src/third_party/pdfium
BUG= chromium:833721 


The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


TBR=dsinclair@chromium.org

Change-Id: I5f24866aeca19c08d4e8f0459180c5b617263dc6
Reviewed-on: https://chromium-review.googlesource.com/1018119
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#551912}
[modify] https://crrev.com/1b7273d7a120c7e558287ce6878e8d96d40e3de7/DEPS

Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, Apr 19 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
Labels: M-67
awhalley: The fix landed in 68.0.3401.0. Should we consider M66 and M67 merges?
Labels: Merge-Request-67
Thanks thestig@ - let's get this in M67 for now and look at 66 once it's been out in dev/beta for a bit

Comment 13 by sheriffbot@chromium.org, Apr 20 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-67 Merge-Approved-67
Approving merge to M67 branch 3396 based on comment #12. Please merge ASAP. Thank you.

Comment 15 by bugdroid1@chromium.org, Apr 20 2018

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/a1666b8e536e90a4cc21787fe12c95e052454b6d

commit a1666b8e536e90a4cc21787fe12c95e052454b6d
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Apr 20 22:42:54 2018

M67: Fix integer overflow in shading drawing code.

BUG= chromium:833721 
TBR=tsepez@chromium.org

Change-Id: I3ca878760c12144ef27a71dcbbfd7c18d12a5f3b
Reviewed-on: https://pdfium-review.googlesource.com/30992
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit e06880f8eb984a48921f0560bd7ab4e055da432d)
Reviewed-on: https://pdfium-review.googlesource.com/31131
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/a1666b8e536e90a4cc21787fe12c95e052454b6d/core/fpdfapi/render/cpdf_renderstatus.cpp

Labels: reward-topanel

Labels: -reward-topanel reward-unpaid reward-5000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Very nicely done! The Chrome VRP panel decided to award $5,000 for this report.  Cheers!
A member of our finance team will be in touch to arrange payment.  Also, how would you like to be credited in Chrome Release notes?

Labels: -reward-unpaid reward-inprocess
Labels: Merge-Request-66
abdulsyed@ - good for 66
How safe is this merge overall?
Should be fine. It mostly sanity checks a series of additions to make sure they don't overflow.
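Added example in C++ (not PDFium's own code; the fix diff itself is not shown on this page) of the size computation behind the trace in the report and of the overflow-checked form that the merge discussion describes as "sanity checks on a series of additions". The FakeFunction type, the function names and the input values are assumptions constructed for the example.

```cpp
// Added example, not PDFium's code: models the size computation the ASan
// trace points at. The shading renderer sums each function's output count to
// size one result buffer (CFX_FixedBufGrow<float, 16> in the trace), then
// each function writes its outputs into it.
#include <cstdint>
#include <vector>

// Stand-in for CPDF_Function::CountOutputs(); test values are constructed.
struct FakeFunction {
  uint32_t outputs;
};

// Unchecked pattern: summing untrusted counts in 32 bits wraps silently, so a
// document can make the buffer far smaller than the writes that follow.
uint32_t UncheckedTotalOutputs(const std::vector<FakeFunction>& funcs) {
  uint32_t total = 0;
  for (const auto& f : funcs)
    total += f.outputs;  // may wrap around
  return total;
}

// Checked pattern (the "sanity checks on a series of additions" the merge
// discussion describes): reject the whole computation if any step overflows.
// PDFium has its own checked-arithmetic helpers; __builtin_add_overflow keeps
// this example self-contained.
bool CheckedTotalOutputs(const std::vector<FakeFunction>& funcs,
                         uint32_t* total_out) {
  uint32_t total = 0;
  for (const auto& f : funcs) {
    uint32_t next = 0;
    if (__builtin_add_overflow(total, f.outputs, &next))
      return false;  // refuse to render rather than allocate a short buffer
    total = next;
  }
  *total_out = total;
  return true;
}

// Simulates the allocation and the per-function writes at a running offset;
// returns false instead of writing past the end of the buffer.
bool FillResults(const std::vector<FakeFunction>& funcs, uint32_t total,
                 std::vector<float>* results) {
  results->assign(total, 0.0f);
  uint64_t offset = 0;
  for (const auto& f : funcs) {
    if (offset + f.outputs > results->size())  // bounds check before writing
      return false;
    for (uint32_t i = 0; i < f.outputs; ++i)
      (*results)[offset + i] = 1.0f;
    offset += f.outputs;
  }
  return true;
}
```

With two functions whose counts sum past 2^32, the unchecked total collapses to 1 float while the first function still tries to write billions of them, which is the shape of the 68-byte region overrun in the report.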
Labels: -Merge-Request-66 Merge-Approved-66
Ok great, and should be a clean merge to M66 as well, correct? Approving merge to M66 branch:3359.
Cc: asweintraub@google.com
Clean merge to M66.

Comment 30 by bugdroid1@chromium.org, May 8 2018

Labels: -merge-approved-66 merge-merged-3359
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/1e37088495505a646d7725a0991252ca45e90322

commit 1e37088495505a646d7725a0991252ca45e90322
Author: Lei Zhang <thestig@chromium.org>
Date: Tue May 08 22:27:21 2018

M66: Fix integer overflow in shading drawing code.

BUG= chromium:833721 
TBR=tsepez@chromium.org

Change-Id: I3ca878760c12144ef27a71dcbbfd7c18d12a5f3b
Reviewed-on: https://pdfium-review.googlesource.com/30992
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit e06880f8eb984a48921f0560bd7ab4e055da432d)
Reviewed-on: https://pdfium-review.googlesource.com/32195
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/1e37088495505a646d7725a0991252ca45e90322/core/fpdfapi/render/cpdf_renderstatus.cpp

Labels: Release-2-M66
Labels: CVE-2018-6120 CVE_description-missing

Hi zhouat2017@ - will follow up over email.

Comment 35 by sheriffbot@chromium.org, Jul 26

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot