Issue 837578 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 3
Type: Bug-Security

Blocking:
issue 62400




Security: pdfium heap-use-after-free

Reported by christia...@gmail.com, Apr 27 2018

Issue description

VULNERABILITY DETAILS
Heap use after free in pdfium.

VERSION
pdfium_test
commit 575f238334d13ab7bc7920eee23c108ef3b0bbed
Date: Fri Apr 27 01:44:15 2018 +0000

REPRODUCTION CASE
Open attached file.

ADDITIONAL INFORMATION

Rendering PDF file /workarea/samplestore/wip/pdfium/victory_todo/victory_00a34b38031fc7a5992c87c16f6c14e359deecd68b799b969198d6d158d0ea04.raw.
LoadXFA unsuccessful, continuing anyway.
Rendered 1 pages.
=================================================================
==29255==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000011a0 at pc 0x000003cbe216 bp 0x7fffffffd720 sp 0x7fffffffd718
READ of size 1 at 0x6070000011a0 thread T0
    #0 0x3cbe215 in ProbeForLowSeverityLifetimeIssue /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/unowned_ptr.h:110
    #1 0x3cbe215 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/unowned_ptr.h:63
    #2 0x3cbe215 in Reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/maybe_owned.h:41
    #3 0x3cbe215 in ResetIfUnowned /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/maybe_owned.h:47
    #4 0x3cbe215 in ReleaseXMLNodeIfUnowned /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_node.cpp:545
    #5 0x3cbe215 in ?? ??:0
    #6 0x3d39131 in CXFA_NodeOwner::ReleaseXMLNodesIfNeeded() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_nodeowner.cpp:28
    #7 0x3d39131 in ?? ??:0
    #8 0x3823fcf in CXFA_FFDoc::CloseDoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:150
    #9 0x3823fcf in ?? ??:0
    #10 0x37bb902 in CloseXFADoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67
    #11 0x37bb902 in ~CPDFXFA_Context /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49
    #12 0x37bb902 in ?? ??:0
    #13 0x37bc0fc in CPDFXFA_Context::~CPDFXFA_Context() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45
    #14 0x37bc0fc in ?? ??:0
    #15 0xbb8f31 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../public/cpp/fpdf_deleters.h:31
    #16 0xbb8f31 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #17 0xbb8f31 in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #18 0xbb8f31 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:756
    #19 0xbb8f31 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #20 0xbb8f31 in ?? ??:0
    #21 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x7ffff6c0e82f in ?? ??:0

0x6070000011a0 is located 0 bytes inside of 80-byte region [0x6070000011a0,0x6070000011f0)
freed by thread T0 here:
    #0 0xbaffa2 in operator delete(void*) _asan_rtl_
    #1 0xbaffa2 in ?? ??:0
    #2 0x2dba985 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #3 0x2dba985 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #4 0x2dba985 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #5 0x2dba985 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:33
    #6 0x2dba985 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #7 0x2dba985 in ?? ??:0
    #8 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #9 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #10 0x2dbd7a0 in ?? ??:0
    #11 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #12 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #13 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #14 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #15 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #16 0x2dba897 in ?? ??:0
    #17 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #18 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #19 0x2dbd7a0 in ?? ??:0
    #20 0x3c46d0b in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #21 0x3c46d0b in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #22 0x3c46d0b in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #23 0x3c46d0b in ~CXFA_DocumentParser /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:328
    #24 0x3c46d0b in ?? ??:0
    #25 0x3824cf4 in CXFA_FFDoc::ParseDoc(CPDF_Object*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:69
    #26 0x3824cf4 in ?? ??:0
    #27 0x38255e9 in CXFA_FFDoc::OpenDoc(CPDF_Document*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:107
    #28 0x38255e9 in ?? ??:0
    #29 0x37bc9a6 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94
    #30 0x37bc9a6 in ?? ??:0
    #31 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #32 0x2987fcd in ?? ??:0
    #33 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #34 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #35 0xbb7366 in ?? ??:0
    #36 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #37 0x7ffff6c0e82f in ?? ??:0

previously allocated by thread T0 here:
    #0 0xbaf362 in operator new(unsigned long) _asan_rtl_
    #1 0xbaf362 in ?? ??:0
    #2 0x2dace3c in MakeUnique<CFX_XMLElement, fxcrt::WideString> /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../third_party/base/ptr_util.h:56
    #3 0x2dace3c in Parse /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlparser.cpp:138
    #4 0x2dace3c in ?? ??:0
    #5 0x3c47574 in CXFA_DocumentParser::LoadXML(fxcrt::RetainPtr<IFX_SeekableStream> const&) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:355
    #6 0x3c47574 in ?? ??:0
    #7 0x3c46e65 in CXFA_DocumentParser::Parse(fxcrt::RetainPtr<IFX_SeekableStream> const&, XFA_PacketType) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:332
    #8 0x3c46e65 in ?? ??:0
    #9 0x3824a8f in CXFA_FFDoc::ParseDoc(CPDF_Object*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:63
    #10 0x3824a8f in ?? ??:0
    #11 0x38255e9 in CXFA_FFDoc::OpenDoc(CPDF_Document*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:107
    #12 0x38255e9 in ?? ??:0
    #13 0x37bc9a6 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94
    #14 0x37bc9a6 in ?? ??:0
    #15 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #16 0x2987fcd in ?? ??:0
    #17 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #18 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #19 0xbb7366 in ?? ??:0
    #20 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #21 0x7ffff6c0e82f in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free (/workarea/fuzz/bin/pdfium_asan/pdfium_test+0x3cbe215)
Shadow bytes around the buggy address:
  0x0c0e7fff81e0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff81f0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fff8200: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8210: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8220: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0e7fff8230: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff8240: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff8250: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff8260: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff8270: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8280: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29255==ABORTING

Attachments:
  probeforlowseveritylifetimeissue_heap_use_after_free.sample (19.1 KB)
  probeforlowseveritylifetimeissue_heap_use_after_free.asan (10.4 KB)
Components: Internals>Plugins>PDF
Labels: Security_Impact-None OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
This appears to be in XFA which is not shipped in any version of Chrome.

Possible dupe of Issue 832603?
Blocking: 62400
Status: Started (was: Assigned)
This specific stack is caused by the same issue as 835636, but this test case triggers a second low severity probe after 835636 is fixed.

=================================================================
==164141==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000f00 at pc 0x00000484ef44 bp 0x7fff03041810 sp 0x7fff03041808
READ of size 1 at 0x607000000f00 thread T0
    #0 0x484ef43 in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue() core/fxcrt/unowned_ptr.h:110:7
    #1 0x575fd7b in fxcrt::UnownedPtr<CFX_XMLNode>::~UnownedPtr() core/fxcrt/unowned_ptr.h:60:19
    #2 0x570055d in CXFA_Node::~CXFA_Node() xfa/fxfa/parser/cxfa_node.cpp:540:23
    #3 0x58a628b in CXFA_Packet::~CXFA_Packet() xfa/fxfa/parser/cxfa_packet.cpp:29:30
    #4 0x58a62cf in CXFA_Packet::~CXFA_Packet() xfa/fxfa/parser/cxfa_packet.cpp:29:29
    #5 0x5896533 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #6 0x5896533 in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #7 0x5896533 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #8 0x5896533 in __destroy<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > buildtools/third_party/libc++/trunk/include/memory:1732
    #9 0x5896533 in destroy<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > buildtools/third_party/libc++/trunk/include/memory:1595
    #10 0x5896533 in std::__1::__tree<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, std::__1::less<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > >, std::__1::allocator<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > >::destroy(std::__1::__tree_node<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, void*>*) buildtools/third_party/libc++/trunk/include/__tree:1833
    #11 0x58962d3 in std::__1::__tree<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, std::__1::less<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > >, std::__1::allocator<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > >::destroy(std::__1::__tree_node<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, void*>*) buildtools/third_party/libc++/trunk/include/__tree:1831:9
    #12 0x5896112 in std::__1::__tree<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, std::__1::less<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > >, std::__1::allocator<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > >::~__tree() buildtools/third_party/libc++/trunk/include/__tree:1821:3
    #13 0x5895b4b in std::__1::set<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> >, std::__1::less<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > >, std::__1::allocator<std::__1::unique_ptr<CXFA_Node, std::__1::default_delete<CXFA_Node> > > >::~set() buildtools/third_party/libc++/trunk/include/set:400:28
    #14 0x5894670 in CXFA_NodeOwner::~CXFA_NodeOwner() xfa/fxfa/parser/cxfa_nodeowner.cpp:16:33
    #15 0x55c6363 in CXFA_Document::~CXFA_Document() xfa/fxfa/parser/cxfa_document.cpp:1289:1
    #16 0x55c639f in CXFA_Document::~CXFA_Document() xfa/fxfa/parser/cxfa_document.cpp:1285:33
    #17 0x4ed7790 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #18 0x4ed7790 in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #19 0x4ed7790 in CXFA_FFDoc::CloseDoc() xfa/fxfa/cxfa_ffdoc.cpp:152
    #20 0x4db4608 in CPDFXFA_Context::CloseXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67:14
    #21 0x4db3c50 in CPDFXFA_Context::~CPDFXFA_Context() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49:3
    #22 0x4db47af in CPDFXFA_Context::~CPDFXFA_Context() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45:37
    #23 0x2ebbc9f in FPDF_CloseDocument fpdfsdk/fpdf_view.cpp:743:3
    #24 0x11fc5b7 in FPDFDocumentDeleter::operator()(void*) public/cpp/fpdf_deleters.h:31:47
    #25 0x11ea2fd in reset buildtools/third_party/libc++/trunk/include/memory:2599:7
    #26 0x11ea2fd in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #27 0x11ea2fd in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:756
    #28 0x11db79c in main samples/pdfium_test.cc:911:5
    #29 0x7fd05859e2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

0x607000000f00 is located 0 bytes inside of 80-byte region [0x607000000f00,0x607000000f50)
freed by thread T0 here:
    #0 0x11d5ad2 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:149:3
    #1 0x38af20b in CFX_XMLElement::~CFX_XMLElement() core/fxcrt/xml/cfx_xmlelement.cpp:24:33
    #2 0x38be196 in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #3 0x38be196 in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #4 0x38be196 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #5 0x38be196 in destroy buildtools/third_party/libc++/trunk/include/memory:1860
    #6 0x38be196 in __destroy<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> > > buildtools/third_party/libc++/trunk/include/memory:1727
    #7 0x38be196 in destroy<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> > > buildtools/third_party/libc++/trunk/include/memory:1595
    #8 0x38be196 in __destruct_at_end buildtools/third_party/libc++/trunk/include/vector:413
    #9 0x38be196 in clear buildtools/third_party/libc++/trunk/include/vector:356
    #10 0x38be196 in std::__1::__vector_base<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> >, std::__1::allocator<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> > > >::~__vector_base() buildtools/third_party/libc++/trunk/include/vector:441
    #11 0x38bdbfb in std::__1::vector<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> >, std::__1::allocator<std::__1::unique_ptr<CFX_XMLNode, std::__1::default_delete<CFX_XMLNode> > > >::~vector() buildtools/third_party/libc++/trunk/include/vector:447:28
    #12 0x38bd9a2 in CFX_XMLDocument::~CFX_XMLDocument() core/fxcrt/xml/cfx_xmldocument.cpp:12:35
    #13 0x562e03b in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #14 0x562e03b in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #15 0x562e03b in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #16 0x562e03b in CXFA_DocumentParser::~CXFA_DocumentParser() xfa/fxfa/parser/cxfa_document_parser.cpp:307
    #17 0x4ed92a4 in CXFA_FFDoc::ParseDoc(CPDF_Object*) xfa/fxfa/cxfa_ffdoc.cpp:69:1
    #18 0x4edac24 in CXFA_FFDoc::OpenDoc(CPDF_Document*) xfa/fxfa/cxfa_ffdoc.cpp:107:8
    #19 0x4db5853 in CPDFXFA_Context::LoadXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94:19
    #20 0x2eb64eb in FPDF_LoadXFA fpdfsdk/fpdf_view.cpp:259:63
    #21 0x11e96b4 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:709:12
    #22 0x11db79c in main samples/pdfium_test.cc:911:5
    #23 0x7fd05859e2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x11d4ef2 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92:3
    #1 0x3892021 in pdfium::internal::MakeUniqueResult<CFX_XMLElement>::Scalar pdfium::MakeUnique<CFX_XMLElement, fxcrt::WideString>(fxcrt::WideString&&) third_party/base/ptr_util.h:56:29
    #2 0x388330a in CFX_XMLElement* CFX_XMLDocument::CreateNode<CFX_XMLElement, fxcrt::WideString>(fxcrt::WideString&&) core/fxcrt/xml/cfx_xmldocument.h:32:22
    #3 0x387367e in CFX_XMLParser::Parse() core/fxcrt/xml/cfx_xmlparser.cpp:125:28
    #4 0x562eb3b in CXFA_DocumentParser::LoadXML(fxcrt::RetainPtr<IFX_SeekableStream> const&) xfa/fxfa/parser/cxfa_document_parser.cpp:333:49
    #5 0x562e1fa in CXFA_DocumentParser::Parse(fxcrt::RetainPtr<IFX_SeekableStream> const&, XFA_PacketType) xfa/fxfa/parser/cxfa_document_parser.cpp:311:14
    #6 0x4ed8d36 in CXFA_FFDoc::ParseDoc(CPDF_Object*) xfa/fxfa/cxfa_ffdoc.cpp:63:15
    #7 0x4edac24 in CXFA_FFDoc::OpenDoc(CPDF_Document*) xfa/fxfa/cxfa_ffdoc.cpp:107:8
    #8 0x4db5853 in CPDFXFA_Context::LoadXFADoc() fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94:19
    #9 0x2eb64eb in FPDF_LoadXFA fpdfsdk/fpdf_view.cpp:259:63
    #10 0x11e96b4 in (anonymous namespace)::RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, (anonymous namespace)::Options const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) samples/pdfium_test.cc:709:12
    #11 0x11db79c in main samples/pdfium_test.cc:911:5
    #12 0x7fd05859e2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free core/fxcrt/unowned_ptr.h:110:7 in fxcrt::UnownedPtr<CFX_XMLNode>::ProbeForLowSeverityLifetimeIssue()
Shadow bytes around the buggy address:
  0x0c0e7fff8190: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff81a0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff81b0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e7fff81c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff81d0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0e7fff81e0:[fd]fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff81f0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fff8200: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff8210: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8220: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8230: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==164141==ABORTING

Project Member

Comment 5 by bugdroid1@chromium.org, May 2 2018

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/32ea6d0f847dab80e5fc03142ffa2238b552b357

commit 32ea6d0f847dab80e5fc03142ffa2238b552b357
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Wed May 02 16:17:32 2018

Cleanup XFA document properly on failed load

When we fail to parse an XFA document we would free the XML document
that is created immediately. This causes issues because the XML nodes
may have been set into the CXFA_Document already. This CL changes
ParseDoc to always save the XMLDocument and then triggers the CloseDoc()
logic if the ParseDoc method fails.

This should properly clean up any resources on a failed document load.

Bug: chromium:837578
Change-Id: I8af7e6e34e3b756455c58ea50b22af414ffa6cbf
Reviewed-on: https://pdfium-review.googlesource.com/31710
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/32ea6d0f847dab80e5fc03142ffa2238b552b357/xfa/fxfa/cxfa_ffdoc.cpp
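
The commit message above describes an ownership-ordering fix: the XML document was freed on a failed parse while CXFA nodes still held unowned pointers into it, and the later CloseDoc() teardown probed the freed nodes. The following is an added C++ illustration of that pattern, not pdfium code. It replaces the sanitizer with a hypothetical LiveRegistry (a set of live addresses) so the probe reports a dangling reference without touching freed memory, and the names XmlDocument, XfaDocument, BuggyFailedLoad and FixedFailedLoad are assumptions chosen to mirror the roles of CFX_XMLDocument, CXFA_Document and ParseDoc/CloseDoc on this page.

```cpp
// Added illustration, not pdfium code. Class and function names are
// assumptions that mirror the roles named in the ASan traces above.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Stand-in for the sanitizer: a registry of live object addresses. A probe
// whose target is no longer registered records a violation instead of reading
// freed memory, so this runs without ASan and without undefined behaviour.
struct LiveRegistry {
  std::set<std::uintptr_t> live;
  int violations = 0;
  void Track(const void* p) { live.insert(reinterpret_cast<std::uintptr_t>(p)); }
  void Untrack(const void* p) { live.erase(reinterpret_cast<std::uintptr_t>(p)); }
  void Probe(std::uintptr_t addr) {
    if (addr != 0 && live.count(addr) == 0) ++violations;
  }
};

// Node owned by the XML document (the CFX_XMLNode role).
struct XmlNode {
  explicit XmlNode(LiveRegistry* r) : reg(r) { reg->Track(this); }
  ~XmlNode() { reg->Untrack(this); }
  LiveRegistry* reg;
};

// Owns every XML node it creates (the CFX_XMLDocument role).
struct XmlDocument {
  std::vector<std::unique_ptr<XmlNode>> nodes;
  XmlNode* Create(LiveRegistry* r) {
    nodes.push_back(std::make_unique<XmlNode>(r));
    return nodes.back().get();
  }
};

// Minimal UnownedPtr analogue: non-owning, and its destructor probes the
// pointee the way ProbeForLowSeverityLifetimeIssue does. The address is
// captured while the pointee is alive, so no dangling pointer is dereferenced.
template <typename T>
class UnownedPtr {
 public:
  UnownedPtr(T* p, LiveRegistry* r)
      : addr_(reinterpret_cast<std::uintptr_t>(p)), reg_(r) {}
  ~UnownedPtr() { reg_->Probe(addr_); }
 private:
  std::uintptr_t addr_;
  LiveRegistry* reg_;
};

// XFA-side node that references, but does not own, an XML node (CXFA_Node role).
struct XfaNode {
  XfaNode(XmlNode* n, LiveRegistry* r) : xml(n, r) {}
  UnownedPtr<XmlNode> xml;
};

// Owns the XFA nodes (the CXFA_Document role).
struct XfaDocument {
  std::vector<std::unique_ptr<XfaNode>> nodes;
};

// Pre-fix ordering: on a failed parse the XML document is destroyed at once
// while the XFA document still points into it; the later CloseDoc() step then
// probes freed nodes. Returns the number of probe violations.
int BuggyFailedLoad() {
  LiveRegistry reg;
  auto xfa = std::make_unique<XfaDocument>();
  {
    XmlDocument xml;  // parser-local, freed as soon as parsing fails
    XmlNode* n = xml.Create(&reg);
    xfa->nodes.push_back(std::make_unique<XfaNode>(n, &reg));
  }             // XML nodes freed here; xfa still references them
  xfa.reset();  // CloseDoc(): the UnownedPtr probe finds a freed target
  return reg.violations;
}

// Post-fix ordering: keep the XML document alive, run CloseDoc() first so the
// XFA nodes and their probes go away while the XML nodes still exist, then
// release the XML document. Returns the number of probe violations.
int FixedFailedLoad() {
  LiveRegistry reg;
  auto xml = std::make_unique<XmlDocument>();  // saved, not parser-local
  auto xfa = std::make_unique<XfaDocument>();
  XmlNode* n = xml->Create(&reg);
  xfa->nodes.push_back(std::make_unique<XfaNode>(n, &reg));
  xfa.reset();  // parse failed: tear down the XFA side first ...
  xml.reset();  // ... then the XML document it referenced
  return reg.violations;
}

int main() {
  std::printf("buggy order: %d violation(s)\n", BuggyFailedLoad());  // 1
  std::printf("fixed order: %d violation(s)\n", FixedFailedLoad());  // 0
  return 0;
}
```

The point the example isolates is that the probe fires only because of destruction order, not because of any data the XFA node reads: reversing the teardown so the referencing objects die before the referenced ones is the whole fix, which is why the real change lands in the ParseDoc/CloseDoc logic rather than in the XML parser.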

Labels: Security_Severity-Low Pri-3
Status: Fixed (was: Started)
Project Member

Comment 8 by bugdroid1@chromium.org, May 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/84f012e4b99bf22f19d2ad6937d8b14b2c01d6ec

commit 84f012e4b99bf22f19d2ad6937d8b14b2c01d6ec
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed May 02 21:12:03 2018

Roll src/third_party/pdfium/ d3b0f7cc7..303f9a3af (7 commits)

https://pdfium.googlesource.com/pdfium.git/+log/d3b0f7cc78e6..303f9a3afc4a

$ git log d3b0f7cc7..303f9a3af --date=short --no-merges --format='%ad %ae %s'
2018-05-02 dsinclair [xml] Simplify the CFX_XMLParser parse methods
2018-05-02 dsinclair [xml] Rename CFX_XMLParser::ParseTextChar
2018-05-02 hnakashima CFWL_MonthCalendar::GetTodayText() includes "Today" string.
2018-05-02 hnakashima Pass DPI as CFX_Size in XFA_DrawImage.
2018-05-02 dsinclair Cleanup XFA document properly on failed load
2018-05-02 dsinclair Add a CFX_XMLDocument class.
2018-05-02 hnakashima Remove out params from CalculateAccWidthAndHeight. Return CFX_Size.

Created with:
  roll-dep src/third_party/pdfium
BUG= chromium:837578 


The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


TBR=dsinclair@chromium.org

Change-Id: Ia4cf7f68b647c08a999794d10f270247e6e803fa
Reviewed-on: https://chromium-review.googlesource.com/1040358
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#555532}
[modify] https://crrev.com/84f012e4b99bf22f19d2ad6937d8b14b2c01d6ec/DEPS

Project Member

Comment 9 by sheriffbot@chromium.org, May 3 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 10 by sheriffbot@chromium.org, Aug 9

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-topanel
Labels: -reward-topanel reward-0
Hi christian.jalio@, ProbeForLowSeverityLifetimeIssue alerts that there is a potential object lifecycle issue, but not that it can actually be reached. We'd consider rewarding if it could be demonstrated to be exploitable, but I'm afraid the panel declined to reward.
