Security: Probeforlowseveritylifetimeissue at ~CFX_XMLNode
Reported by christia...@gmail.com, Apr 27 2018
VULNERABILITY DETAILS
Heap use after free in pdfium.

VERSION
pdfium_test commit 575f238334d13ab7bc7920eee23c108ef3b0bbed
Date: Fri Apr 27 01:44:15 2018 +0000

REPRODUCTION CASE
Open attached file.

ADDITIONAL INFORMATION
Rendering PDF file /workarea/samplestore/wip/pdfium/victory_todo/victory_984bb25ec60c8fd802f2e16d244e98284dd2068a80bc0daf959d34588dbc23d7.raw.
Rendered 1 pages.
=================================================================
==31162==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001910 at pc 0x000002dbabc2 bp 0x7fffffffd400 sp 0x7fffffffd3f8
READ of size 1 at 0x607000001910 thread T0
    #0 0x2dbabc1 in ProbeForLowSeverityLifetimeIssue /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/unowned_ptr.h:110
    #1 0x2dbabc1 in ~UnownedPtr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/unowned_ptr.h:60
    #2 0x2dbabc1 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:22
    #3 0x2dbabc1 in ?? ??:0
    #4 0x2dbd13f in ~CFX_XMLText /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmltext.cpp:14
    #5 0x2dbd13f in ~CFX_XMLText /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmltext.cpp:14
    #6 0x2dbd13f in ?? ??:0
    #7 0x2dbaa0a in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #8 0x2dbaa0a in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #9 0x2dbaa0a in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #10 0x2dbaa0a in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:22
    #11 0x2dbaa0a in ?? ??:0
    #12 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #13 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #14 0x2dbd7a0 in ?? ??:0
    #15 0x2dbaa0a in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #16 0x2dbaa0a in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #17 0x2dbaa0a in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #18 0x2dbaa0a in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:22
    #19 0x2dbaa0a in ?? ??:0
    #20 0x2dbd13f in ~CFX_XMLText /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmltext.cpp:14
    #21 0x2dbd13f in ~CFX_XMLText /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmltext.cpp:14
    #22 0x2dbd13f in ?? ??:0
    #23 0x2dbaa0a in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #24 0x2dbaa0a in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #25 0x2dbaa0a in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #26 0x2dbaa0a in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:22
    #27 0x2dbaa0a in ?? ??:0
    #28 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #29 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #30 0x2dbd7a0 in ?? ??:0
    #31 0x2dba985 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #32 0x2dba985 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #33 0x2dba985 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #34 0x2dba985 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:33
    #35 0x2dba985 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #36 0x2dba985 in ?? ??:0
    #37 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #38 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #39 0x2dbd7a0 in ?? ??:0
    #40 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #41 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #42 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #43 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #44 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #45 0x2dba897 in ?? ??:0
    #46 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #47 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #48 0x2dbd7a0 in ?? ??:0
    #49 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #50 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #51 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #52 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #53 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #54 0x2dba897 in ?? ??:0
    #55 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #56 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #57 0x2dbd7a0 in ?? ??:0
    #58 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #59 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #60 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #61 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #62 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #63 0x2dba897 in ?? ??:0
    #64 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #65 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #66 0x2dbd7a0 in ?? ??:0
    #67 0x38240f2 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #68 0x38240f2 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #69 0x38240f2 in CloseDoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:155
    #70 0x38240f2 in ?? ??:0
    #71 0x37bb902 in CloseXFADoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67
    #72 0x37bb902 in ~CPDFXFA_Context /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49
    #73 0x37bb902 in ?? ??:0
    #74 0x37bc0fc in CPDFXFA_Context::~CPDFXFA_Context() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45
    #75 0x37bc0fc in ?? ??:0
    #76 0xbb8f31 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../public/cpp/fpdf_deleters.h:31
    #77 0xbb8f31 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #78 0xbb8f31 in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #79 0xbb8f31 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:756
    #80 0xbb8f31 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #81 0xbb8f31 in ?? ??:0
    #82 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #83 0x7ffff6c0e82f in ?? ??:0

0x607000001910 is located 0 bytes inside of 80-byte region [0x607000001910,0x607000001960)
freed by thread T0 here:
    #0 0xbaffa2 in operator delete(void*) _asan_rtl_
    #1 0xbaffa2 in ?? ??:0
    #2 0x2dba985 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #3 0x2dba985 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #4 0x2dba985 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #5 0x2dba985 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:33
    #6 0x2dba985 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #7 0x2dba985 in ?? ??:0
    #8 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #9 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #10 0x2dbd7a0 in ?? ??:0
    #11 0x2dba985 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #12 0x2dba985 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #13 0x2dba985 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #14 0x2dba985 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:33
    #15 0x2dba985 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #16 0x2dba985 in ?? ??:0
    #17 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #18 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #19 0x2dbd7a0 in ?? ??:0
    #20 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #21 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #22 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #23 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #24 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #25 0x2dba897 in ?? ??:0
    #26 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #27 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #28 0x2dbd7a0 in ?? ??:0
    #29 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #30 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #31 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #32 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #33 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #34 0x2dba897 in ?? ??:0
    #35 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #36 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #37 0x2dbd7a0 in ?? ??:0
    #38 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #39 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #40 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #41 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #42 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #43 0x2dba897 in ?? ??:0
    #44 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #45 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #46 0x2dbd7a0 in ?? ??:0
    #47 0x38240f2 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #48 0x38240f2 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #49 0x38240f2 in CloseDoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:155
    #50 0x38240f2 in ?? ??:0
    #51 0x37bb902 in CloseXFADoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67
    #52 0x37bb902 in ~CPDFXFA_Context /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49
    #53 0x37bb902 in ?? ??:0
    #54 0x37bc0fc in CPDFXFA_Context::~CPDFXFA_Context() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45
    #55 0x37bc0fc in ?? ??:0
    #56 0xbb8f31 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../public/cpp/fpdf_deleters.h:31
    #57 0xbb8f31 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #58 0xbb8f31 in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #59 0xbb8f31 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:756
    #60 0xbb8f31 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #61 0xbb8f31 in ?? ??:0
    #62 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #63 0x7ffff6c0e82f in ?? ??:0

previously allocated by thread T0 here:
    #0 0xbaf362 in operator new(unsigned long) _asan_rtl_
    #1 0xbaf362 in ?? ??:0
    #2 0x2dace3c in MakeUnique<CFX_XMLElement, fxcrt::WideString> /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../third_party/base/ptr_util.h:56
    #3 0x2dace3c in Parse /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlparser.cpp:138
    #4 0x2dace3c in ?? ??:0
    #5 0x3c47574 in CXFA_DocumentParser::LoadXML(fxcrt::RetainPtr<IFX_SeekableStream> const&) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:355
    #6 0x3c47574 in ?? ??:0
    #7 0x3c46e65 in CXFA_DocumentParser::Parse(fxcrt::RetainPtr<IFX_SeekableStream> const&, XFA_PacketType) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:332
    #8 0x3c46e65 in ?? ??:0
    #9 0x3824a8f in CXFA_FFDoc::ParseDoc(CPDF_Object*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:63
    #10 0x3824a8f in ?? ??:0
    #11 0x38255e9 in CXFA_FFDoc::OpenDoc(CPDF_Document*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:107
    #12 0x38255e9 in ?? ??:0
    #13 0x37bc9a6 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94
    #14 0x37bc9a6 in ?? ??:0
    #15 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #16 0x2987fcd in ?? ??:0
    #17 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #18 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #19 0xbb7366 in ?? ??:0
    #20 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #21 0x7ffff6c0e82f in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free (/workarea/fuzz/bin/pdfium_asan/pdfium_test+0x2dbabc1)
Shadow bytes around the buggy address:
  0x0c0e7fff82d0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0e7fff82e0: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff82f0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8300: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8310: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e7fff8320: fa fa[fd]fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff8330: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff8340: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff8350: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8360: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8370: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31162==ABORTING
Comment by Sheriffbot, Aug 6
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Apr 27 2018
Labels: Security_Impact-None OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
Summary: Security: Probeforlowseveritylifetimeissue at ~CFX_XMLNode (was: Security: pdfium heap-use-after-free 2)