pdfium heap-use-after-free 3
Reported by christia...@gmail.com, Apr 27 2018
VULNERABILITY DETAILS
Heap use after free in pdfium.

VERSION
pdfium_test commit 575f238334d13ab7bc7920eee23c108ef3b0bbed
Date: Fri Apr 27 01:44:15 2018 +0000

REPRODUCTION CASE
Open attached file.

ADDITIONAL INFORMATION
Rendering PDF file /workarea/samplestore/wip/pdfium/victory_todo/victory_14d542c88c20bc66126d3bee94282a03975e2374ea43ae37de585849a668a5d0.raw.
Rendered 1 pages.
=================================================================
==29436==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001858 at pc 0x000002dbabed bp 0x7fffffffd550 sp 0x7fffffffd548
READ of size 8 at 0x607000001858 thread T0
    #0 0x2dbabec in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2631
    #1 0x2dbabec in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #2 0x2dbabec in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #3 0x2dbabec in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #4 0x2dbabec in ?? ??:0
    #5 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #6 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #7 0x2dbd7a0 in ?? ??:0
    #8 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #9 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #10 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #11 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #12 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #13 0x2dba897 in ?? ??:0
    #14 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #15 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #16 0x2dbd7a0 in ?? ??:0
    #17 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #18 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #19 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #20 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #21 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #22 0x2dba897 in ?? ??:0
    #23 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #24 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #25 0x2dbd7a0 in ?? ??:0
    #26 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #27 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #28 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #29 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #30 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #31 0x2dba897 in ?? ??:0
    #32 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #33 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #34 0x2dbd7a0 in ?? ??:0
    #35 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #36 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #37 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #38 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #39 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #40 0x2dba897 in ?? ??:0
    #41 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #42 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #43 0x2dbd7a0 in ?? ??:0
    #44 0x38240f2 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #45 0x38240f2 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #46 0x38240f2 in CloseDoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:155
    #47 0x38240f2 in ?? ??:0
    #48 0x37bb902 in CloseXFADoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67
    #49 0x37bb902 in ~CPDFXFA_Context /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49
    #50 0x37bb902 in ?? ??:0
    #51 0x37bc0fc in CPDFXFA_Context::~CPDFXFA_Context() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45
    #52 0x37bc0fc in ?? ??:0
    #53 0xbb8f31 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../public/cpp/fpdf_deleters.h:31
    #54 0xbb8f31 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #55 0xbb8f31 in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #56 0xbb8f31 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:756
    #57 0xbb8f31 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #58 0xbb8f31 in ?? ??:0
    #59 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #60 0x7ffff6c0e82f in ?? ??:0

0x607000001858 is located 40 bytes inside of 80-byte region [0x607000001830,0x607000001880)
freed by thread T0 here:
    #0 0xbaffa2 in operator delete(void*) _asan_rtl_
    #1 0xbaffa2 in ?? ??:0
    #2 0x2dba985 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #3 0x2dba985 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #4 0x2dba985 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #5 0x2dba985 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:33
    #6 0x2dba985 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #7 0x2dba985 in ?? ??:0
    #8 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #9 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #10 0x2dbd7a0 in ?? ??:0
    #11 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #12 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #13 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #14 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #15 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #16 0x2dba897 in ?? ??:0
    #17 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #18 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #19 0x2dbd7a0 in ?? ??:0
    #20 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #21 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #22 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #23 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #24 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #25 0x2dba897 in ?? ??:0
    #26 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #27 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #28 0x2dbd7a0 in ?? ??:0
    #29 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #30 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #31 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #32 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #33 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #34 0x2dba897 in ?? ??:0
    #35 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #36 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #37 0x2dbd7a0 in ?? ??:0
    #38 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #39 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #40 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #41 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #42 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #43 0x2dba897 in ?? ??:0
    #44 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #45 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #46 0x2dbd7a0 in ?? ??:0
    #47 0x2dba897 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #48 0x2dba897 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #49 0x2dba897 in operator= /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2592
    #50 0x2dba897 in DeleteChildren /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:31
    #51 0x2dba897 in ~CFX_XMLNode /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlnode.cpp:21
    #52 0x2dba897 in ?? ??:0
    #53 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #54 0x2dbd7a0 in ~CFX_XMLElement /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlelement.cpp:23
    #55 0x2dbd7a0 in ?? ??:0
    #56 0x38240f2 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2321
    #57 0x38240f2 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #58 0x38240f2 in CloseDoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:155
    #59 0x38240f2 in ?? ??:0
    #60 0x37bb902 in CloseXFADoc /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:67
    #61 0x37bb902 in ~CPDFXFA_Context /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:49
    #62 0x37bb902 in ?? ??:0
    #63 0x37bc0fc in CPDFXFA_Context::~CPDFXFA_Context() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:45
    #64 0x37bc0fc in ?? ??:0
    #65 0xbb8f31 in operator() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../public/cpp/fpdf_deleters.h:31
    #66 0xbb8f31 in reset /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2634
    #67 0xbb8f31 in ~unique_ptr /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:2588
    #68 0xbb8f31 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:756
    #69 0xbb8f31 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #70 0xbb8f31 in ?? ??:0
    #71 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #72 0x7ffff6c0e82f in ?? ??:0

previously allocated by thread T0 here:
    #0 0xbaf362 in operator new(unsigned long) _asan_rtl_
    #1 0xbaf362 in ?? ??:0
    #2 0x2dace3c in MakeUnique<CFX_XMLElement, fxcrt::WideString> /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../third_party/base/ptr_util.h:56
    #3 0x2dace3c in Parse /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../core/fxcrt/xml/cfx_xmlparser.cpp:138
    #4 0x2dace3c in ?? ??:0
    #5 0x3c47574 in CXFA_DocumentParser::LoadXML(fxcrt::RetainPtr<IFX_SeekableStream> const&) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:355
    #6 0x3c47574 in ?? ??:0
    #7 0x3c46e65 in CXFA_DocumentParser::Parse(fxcrt::RetainPtr<IFX_SeekableStream> const&, XFA_PacketType) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_document_parser.cpp:332
    #8 0x3c46e65 in ?? ??:0
    #9 0x3824a8f in CXFA_FFDoc::ParseDoc(CPDF_Object*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:63
    #10 0x3824a8f in ?? ??:0
    #11 0x38255e9 in CXFA_FFDoc::OpenDoc(CPDF_Document*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdoc.cpp:107
    #12 0x38255e9 in ?? ??:0
    #13 0x37bc9a6 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:94
    #14 0x37bc9a6 in ?? ??:0
    #15 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #16 0x2987fcd in ?? ??:0
    #17 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #18 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #19 0xbb7366 in ?? ??:0
    #20 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #21 0x7ffff6c0e82f in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free (/workarea/fuzz/bin/pdfium_asan/pdfium_test+0x2dbabec)
Shadow bytes around the buggy address:
  0x0c0e7fff82b0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff82c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e7fff82d0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0e7fff82e0: 00 00 00 00 00 00 fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff82f0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fff8300: 00 00 fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd
  0x0c0e7fff8310: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fff8320: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff8330: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fff8340: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fff8350: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29436==ABORTING
Aug 6
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Apr 27 2018
Labels: Security_Impact-None OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)