
Issue 837585

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 3
Type: Bug-Security

Blocking:
issue 62400




Security: CXFA_Node::FindSplitPos container overflow

Reported by christia...@gmail.com, Apr 27 2018

Issue description

VULNERABILITY DETAILS
Container overflow in pdfium.

VERSION
pdfium_test
commit 575f238334d13ab7bc7920eee23c108ef3b0bbed
Date: Fri Apr 27 01:44:15 2018 +0000

REPRODUCTION CASE
Open attached file.

ADDITIONAL INFORMATION

Rendering PDF file /workarea/samplestore/wip/pdfium/victory_todo/victory_8f4fb392bc9defbb61ae7abe30c90fa9a1c9176d24e0c12d6dbfca25d40ef914.raw.
=================================================================
==31009==ERROR: AddressSanitizer: container-overflow on address 0x61d00005ce54 at pc 0x000003ce83a0 bp 0x7fffffffcf30 sp 0x7fffffffcf28
READ of size 4 at 0x61d00005ce54 thread T0
    #0 0x3ce839f in CXFA_Node::FindSplitPos(CXFA_FFDocView*, int, float&) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_node.cpp:3221
    #1 0x3ce839f in ?? ??:0
    #2 0x3c6c34b in (anonymous namespace)::FindLayoutItemSplitPos(CXFA_ContentLayoutItem*, float, float*, bool*, bool) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:496
    #3 0x3c6c34b in ?? ??:0
    #4 0x3c85661 in FindSplitPos /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:667
    #5 0x3c85661 in InsertFlowedItem /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:2656
    #6 0x3c85661 in ?? ??:0
    #7 0x3c7fab0 in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer(bool, XFA_AttributeEnum, float, float, CXFA_LayoutContext*, bool) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:1951
    #8 0x3c7fab0 in ?? ??:0
    #9 0x3c718f1 in CXFA_ItemLayoutProcessor::DoLayout(bool, float, float, CXFA_LayoutContext*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:2217
    #10 0x3c718f1 in ?? ??:0
    #11 0x3c8d4d6 in CXFA_LayoutProcessor::DoLayout() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_layoutprocessor.cpp:74
    #12 0x3c8d4d6 in ?? ??:0
    #13 0x38d12a1 in CXFA_FFDocView::DoLayout() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdocview.cpp:94
    #14 0x38d12a1 in ?? ??:0
    #15 0x37bcb51 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:118
    #16 0x37bcb51 in ?? ??:0
    #17 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #18 0x2987fcd in ?? ??:0
    #19 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #20 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #21 0xbb7366 in ?? ??:0
    #22 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #23 0x7ffff6c0e82f in ?? ??:0

0x61d00005ce54 is located 1492 bytes inside of 2048-byte region [0x61d00005c880,0x61d00005d080)
allocated by thread T0 here:
    #0 0xbaf362 in operator new(unsigned long) _asan_rtl_
    #1 0xbaf362 in ?? ??:0
    #2 0x29764ba in __libcpp_allocate /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/new:259
    #3 0x29764ba in allocate /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:1799
    #4 0x29764ba in allocate /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/memory:1548
    #5 0x29764ba in __split_buffer /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/__split_buffer:311
    #6 0x29764ba in __push_back_slow_path<float> /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/vector:1578
    #7 0x29764ba in ?? ??:0
    #8 0x3ce6f2b in push_back /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../buildtools/third_party/libc++/trunk/include/vector:1619
    #9 0x3ce6f2b in CXFA_Node::FindSplitPos(CXFA_FFDocView*, int, float&) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_node.cpp:3302
    #10 0x3ce6f2b in ?? ??:0
    #11 0x3c6c34b in (anonymous namespace)::FindLayoutItemSplitPos(CXFA_ContentLayoutItem*, float, float*, bool*, bool) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:496
    #12 0x3c6c34b in ?? ??:0
    #13 0x3c85661 in FindSplitPos /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:667
    #14 0x3c85661 in InsertFlowedItem /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:2656
    #15 0x3c85661 in ?? ??:0
    #16 0x3c7fab0 in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer(bool, XFA_AttributeEnum, float, float, CXFA_LayoutContext*, bool) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:1951
    #17 0x3c7fab0 in ?? ??:0
    #18 0x3c718f1 in CXFA_ItemLayoutProcessor::DoLayout(bool, float, float, CXFA_LayoutContext*) /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_itemlayoutprocessor.cpp:2217
    #19 0x3c718f1 in ?? ??:0
    #20 0x3c8d4d6 in CXFA_LayoutProcessor::DoLayout() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/parser/cxfa_layoutprocessor.cpp:74
    #21 0x3c8d4d6 in ?? ??:0
    #22 0x38d12a1 in CXFA_FFDocView::DoLayout() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../xfa/fxfa/cxfa_ffdocview.cpp:94
    #23 0x38d12a1 in ?? ??:0
    #24 0x37bcb51 in CPDFXFA_Context::LoadXFADoc() /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdfxfa/cpdfxfa_context.cpp:118
    #25 0x37bcb51 in ?? ??:0
    #26 0x2987fcd in FPDF_LoadXFA /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../fpdfsdk/fpdf_view.cpp:259
    #27 0x2987fcd in ?? ??:0
    #28 0xbb7366 in RenderPdf /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:709
    #29 0xbb7366 in main /workarea/fuzz/victimlibs2/chromium/source/pdfium/pdfium/out/dbg/../../samples/pdfium_test.cc:911
    #30 0xbb7366 in ?? ??:0
    #31 0x7ffff6c0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #32 0x7ffff6c0e82f in ?? ??:0

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow (/workarea/fuzz/bin/pdfium_asan/pdfium_test+0x3ce839f)
Shadow bytes around the buggy address:
  0x0c3a80003970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a800039a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a800039b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a800039c0: 00 00 00 00 00 00 00 00 00 00[fc]fc fc fc fc fc
  0x0c3a800039d0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x0c3a800039e0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x0c3a800039f0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x0c3a80003a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x0c3a80003a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31009==ABORTING

 
Attachments:
findsplitpos_container_overflow.sample (74.2 KB)
findsplitpos_container_overflow.asan (8.1 KB)
Components: Internals>Plugins>PDF
Labels: Security_Impact-None OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Owner: dsinclair@chromium.org
Status: Assigned (was: Unconfirmed)
Summary: Security: CXFA_Node::FindSplitPos container overflow (was: Security: pdfium container overflow)
Another issue in XFA code, which isn't enabled for Chrome. Please assign as appropriate. Thanks!
Blocking: 62400
Labels: Security_Severity-Medium Pri-3
Status: Started (was: Assigned)

Comment 6 by bugdroid1@chromium.org, May 3 2018

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/c5c0eebe863bb4fad86b43f62fa81d89f07c9011

commit c5c0eebe863bb4fad86b43f62fa81d89f07c9011
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Thu May 03 18:20:53 2018

[xfa] Verify field count before accessing

When processing items for layout it's possible for the iBlockIndex*3
value to be larger than the field split count. If this is the case
we'll walk off the end of the split array.

This CL verifies that we have enough data before attempting to walk the
splits and returns early if we don't have enough data.

Bug: chromium:837585
Change-Id: I534298b4ee354ce079442d893202f811431155a0
Reviewed-on: https://pdfium-review.googlesource.com/32051
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/c5c0eebe863bb4fad86b43f62fa81d89f07c9011/xfa/fxfa/parser/cxfa_node.cpp
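
The commit message above names the bug class: an offset derived from iBlockIndex*3 is used to walk a split array without first checking how many entries the array holds, and the ASan report in the description classifies the resulting read as a container-overflow. The following is an added example and is not pdfium's code or the actual fix; the three-entries-per-block layout, the function names and the summed result are assumptions chosen only to make the check concrete. It places the unchecked shape beside a checked one that returns early, and it builds a std::vector whose capacity exceeds its size, which is what makes an out-of-range operator[] land inside the allocation (2048-byte region, shadow byte fc) rather than in a heap redzone.

```cpp
// Added illustration (not pdfium code) of the bug class in this report:
// a std::vector<float> split table indexed by iBlockIndex*3 without first
// checking that the table holds that many entries. Names, the three-entries-
// per-block layout and the summed result are assumptions modelled on the
// commit message.
#include <cstddef>
#include <cstdio>
#include <vector>

// Assumed layout: each layout block owns three consecutive floats in the table.
constexpr std::size_t kEntriesPerBlock = 3;

// Builds a table whose capacity exceeds its size. This is the situation behind
// the "container-overflow" verdict: an out-of-range operator[] still lands
// inside the allocated region, so a plain heap redzone would not catch it and
// only libc++'s container annotations (shadow byte fc) do. Values are
// constructed sample data.
std::vector<float> MakeSplitTable(std::size_t blocks) {
  std::vector<float> splits;
  splits.reserve(512);  // 512 * 4 bytes = 2048 bytes of capacity, as in the report
  for (std::size_t i = 0; i < blocks * kEntriesPerBlock; ++i)
    splits.push_back(static_cast<float>(i + 1));
  return splits;
}

// Pre-fix shape: no size check. If iBlockIndex*3 >= splits.size() this reads
// past the logical end of the vector. Only call it with an in-range index.
float FindSplitPosUnchecked(const std::vector<float>& splits,
                            std::size_t iBlockIndex) {
  const std::size_t base = iBlockIndex * kEntriesPerBlock;
  float pos = 0.0f;
  for (std::size_t i = 0; i < kEntriesPerBlock; ++i)
    pos += splits[base + i];  // unchecked access
  return pos;
}

// Post-fix shape: verify the table has enough entries before walking it and
// return early (false) if it does not. Dividing the size rather than
// multiplying the index keeps the comparison free of size_t wraparound for
// absurdly large block indices.
bool FindSplitPosChecked(const std::vector<float>& splits,
                         std::size_t iBlockIndex, float* pos) {
  if (iBlockIndex >= splits.size() / kEntriesPerBlock)
    return false;  // fewer than (iBlockIndex + 1) complete blocks available
  const std::size_t base = iBlockIndex * kEntriesPerBlock;
  float sum = 0.0f;
  for (std::size_t i = 0; i < kEntriesPerBlock; ++i)
    sum += splits[base + i];
  *pos = sum;
  return true;
}

int main() {
  // Two complete blocks (6 entries) in a 512-entry allocation.
  const std::vector<float> splits = MakeSplitTable(2);
  float pos = 0.0f;
  for (std::size_t block = 0; block < 4; ++block) {
    if (FindSplitPosChecked(splits, block, &pos))
      std::printf("block %zu: split pos %.1f\n", block, pos);
    else
      std::printf("block %zu: not enough split data, returning early\n", block);
  }
  // Under ASan with detect_container_overflow enabled, calling
  // FindSplitPosUnchecked(splits, 2) here would report a READ of size 4
  // inside the reserved-but-unused capacity, mirroring the report above.
  return 0;
}
```

Blocks 0 and 1 resolve normally; blocks 2 and 3 hit the early return instead of reading stale capacity. The division-based check is the detail worth copying: comparing iBlockIndex against size()/3 rejects any index for which iBlockIndex*3 would not fit, without ever computing a product that could wrap.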

Status: Fixed (was: Started)

Comment 8 by bugdroid1@chromium.org, May 4 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5cee59c3852ed3c5e078ae0c23fce23a77983bcb

commit 5cee59c3852ed3c5e078ae0c23fce23a77983bcb
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri May 04 01:01:19 2018

Roll src/third_party/pdfium/ 525147a1f..ad1788557 (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/525147a1f6d6..ad178855775d

$ git log 525147a1f..ad1788557 --date=short --no-merges --format='%ad %ae %s'
2018-05-03 rharrison Invalidate GIF input buffer when moving file cursor backwards
2018-05-03 tsepez Prove that the memory was good at FPDFBitmap_CreateEx() create time.
2018-05-03 hnakashima Use pointers instead of refs in CXFA_TextLayout params.
2018-05-03 dsinclair [xfa] Verify we can get a font manager before setting up XFA
2018-05-03 dsinclair [xfa] Verify field count before accessing

Created with:
  roll-dep src/third_party/pdfium
BUG=chromium:839348, chromium:839361, chromium:838886, chromium:835693, chromium:837585


The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


TBR=dsinclair@chromium.org

Change-Id: I06ec60f0a34b13f864be053ffe512402c4c8ad7a
Reviewed-on: https://chromium-review.googlesource.com/1043278
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#555941}
[modify] https://crrev.com/5cee59c3852ed3c5e078ae0c23fce23a77983bcb/DEPS


Comment 9 by sheriffbot@chromium.org, May 4 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by sheriffbot@chromium.org, Aug 10

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Hi christian.jalio@ - Many thanks for the report. The Chrome VRP panel decided to award $1,000 for this report. A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in Chrome release notes?
Cc: awhalley@google.com
Labels: -reward-unpaid reward-inprocess
awhalley: This is a pleasant surprise. Yes, we'd like to be credited: Antti Levomäki and Christian Jalio from Forcepoint. Thanks.
