Issue 864678

Issue metadata

Status: Duplicate
Merged: issue 851994
Owner:
Closed: Jul 18
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security


pdfium: member call on null pointer of type 'CPDF_Object'

Reported by pdk...@gmail.com, Jul 17

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce the problem:
This appears to be a harmless nullptr access, but note that ASAN doesn't catch this and just crashes.

UBSAN report.

fpdfapi/parser/cpdf_array.cpp:105:24: runtime error: member call on null pointer of type 'CPDF_Object'
    #0 0xf90786 in CPDF_Array::GetDirectObjectAt(unsigned long) fpdfapi/parser/cpdf_array.cpp:105:24
    #1 0xfeb3e8 in CPDF_Array::GetDictAt(unsigned long) fpdfapi/parser/cpdf_array.cpp:139:20
    #2 0x106e4e1 in CPDF_Document::TraversePDFPages(int, int*, unsigned long) fpdfapi/parser/cpdf_document.cpp:282:39
    #3 0x106eb0d in CPDF_Document::TraversePDFPages(int, int*, unsigned long) fpdfapi/parser/cpdf_document.cpp:305:34
    #4 0x105c07a in CPDF_Document::GetPageDictionary(int) fpdfapi/parser/cpdf_document.cpp:367:28

Chromium report.

Received signal 11 SEGV_MAPERR 000000000000
#0 0x7f4f98d6d25c base::debug::StackTrace::StackTrace()
#1 0x7f4f98d6cdc1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f4f941ec330 <unknown>
#3 0x7f4f9cc6682e CPDF_Array::GetDictAt()
#4 0x7f4f9cc723d0 CPDF_Document::TraversePDFPages()
#5 0x7f4f9cc726e3 CPDF_Document::GetPageDictionary()

What is the expected behavior?

What went wrong?
^

Did this work before? No

Chrome version: 66.0.3359.139  Channel: n/a
OS Version: Ubuntu
Flash Version:
Attachment: chromium-864678.pdf (113 bytes)
Owner: tsepez@chromium.org
Status: Started (was: Unconfirmed)
Debug build trips an assert:

../../core/fpdfapi/parser/cpdf_object.cpp:178: virtual std::unique_ptr<CPDF_Object> CPDF_Object::MakeReference(CPDF_IndirectObjectHolder *) const: Assertion `false' failed.
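An added illustration, not pdfium's code and not from any commenter here: a stripped-down model of an object array whose slots may be empty, showing the unchecked virtual call that UBSan reports as "member call on null pointer" next to an accessor that treats an empty slot like an out-of-range index, with the caller (the `GetDictAt` step in the trace) tolerating the null result. The `Object`, `Dictionary`, `Number` and `ObjectArray` names, and the sample array contents, are assumptions standing in for the CPDF_* classes in the report.

```cpp
// Added example (not pdfium's code): a model of the null-slot pattern in the
// UBSan trace above. Names and fixture data are constructed for illustration.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical object hierarchy standing in for CPDF_Object and subclasses.
struct Object {
  virtual ~Object() = default;
  // Resolves indirect references; a plain object resolves to itself.
  virtual Object* GetDirect() { return this; }
  virtual bool IsDictionary() const { return false; }
};

struct Dictionary : Object {
  bool IsDictionary() const override { return true; }
};

struct Number : Object {
  explicit Number(int v) : value(v) {}
  int value;
};

class ObjectArray {
 public:
  void Append(std::unique_ptr<Object> obj) { slots_.push_back(std::move(obj)); }
  size_t size() const { return slots_.size(); }

  // Unsafe form: the index is bounds-checked, but an empty slot holds a null
  // pointer and the virtual call GetDirect() is made through it. UBSan flags
  // this as "member call on null pointer"; without UBSan the vtable load
  // through address 0 is a plain SIGSEGV.
  Object* GetDirectObjectAtUnchecked(size_t i) const {
    if (i >= slots_.size())
      return nullptr;
    return slots_[i]->GetDirect();
  }

  // Hardened form: an empty slot is reported like an out-of-range index.
  Object* GetDirectObjectAt(size_t i) const {
    if (i >= slots_.size())
      return nullptr;
    Object* obj = slots_[i].get();
    return obj ? obj->GetDirect() : nullptr;
  }

  // The caller one frame up must also accept a null result.
  Dictionary* GetDictAt(size_t i) const {
    Object* obj = GetDirectObjectAt(i);
    if (!obj || !obj->IsDictionary())
      return nullptr;
    return static_cast<Dictionary*>(obj);
  }

 private:
  std::vector<std::unique_ptr<Object>> slots_;
};

// Constructed fixture: a dictionary, an empty slot, then a number.
inline ObjectArray MakeSampleArray() {
  ObjectArray arr;
  arr.Append(std::make_unique<Dictionary>());
  arr.Append(nullptr);  // the empty slot that triggers the null member call
  arr.Append(std::make_unique<Number>(7));
  return arr;
}

// Shared read-only instance of the fixture for lookups.
inline const ObjectArray& SampleArray() {
  static const ObjectArray arr = MakeSampleArray();
  return arr;
}
```

Compiling with `-fsanitize=undefined` and calling `GetDirectObjectAtUnchecked(1)` on the sample array produces the same class of diagnostic as the report (member call on null pointer of type 'Object'); without UBSan the virtual call dereferences a null `this` to load the vtable and the process dies with a SEGV at address 0, which matches the Chromium trace rather than an ASan heap report. The checked `GetDirectObjectAt` returns nullptr for that slot and `GetDictAt` propagates it instead of crashing.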

Project Member

Comment 4 by ClusterFuzz, Jul 18

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6285028192157696.
Mergedinto: 851994
Status: Duplicate (was: Started)
Indeed duplicate.
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 25

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot