Issue 873042

Issue metadata

Status: Duplicate
Merged: issue 867501
Owner: ----
Closed: Aug 10
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: heap-buffer-overflow in CJBig2_Image::ComposeToOpt2WithRect

Reported by zhouzhen...@gmail.com, Aug 10

Issue description

VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test.

VERSION
Chrome Version: asan-linux-stable-68.0.3440.75
Operating System: Fedora 28 x86_64

REPRODUCTION CASE
./pdfium_test /home/henices/tests_039e5acf26b45c4bddae52ab827b9e247dba6703

Rendering PDF file /home/henices/tests_039e5acf26b45c4bddae52ab827b9e247dba6703.
=================================================================
==21591==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000000ea0 at pc 0x000002b44ae5 bp 0x7ffe09bfdfe0 sp 0x7ffe09bfdfd8
READ of size 1 at 0x620000000ea0 thread T0
    #0 0x2b44ae4 in CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image*, int, int, JBig2ComposeOp, FX_RECT const&) third_party/pdfium/core/fxcodec/jbig2/JBig2_Image.cpp:940:27
    #1 0x2b1f505 in CJBig2_Context::ParseGenericRegion(CJBig2_Segment*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:1034:18
    #2 0x2b16488 in CJBig2_Context::ProcessingParseSegmentData(CJBig2_Segment*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:353:14
    #3 0x2b1401a in ParseSegmentData third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:323:11
    #4 0x2b1401a in CJBig2_Context::DecodeSequential(PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:91
    #5 0x2b1602c in CJBig2_Context::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:193:12
    #6 0x2b0b7b7 in CCodec_Jbig2Module::ContinueDecode(CCodec_Jbig2Context*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/codec/fx_codec_jbig.cpp:75:47
    #7 0x2995f5b in CPDF_DIBSource::ContinueLoadDIBSource(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:312:35
    #8 0x29a9ba7 in CPDF_ImageCacheEntry::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imagecacheentry.cpp:88:42
    #9 0x29a4a15 in CPDF_PageRenderCache::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_pagerendercache.cpp:115:37
    #10 0x29e05f5 in CPDF_ImageLoader::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imageloader.cpp:48:35
    #11 0x29df06b in CPDF_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:551:18
    #12 0x29b1b14 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1137:27
    #13 0x29aaa94 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #14 0x2685435 in FPDF_RenderPage_Continue third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:86:28
    #15 0xb228fa in RenderPage third_party/pdfium/samples/pdfium_test.cc:556:14
    #16 0xb228fa in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
    #17 0xb228fa in main third_party/pdfium/samples/pdfium_test.cc:924
    #18 0x7f999f63024a in __libc_start_main (/lib64/libc.so.6+0x2324a)

0x620000000ea0 is located 0 bytes to the right of 3616-byte region [0x620000000080,0x620000000ea0)
allocated by thread T0 here:
    #0 0xaef123 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
    #1 0x2b3d7d0 in PartitionAllocGenericFlags third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:796:18
    #2 0x2b3d7d0 in FX_SafeAlloc third_party/pdfium/core/fxcrt/fx_memory.h:46
    #3 0x2b3d7d0 in FX_AllocOrDie third_party/pdfium/core/fxcrt/fx_memory.h:67
    #4 0x2b3d7d0 in FX_AllocOrDie2D third_party/pdfium/core/fxcrt/fx_memory.h:78
    #5 0x2b3d7d0 in CJBig2_Image::CJBig2_Image(int, int) third_party/pdfium/core/fxcodec/jbig2/JBig2_Image.cpp:40
    #6 0x2b2c2a9 in MakeUnique<CJBig2_Image, unsigned int &, unsigned int &> third_party/pdfium/third_party/base/ptr_util.h:56:33
    #7 0x2b2c2a9 in CJBig2_GRDProc::StartDecodeArith(CJBig2_GRDProc::ProgressiveArithDecodeState*) third_party/pdfium/core/fxcodec/jbig2/JBig2_GrdProc.cpp:656
    #8 0x2b1f395 in CJBig2_Context::ParseGenericRegion(CJBig2_Segment*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:1021:43
    #9 0x2b16488 in CJBig2_Context::ProcessingParseSegmentData(CJBig2_Segment*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:353:14
    #10 0x2b13fbb in ParseSegmentData third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:320:22
    #11 0x2b13fbb in CJBig2_Context::DecodeSequential(PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:91
    #12 0x2b1602c in CJBig2_Context::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp:193:12
    #13 0x2b0b7b7 in CCodec_Jbig2Module::ContinueDecode(CCodec_Jbig2Context*, PauseIndicatorIface*) third_party/pdfium/core/fxcodec/codec/fx_codec_jbig.cpp:75:47
    #14 0x2995f5b in CPDF_DIBSource::ContinueLoadDIBSource(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:312:35
    #15 0x29a9ba7 in CPDF_ImageCacheEntry::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imagecacheentry.cpp:88:42
    #16 0x29a4a15 in CPDF_PageRenderCache::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_pagerendercache.cpp:115:37
    #17 0x29e05f5 in CPDF_ImageLoader::Continue(PauseIndicatorIface*, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imageloader.cpp:48:35
    #18 0x29df06b in CPDF_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:551:18
    #19 0x29b1b14 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1137:27
    #20 0x29aaa94 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #21 0x2685435 in FPDF_RenderPage_Continue third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:86:28
    #22 0xb228fa in RenderPage third_party/pdfium/samples/pdfium_test.cc:556:14
    #23 0xb228fa in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
    #24 0xb228fa in main third_party/pdfium/samples/pdfium_test.cc:924
    #25 0x7f999f63024a in __libc_start_main (/lib64/libc.so.6+0x2324a)

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/pdfium/core/fxcodec/jbig2/JBig2_Image.cpp:940:27 in CJBig2_Image::ComposeToOpt2WithRect(CJBig2_Image*, int, int, JBig2ComposeOp, FX_RECT const&)
Shadow bytes around the buggy address:
  0x0c407fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c407fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c407fff81d0: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c407fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==21591==ABORTING

Testcase is in the attachment.

Components: Internals>Plugins>PDF
Mergedinto: 867501
Status: Duplicate (was: Unconfirmed)
Good find, but someone beat you to it.
Thank you for that information.

Comment 3 by sheriffbot@chromium.org, Nov 16

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot