Security: PDFium UAF in CFX_CodecMemory::~CFX_CodecMemory
Reported by stackexp...@gmail.com, Aug 30
Issue description

VULNERABILITY DETAILS
Might be related to https://pdfium.googlesource.com/pdfium/+/7e4fff7163382cb40b761a383fad9a2e313713c7
XFA must be enabled to trigger this issue.

=================================================================
==4740==ERROR: AddressSanitizer: heap-use-after-free on address 0x0780a430 at pc 0x03348428 bp 0x0043d4a8 sp 0x0043d49c
READ of size 1 at 0x0780a430 thread T0
==4740==*** WARNING: Failed to initialize DbgHelp! ***
==4740==*** Most likely this means that the app is already ***
==4740==*** using DbgHelp, possibly with incompatible flags. ***
==4740==*** Due to technical reasons, symbolization might crash ***
==4740==*** or produce wrong results. ***
#0 0x3348427 in CFX_CodecMemory::~CFX_CodecMemory c:\pdfium\core\fxcodec\codec\cfx_codec_memory.cpp:12
#1 0x3329dd7 in CFX_BmpDecompressor::~CFX_BmpDecompressor c:\pdfium\core\fxcodec\bmp\cfx_bmpdecompressor.cpp:62
#2 0x3329bea in CFX_BmpContext::~CFX_BmpContext c:\pdfium\core\fxcodec\bmp\cfx_bmpcontext.cpp:13
#3 0x3d1e297 in CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:256
#4 0x3d3686a in CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:256
#5 0x39bb311 in XFA_LoadImageFromBuffer c:\pdfium\xfa\fxfa\cxfa_ffwidget.cpp:215
#6 0x3a851d5 in `anonymous namespace'::XFA_LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:236
#7 0x3a6ae0c in CXFA_ImageEditData::LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:533
#8 0x3a69a1e in CXFA_Node::LoadImageEditImage c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3058
#9 0x3a6909b in CXFA_Node::CalculateImageEditAutoSize c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3039
#10 0x3a6cd8b in CXFA_Node::CalculateAccWidthAndHeight c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3177
#11 0x3a6be61 in CXFA_Node::StartWidgetLayout c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3158
#12 0x39c2d31 in CXFA_FFNotify::StartFieldDrawLayout c:\pdfium\xfa\fxfa\cxfa_ffnotify.cpp:206
#13 0x3b555c6 in CXFA_ItemLayoutProcessor::DoLayoutField c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2221
#14 0x3b42961 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2266
#15 0x3b435bc in CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1176
#16 0x3b429bd in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2255
#17 0x3b5078d in CXFA_ItemLayoutProcessor::InsertFlowedItem c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2550
#18 0x3b4cf7d in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1982
#19 0x3b42a50 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2248
#20 0x3ac7185 in CXFA_LayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_layoutprocessor.cpp:74
#21 0x39b580e in CXFA_FFDocView::DoLayout c:\pdfium\xfa\fxfa\cxfa_ffdocview.cpp:94
#22 0x3990bb4 in CPDFXFA_Context::LoadXFADoc c:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:144
#23 0x2ebc62a in FPDF_LoadXFA c:\pdfium\fpdfsdk\fpdf_view.cpp:267
#24 0x130464e in main c:\pdfium\samples\pdfium_test.cc:948
#25 0x3f2eb3a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#26 0x751e343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#27 0x77299831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#28 0x77299804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)

0x0780a430 is located 0 bytes inside of 14-byte region [0x0780a430,0x0780a43e)
freed by thread T0 here:
#0 0x3f1ae88 in free c:\b\rr\tmpj1tgp5\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
#1 0x3d3471b in CCodec_ProgressiveDecoder::DetectImageType c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:1693
#2 0x3d34ac6 in CCodec_ProgressiveDecoder::LoadImageInfo c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:1761
#3 0x39bad88 in XFA_LoadImageFromBuffer c:\pdfium\xfa\fxfa\cxfa_ffwidget.cpp:162
#4 0x3a851d5 in `anonymous namespace'::XFA_LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:236
#5 0x3a6ae0c in CXFA_ImageEditData::LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:533
#6 0x3a69a1e in CXFA_Node::LoadImageEditImage c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3058
#7 0x3a6909b in CXFA_Node::CalculateImageEditAutoSize c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3039
#8 0x3a6cd8b in CXFA_Node::CalculateAccWidthAndHeight c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3177
#9 0x3a6be61 in CXFA_Node::StartWidgetLayout c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3158
#10 0x39c2d31 in CXFA_FFNotify::StartFieldDrawLayout c:\pdfium\xfa\fxfa\cxfa_ffnotify.cpp:206
#11 0x3b555c6 in CXFA_ItemLayoutProcessor::DoLayoutField c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2221
#12 0x3b42961 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2266
#13 0x3b435bc in CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1176
#14 0x3b429bd in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2255
#15 0x3b5078d in CXFA_ItemLayoutProcessor::InsertFlowedItem c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2550
#16 0x3b4cf7d in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1982
#17 0x3b42a50 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2248
#18 0x3ac7185 in CXFA_LayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_layoutprocessor.cpp:74
#19 0x39b580e in CXFA_FFDocView::DoLayout c:\pdfium\xfa\fxfa\cxfa_ffdocview.cpp:94
#20 0x3990bb4 in CPDFXFA_Context::LoadXFADoc c:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:144
#21 0x2ebc62a in FPDF_LoadXFA c:\pdfium\fpdfsdk\fpdf_view.cpp:267
#22 0x130464e in main c:\pdfium\samples\pdfium_test.cc:948
#23 0x3f2eb3a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#24 0x751e343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#25 0x77299831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#26 0x77299804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)

previously allocated by thread T0 here:
#0 0x3f1af6c in malloc c:\b\rr\tmpj1tgp5\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
#1 0x3d346d6 in CCodec_ProgressiveDecoder::DetectImageType c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:1693
#2 0x3d34ac6 in CCodec_ProgressiveDecoder::LoadImageInfo c:\pdfium\core\fxcodec\codec\ccodec_progressivedecoder.cpp:1761
#3 0x39bad88 in XFA_LoadImageFromBuffer c:\pdfium\xfa\fxfa\cxfa_ffwidget.cpp:162
#4 0x3a851d5 in `anonymous namespace'::XFA_LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:236
#5 0x3a6ae0c in CXFA_ImageEditData::LoadImageData c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:533
#6 0x3a69a1e in CXFA_Node::LoadImageEditImage c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3058
#7 0x3a6909b in CXFA_Node::CalculateImageEditAutoSize c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3039
#8 0x3a6cd8b in CXFA_Node::CalculateAccWidthAndHeight c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3177
#9 0x3a6be61 in CXFA_Node::StartWidgetLayout c:\pdfium\xfa\fxfa\parser\cxfa_node.cpp:3158
#10 0x39c2d31 in CXFA_FFNotify::StartFieldDrawLayout c:\pdfium\xfa\fxfa\cxfa_ffnotify.cpp:206
#11 0x3b555c6 in CXFA_ItemLayoutProcessor::DoLayoutField c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2221
#12 0x3b42961 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2266
#13 0x3b435bc in CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1176
#14 0x3b429bd in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2255
#15 0x3b5078d in CXFA_ItemLayoutProcessor::InsertFlowedItem c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2550
#16 0x3b4cf7d in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:1982
#17 0x3b42a50 in CXFA_ItemLayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_itemlayoutprocessor.cpp:2248
#18 0x3ac7185 in CXFA_LayoutProcessor::DoLayout c:\pdfium\xfa\fxfa\parser\cxfa_layoutprocessor.cpp:74
#19 0x39b580e in CXFA_FFDocView::DoLayout c:\pdfium\xfa\fxfa\cxfa_ffdocview.cpp:94
#20 0x3990bb4 in CPDFXFA_Context::LoadXFADoc c:\pdfium\fpdfsdk\fpdfxfa\cpdfxfa_context.cpp:144
#21 0x2ebc62a in FPDF_LoadXFA c:\pdfium\fpdfsdk\fpdf_view.cpp:267
#22 0x130464e in main c:\pdfium\samples\pdfium_test.cc:948
#23 0x3f2eb3a in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#24 0x751e343c in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd7343c)
#25 0x77299831 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9831)
#26 0x77299804 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9804)

SUMMARY: AddressSanitizer: heap-use-after-free c:\pdfium\core\fxcodec\codec\cfx_codec_memory.cpp:12 in CFX_CodecMemory::~CFX_CodecMemory
Shadow bytes around the buggy address:
==4740==ABORTING

VERSION
Chrome Version: [x.x.x.x] + [stable, beta, or dev]
Operating System: [Please indicate OS, version, and service pack level]

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace *with symbols*, registers, exception record]
Client ID (if relevant): [see link above]
Aug 30
Top frame is actually:
READ of size 1 at 0x6020000503b0 thread T0
#0 0x2ab0aed in ProbeForLowSeverityLifetimeIssue ./../../core/fxcrt/unowned_ptr.h:110:7
#1 0x2ab0aed in ~UnownedPtr ./../../core/fxcrt/unowned_ptr.h:60:0
#2 0x2ab0aed in ~span ./../../third_party/base/span.h:220:0
#3 0x2ab0aed in ~CFX_CodecMemory ./../../core/fxcodec/codec/cfx_codec_memory.cpp:12:0
Aug 30
And yes, the CL in the original description made the pre-existing dangling reference detectable.
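As an added illustration of the comment above (not code from this report or from PDFium), this models why a probe in the UnownedPtr destructor turns a pre-existing dangling reference into a detectable use-after-free. CodecMemory, TrackedAlloc, TrackedFree and LifetimeIssues are constructed for the example, and a tracked heap stands in for ASan so it runs without a sanitizer.

```cpp
// Added example, not PDFium code: models the destructor-time probe that made
// this report's dangling reference detectable. PDFium's UnownedPtr reads a
// byte through its pointer on destruction so ASan reports the freeing site.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <set>

namespace {
std::set<const void*> g_freed;  // addresses freed and not yet reallocated
int g_lifetime_issues = 0;      // probes that found their target freed
uint8_t* TrackedAlloc(size_t n) {
  uint8_t* p = static_cast<uint8_t*>(std::malloc(n));
  g_freed.erase(p);  // live again if the heap reused the address
  return p;
}
void TrackedFree(uint8_t* p) { g_freed.insert(p); std::free(p); }
}  // namespace

// Minimal UnownedPtr: holds a pointer it does not own and probes on destruction.
template <typename T>
class UnownedPtr {
 public:
  explicit UnownedPtr(T* p) : ptr_(p) {}
  ~UnownedPtr() { ProbeForLowSeverityLifetimeIssue(); }
  T* get() const { return ptr_; }
 private:
  // The real probe dereferences ptr_ (ASan aborts); the model asks the tracker.
  void ProbeForLowSeverityLifetimeIssue() const {
    if (ptr_ && g_freed.count(ptr_)) ++g_lifetime_issues;
  }
  T* ptr_;
};

// Stand-in for CFX_CodecMemory: a view over a buffer the decoder owns.
struct CodecMemory { UnownedPtr<uint8_t> data; size_t size; };

// owner_frees_first = true reproduces the report's order: DetectImageType frees
// the buffer while a CodecMemory still views it, and the view dies afterwards.
// false is the correct order: the view is gone before the owner releases it.
int LifetimeIssues(bool owner_frees_first) {
  g_lifetime_issues = 0;
  uint8_t* buf = TrackedAlloc(14);  // the 14-byte region in the ASan report
  {
    CodecMemory mem{UnownedPtr<uint8_t>(buf), 14};
    if (owner_frees_first) TrackedFree(buf);  // mem.data now dangles
  }  // ~UnownedPtr probes here: counts the dangling case, silent otherwise
  if (!owner_frees_first) TrackedFree(buf);
  return g_lifetime_issues;
}
```

Without the probe, the first ordering destroys the view silently and the dangling reference only surfaces when some later code happens to read through it.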
Aug 30
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/06a09776c361091177a3309509896f0af90c94bf

commit 06a09776c361091177a3309509896f0af90c94bf
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Thu Aug 30 20:20:56 2018

Roll src/third_party/pdfium e70aff80976e..678f5418d36f (1 commits)

https://pdfium.googlesource.com/pdfium.git/+log/e70aff80976e..678f5418d36f

git log e70aff80976e..678f5418d36f --date=short --no-merges --format='%ad %ae %s'
2018-08-30 tsepez@chromium.org Fix lifetime issue in CCodec_ProgressiveDecoder.

Created with:
gclient setdep -r src/third_party/pdfium@678f5418d36f

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:879025
TBR=dsinclair@chromium.org

Change-Id: Ib8c406eeae805bdb9a4e27c0fbe551a3a2368759
Reviewed-on: https://chromium-review.googlesource.com/1197287
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#587734}

[modify] https://crrev.com/06a09776c361091177a3309509896f0af90c94bf/DEPS
Sep 12
Hi stackexploit@ - I've added the label to those bugs now (sorry for not spotting it earlier; if you want to get my attention in a bug, please CC me so I get an email :-) For this bug, having verified it's failing the check in ProbeForLowSeverityLifetimeIssue, the VRP panel declined to reward, I'm afraid.
Dec 7
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Aug 30. Owner: tsepez@chromium.org