Issue metadata

Status: Verified
Owner:
Closed: Sep 21
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security

Issue 880675: Security: heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline8Bit

Reported by zhouzhen...@gmail.com, Sep 5

Issue description

VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test.

VERSION
Chrome Version: asan-linux-beta-69.0.3497.23
Operating System: Fedora 28 x86_64

REPRODUCTION CASE
./pdfium_test tests_f0608b73459fbaa615f295ee9973f3af4e7821c5

Rendering PDF file tests_f0608b73459fbaa615f295ee9973f3af4e7821c5.
=================================================================
==26422==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f24ede1e72a at pc 0x000002bdad75 bp 0x7ffcbae26ee0 sp 0x7ffcbae26ed8
READ of size 1 at 0x7f24ede1e72a thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x2bdad74 in CPDF_DIBSource::DownSampleScanline8Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, bool, int, int) const third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1235:21
    #1 0x2bd9ec9 in CPDF_DIBSource::DownSampleScanline(int, unsigned char*, int, int, bool, int, int) const third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1116:5
    #2 0x2efa5b9 in CFX_ImageStretcher::ContinueQuickStretch(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagestretcher.cpp:208:16
    #3 0x2efc440 in CFX_ImageTransformer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:285:20
    #4 0x2ef3d98 in CFX_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagerenderer.cpp:95:23
    #5 0x2c1b72c in CPDF_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:546:48
    #6 0x2bee411 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1121:27
    #7 0x2be7394 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #8 0x28a8e15 in FPDF_RenderPage_Continue third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:86:28
    #9 0xb8008a in RenderPage third_party/pdfium/samples/pdfium_test.cc:556:14
    #10 0xb8008a in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
    #11 0xb8008a in main third_party/pdfium/samples/pdfium_test.cc:924
    #12 0x7f24f593c11a in __libc_start_main (/lib64/libc.so.6+0x2311a)
    #13 0xaa4029 in _start (/home/henices/research/asan-linux-beta-69.0.3497.23/pdfium_test+0xaa4029)

0x7f24ede1e72a is located 2 bytes to the right of 14417704-byte region [0x7f24ed05e800,0x7f24ede1e728)
allocated by thread T0 here:
    #0 0xb4bd53 in __interceptor_malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x2ed4578 in PartitionAllocGenericFlags third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:796:18
    #2 0x2ed4578 in FX_SafeAlloc third_party/pdfium/core/fxcrt/fx_memory.h:46
    #3 0x2ed4578 in CFX_DIBitmap::Create(int, int, FXDIB_Format, unsigned char*, unsigned int) third_party/pdfium/core/fxge/dib/cfx_dibitmap.cpp:57
    #4 0x2bcec96 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:464:27
    #5 0x2bd1842 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, bool, CPDF_Dictionary const*, CPDF_Dictionary*, bool, unsigned int, bool) third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:263:31
    #6 0x2be513a in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary const*, CPDF_Dictionary*, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imagecacheentry.cpp:72:42
    #7 0x2be0dc5 in CPDF_PageRenderCache::StartGetCachedBitmap(fxcrt::RetainPtr<CPDF_Image> const&, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_pagerendercache.cpp:97:58
    #8 0x2c1bfeb in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imageloader.cpp:34:19
    #9 0x2c12d3e in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:62:16
    #10 0x2c19b8e in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_ImageObject*, CFX_Matrix const*, bool, int) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:186:7
    #11 0x2bee382 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1146:26
    #12 0x2be7394 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
    #13 0x28ab692 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IPDFSDK_PauseAdapter*) third_party/pdfium/fpdfsdk/fpdf_view.cpp:131:26
    #14 0x28ab03d in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, fpdf_page_t__*, int, int, int, int, int, int, bool, IPDFSDK_PauseAdapter*) third_party/pdfium/fpdfsdk/fpdf_view.cpp:915:3
    #15 0x28a8aaa in FPDF_RenderPageBitmap_Start third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
    #16 0xb8006a in RenderPage third_party/pdfium/samples/pdfium_test.cc:553:16
    #17 0xb8006a in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
    #18 0xb8006a in main third_party/pdfium/samples/pdfium_test.cc:924
    #19 0x7f24f593c11a in __libc_start_main (/lib64/libc.so.6+0x2311a)

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1235:21 in CPDF_DIBSource::DownSampleScanline8Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, bool, int, int) const
==26422==ABORTING

The testcase is the attachment.

Comment 1 by tsepez@chromium.org, Sep 5

Cc: thestig@chromium.org
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Security_Impact-Stable M-70
Repro'd on ToT.

Comment 2 by tsepez@chromium.org, Sep 5

Status: Available (was: Unconfirmed)

Comment 3 by sheriffbot@chromium.org, Sep 6

Project Member
Labels: Pri-1

Comment 4 by ClusterFuzz, Sep 11

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6321157396234240.

Comment 5 by ClusterFuzz, Sep 12

Project Member
Labels: Test-Predator-Auto-Owner
Owner: rharrison@chromium.org
Status: Assigned (was: Available)
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/cb391259aefd52f09352d35a1bb5b56c0db6db11 (Use checked large integer in ContinueQuickStretch).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 6 by ClusterFuzz, Sep 12

Project Member
Detailed report: https://clusterfuzz.com/testcase?key=6321157396234240

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f93e5efc728
Crash State:
  CPDF_DIBBase::DownSampleScanline8Bit
  CPDF_DIBBase::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=556570:556575

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321157396234240

See https://github.com/google/clusterfuzz-tools for more information.

Comment 7 by thestig@chromium.org, Sep 12

Cc: rharrison@chromium.org
Owner: thestig@chromium.org
https://pdfium.googlesource.com/pdfium/+/cb391259aefd52f09352d35a1bb5b56c0db6db11 "regressed" this by fixing the crazy math in ContinueQuickStretch(). Now it calculates the line number correctly, tries to go towards the last line, and goes out of bounds.

Comment 8 by thestig@chromium.org, Sep 12

I think what is causing the confusion is: /BitsPerComponent 8 vs. /ColorSpace /DeviceGray

Comment 9 by thestig@chromium.org, Sep 18

Actually, that's not it. The real problem is the back filter pipeline. e.g. /Filter [/JBIG2Decode /DCTDecode] is the Unix equivalent of:

cat data | jbig2_decode | dct_decode, which makes no sense. Whereas:

cat data | gunzip | dct_decode

is a valid pipeline.

Comment 10 by thestig@chromium.org, Sep 18

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Started (was: Assigned)
https://pdfium-review.googlesource.com/c/pdfium/+/42711

Comment 11 by bugdroid1@chromium.org, Sep 19

Project Member
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400

commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Sep 19 17:26:34 2018

Validate decoder pipelines.

PDF decoders, AKA filters, can be chained together. There can be
an arbitrary number of decoding / decompressing filters in the pipeline,
but there should be at most 1 image decoder, and the image decoder
should only be at the end of the chain.

BUG= chromium:880675 

Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
Reviewed-on: https://pdfium-review.googlesource.com/42711
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode.h
[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode.cpp
[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
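The pipeline rule from Comment 9 and the commit message above, as an added illustration that is not pdfium's own ValidateDecoderPipeline code: a small constructed tokenizer pulls the /Filter names out of a stream dictionary fragment, and the check rejects any chain where an image decoder (the names are the PDF spec's standard image filters plus their inline-image abbreviations, an assumption of this example) is followed by another filter, so `[/JBIG2Decode /DCTDecode]` fails while `[/FlateDecode /DCTDecode]` passes.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Image decoders as named by the PDF spec (plus inline-image abbreviations).
static bool IsImageDecoder(const std::string& name) {
  static const char* const kImageDecoders[] = {
      "DCTDecode", "DCT", "JPXDecode", "JBIG2Decode", "CCITTFaxDecode", "CCF"};
  for (const char* d : kImageDecoders)
    if (name == d) return true;
  return false;
}

// Reads one PDF name token (without its leading '/') starting at *pos.
static std::string ReadName(const std::string& s, size_t* pos) {
  std::string name;
  if (*pos < s.size() && s[*pos] == '/') ++*pos;
  while (*pos < s.size() && !std::isspace(static_cast<unsigned char>(s[*pos])) &&
         s[*pos] != ']' && s[*pos] != '/' && s[*pos] != '>')
    name += s[(*pos)++];
  return name;
}

// Extracts the /Filter names from a stream dictionary fragment, e.g.
// "<< /Filter [/FlateDecode /DCTDecode] >>" or "<< /Filter /DCTDecode >>".
// Constructed minimal tokenizer for this one entry, not a PDF object parser.
std::vector<std::string> ParseFilters(const std::string& dict) {
  std::vector<std::string> filters;
  size_t pos = dict.find("/Filter");
  if (pos == std::string::npos)
    return filters;  // no /Filter entry: an empty (valid) pipeline
  pos += 7;  // strlen("/Filter")
  while (pos < dict.size() && std::isspace(static_cast<unsigned char>(dict[pos])))
    ++pos;
  if (pos < dict.size() && dict[pos] == '[') {  // array form
    ++pos;
    while (pos < dict.size() && dict[pos] != ']') {
      if (dict[pos] == '/')
        filters.push_back(ReadName(dict, &pos));
      else
        ++pos;
    }
  } else if (pos < dict.size() && dict[pos] == '/') {  // single name form
    filters.push_back(ReadName(dict, &pos));
  }
  return filters;
}

// The rule from the fix: any number of decompression / decoding filters,
// then at most one image decoder, and only as the last stage of the chain.
bool ValidateDecoderPipeline(const std::vector<std::string>& filters) {
  for (size_t i = 0; i < filters.size(); ++i) {
    if (IsImageDecoder(filters[i]) && i + 1 != filters.size())
      return false;  // an image decoder's output fed into another filter
  }
  return true;
}
```

A second image decoder after the first is caught by the same rule, since the first one is then no longer the last stage.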

Comment 12 by bugdroid1@chromium.org, Sep 19

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9f2aff260dd058c67ea3f974df1a8c3179997bed

commit 9f2aff260dd058c67ea3f974df1a8c3179997bed
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Wed Sep 19 18:52:29 2018

Roll src/third_party/pdfium c3099d1c6942..174de19776de (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/c3099d1c6942..174de19776de


git log c3099d1c6942..174de19776de --date=short --no-merges --format='%ad %ae %s'
2018-09-19 thestig@chromium.org Encapsulate CPDF_ImageLoader.
2018-09-19 thestig@chromium.org Validate decoder pipelines.


Created with:
  gclient setdep -r src/third_party/pdfium@174de19776de

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:880675 
TBR=dsinclair@chromium.org

Change-Id: I1af59ee6d0a3d3c21cce116d96083947b365ee31
Reviewed-on: https://chromium-review.googlesource.com/1234295
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#592495}
[modify] https://crrev.com/9f2aff260dd058c67ea3f974df1a8c3179997bed/DEPS

Comment 13 by ClusterFuzz, Sep 21

Project Member
ClusterFuzz has detected this issue as fixed in range 592493:592498.

Detailed report: https://clusterfuzz.com/testcase?key=6321157396234240

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f93e5efc728
Crash State:
  CPDF_DIBBase::DownSampleScanline8Bit
  CPDF_DIBBase::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=556570:556575
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=592493:592498

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321157396234240

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 14 by ClusterFuzz, Sep 21

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6321157396234240 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 15 by sheriffbot@chromium.org, Sep 21

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by thestig@chromium.org, Sep 21

Cc: awhalley@chromium.org
Labels: Merge-Request-70

Comment 17 by sheriffbot@chromium.org, Sep 21

Project Member
Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by abdulsyed@chromium.org, Sep 21

Labels: -Merge-Review-70 Merge-Approved-70

Comment 19 by bugdroid1@chromium.org, Sep 21

Project Member
Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/0004bd334b0c485b2e4ece0bfae8812c7f107a0d

commit 0004bd334b0c485b2e4ece0bfae8812c7f107a0d
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Sep 21 21:29:38 2018

M70: Validate decoder pipelines.

PDF decoders, AKA filters, can be chained together. There can be
an arbitrary number of decoding / decompressing filters in the pipeline,
but there should be at most 1 image decoder, and the image decoder
should only be at the end of the chain.

BUG= chromium:880675 
TBR=tsepez@chromium.org

Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
Reviewed-on: https://pdfium-review.googlesource.com/42711
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400)
Reviewed-on: https://pdfium-review.googlesource.com/42970
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode.h
[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode.cpp
[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp

Comment 20 by awhalley@chromium.org, Sep 24

Labels: reward-topanel

Comment 21 by awhalley@chromium.org, Sep 27

Labels: -reward-topanel reward-unpaid reward-1000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 22 by awhalley@google.com, Sep 28

Thanks zhouzhenster@! The VRP panel decided to award $1,000 for this report. (And just a reminder about http://g.co/ChromeBugRewards#fuzzerprogram if you've got a fuzzer that we could run on your behalf!)

Comment 23 by awhalley@chromium.org, Sep 28

Labels: -reward-unpaid reward-inprocess

Comment 24 by awhalley@google.com, Oct 15

Labels: Release-0-M70

Comment 25 by awhalley@chromium.org, Oct 16

Labels: CVE-2018-17469 CVE_description-missing

Comment 26 by awhalley@chromium.org, Nov 12

Labels: -CVE_description-missing CVE_description-submitted

Comment 27 by sheriffbot@chromium.org, Dec 28

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
