Security: heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline8Bit
Reported by zhouzhen...@gmail.com, Sep 5
Issue description
VULNERABILITY DETAILS
This issue was found by fuzzing against a 64-bit asan linux build of pdfium_test.
VERSION
Chrome Version: asan-linux-beta-69.0.3497.23
Operating System: Fedora 28 x86_64
REPRODUCTION CASE
./pdfium_test tests_f0608b73459fbaa615f295ee9973f3af4e7821c5
Rendering PDF file tests_f0608b73459fbaa615f295ee9973f3af4e7821c5.
=================================================================
==26422==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f24ede1e72a at pc 0x000002bdad75 bp 0x7ffcbae26ee0 sp 0x7ffcbae26ed8
READ of size 1 at 0x7f24ede1e72a thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x2bdad74 in CPDF_DIBSource::DownSampleScanline8Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, bool, int, int) const third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1235:21
#1 0x2bd9ec9 in CPDF_DIBSource::DownSampleScanline(int, unsigned char*, int, int, bool, int, int) const third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1116:5
#2 0x2efa5b9 in CFX_ImageStretcher::ContinueQuickStretch(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagestretcher.cpp:208:16
#3 0x2efc440 in CFX_ImageTransformer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagetransformer.cpp:285:20
#4 0x2ef3d98 in CFX_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fxge/dib/cfx_imagerenderer.cpp:95:23
#5 0x2c1b72c in CPDF_ImageRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:546:48
#6 0x2bee411 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1121:27
#7 0x2be7394 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
#8 0x28a8e15 in FPDF_RenderPage_Continue third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:86:28
#9 0xb8008a in RenderPage third_party/pdfium/samples/pdfium_test.cc:556:14
#10 0xb8008a in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
#11 0xb8008a in main third_party/pdfium/samples/pdfium_test.cc:924
#12 0x7f24f593c11a in __libc_start_main (/lib64/libc.so.6+0x2311a)
#13 0xaa4029 in _start (/home/henices/research/asan-linux-beta-69.0.3497.23/pdfium_test+0xaa4029)
0x7f24ede1e72a is located 2 bytes to the right of 14417704-byte region [0x7f24ed05e800,0x7f24ede1e728)
allocated by thread T0 here:
#0 0xb4bd53 in __interceptor_malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x2ed4578 in PartitionAllocGenericFlags third_party/pdfium/third_party/base/allocator/partition_allocator/partition_alloc.h:796:18
#2 0x2ed4578 in FX_SafeAlloc third_party/pdfium/core/fxcrt/fx_memory.h:46
#3 0x2ed4578 in CFX_DIBitmap::Create(int, int, FXDIB_Format, unsigned char*, unsigned int) third_party/pdfium/core/fxge/dib/cfx_dibitmap.cpp:57
#4 0x2bcec96 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:464:27
#5 0x2bd1842 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, bool, CPDF_Dictionary const*, CPDF_Dictionary*, bool, unsigned int, bool) third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:263:31
#6 0x2be513a in CPDF_ImageCacheEntry::StartGetCachedBitmap(CPDF_Dictionary const*, CPDF_Dictionary*, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imagecacheentry.cpp:72:42
#7 0x2be0dc5 in CPDF_PageRenderCache::StartGetCachedBitmap(fxcrt::RetainPtr<CPDF_Image> const&, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_pagerendercache.cpp:97:58
#8 0x2c1bfeb in CPDF_ImageLoader::Start(CPDF_ImageObject const*, CPDF_PageRenderCache*, bool, unsigned int, bool, CPDF_RenderStatus*) third_party/pdfium/core/fpdfapi/render/cpdf_imageloader.cpp:34:19
#9 0x2c12d3e in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:62:16
#10 0x2c19b8e in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_ImageObject*, CFX_Matrix const*, bool, int) third_party/pdfium/core/fpdfapi/render/cpdf_imagerenderer.cpp:186:7
#11 0x2bee382 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject*, CFX_Matrix const*, PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_renderstatus.cpp:1146:26
#12 0x2be7394 in CPDF_ProgressiveRenderer::Continue(PauseIndicatorIface*) third_party/pdfium/core/fpdfapi/render/cpdf_progressiverenderer.cpp:93:30
#13 0x28ab692 in (anonymous namespace)::RenderPageImpl(CPDF_PageRenderContext*, CPDF_Page*, CFX_Matrix const&, FX_RECT const&, int, bool, IPDFSDK_PauseAdapter*) third_party/pdfium/fpdfsdk/fpdf_view.cpp:131:26
#14 0x28ab03d in FPDF_RenderPage_Retail(CPDF_PageRenderContext*, fpdf_page_t__*, int, int, int, int, int, int, bool, IPDFSDK_PauseAdapter*) third_party/pdfium/fpdfsdk/fpdf_view.cpp:915:3
#15 0x28a8aaa in FPDF_RenderPageBitmap_Start third_party/pdfium/fpdfsdk/fpdf_progressive.cpp:60:3
#16 0xb8006a in RenderPage third_party/pdfium/samples/pdfium_test.cc:553:16
#17 0xb8006a in RenderPdf third_party/pdfium/samples/pdfium_test.cc:757
#18 0xb8006a in main third_party/pdfium/samples/pdfium_test.cc:924
#19 0x7f24f593c11a in __libc_start_main (/lib64/libc.so.6+0x2311a)
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/pdfium/core/fpdfapi/render/cpdf_dibsource.cpp:1235:21 in CPDF_DIBSource::DownSampleScanline8Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, bool, int, int) const
Shadow bytes around the buggy address:
0x0fe51dbbbc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe51dbbbca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe51dbbbcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe51dbbbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe51dbbbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe51dbbbce0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
0x0fe51dbbbcf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe51dbbbd00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe51dbbbd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe51dbbbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe51dbbbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==26422==ABORTING
Testcase is the attachment.
Sep 11
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6321157396234240.
Sep 12
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/cb391259aefd52f09352d35a1bb5b56c0db6db11 (Use checked large integer in ContinueQuickStretch). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Sep 12
Detailed report: https://clusterfuzz.com/testcase?key=6321157396234240
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f93e5efc728
Crash State:
  CPDF_DIBBase::DownSampleScanline8Bit
  CPDF_DIBBase::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=556570:556575
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321157396234240
See https://github.com/google/clusterfuzz-tools for more information.
Sep 12
https://pdfium.googlesource.com/pdfium/+/cb391259aefd52f09352d35a1bb5b56c0db6db11 "regressed" this by fixing the crazy math in ContinueQuickStretch(). Now it calculates the line number correctly, tries to go towards the last line, and goes out of bound.
Sep 12
I think what is causing the confusion is: /BitsPerComponent 8 vs. /ColorSpace /DeviceGray
Sep 18
Actually, that's not it. The real problem is the back filter pipeline. e.g. /Filter [/JBIG2Decode /DCTDecode] is the Unix equivalent of: cat data | jbig2_decode | dct_decode, which makes no sense. Whereas: cat data | gunzip | dct_decode is a valid pipeline.
Sep 18
https://pdfium-review.googlesource.com/c/pdfium/+/42711
Sep 19
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400

commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Sep 19 17:26:34 2018

Validate decoder pipelines.

PDF decoders, AKA filters, can be chained together. There can be an arbitrary number of decoding / decompressing filters in the pipeline, but there should be at most 1 image decoder, and the image decoder should only be at the end of the chain.

BUG= chromium:880675
Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
Reviewed-on: https://pdfium-review.googlesource.com/42711
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode.h
[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode.cpp
[modify] https://crrev.com/5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
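The rule stated in the commit message above (any number of byte-to-byte filters, at most one image decoder, and that decoder only at the end of the /Filter chain) is the check that turns the comment-9 pipeline `/Filter [/JBIG2Decode /DCTDecode]` into a hard rejection before any image code runs. The C++ below is an added example written for this page, not pdfium's implementation from the linked change: the filter-name tables are the standard PDF filter names plus their inline-image abbreviations, and the function names `IsImageDecoder`, `IsStreamFilter`, `ValidateDecoderPipeline` and `ParseFilterValue` are this example's own. `ParseFilterValue` is a deliberately minimal reader for a single name or an array of names, not a general PDF tokenizer.

```cpp
#include <cctype>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Added example, not pdfium's code. Image decoders turn bytes into pixels,
// so nothing can sensibly consume their output as a further byte stream:
// they may appear at most once and only as the last filter.
static bool IsImageDecoder(const std::string& name) {
  static const std::set<std::string> kImageDecoders = {
      "DCTDecode", "DCT", "JPXDecode", "JBIG2Decode", "CCITTFaxDecode", "CCF"};
  return kImageDecoders.count(name) != 0;
}

// Byte-to-byte filters (decompression, ASCII encodings, crypt) can be
// chained in any number and any order.
static bool IsStreamFilter(const std::string& name) {
  static const std::set<std::string> kStreamFilters = {
      "FlateDecode", "Fl", "LZWDecode", "LZW", "ASCII85Decode", "A85",
      "ASCIIHexDecode", "AHx", "RunLengthDecode", "RL", "Crypt"};
  return kStreamFilters.count(name) != 0;
}

// Returns true only if every name is a known filter, at most one image
// decoder appears, and that image decoder is the last element of the chain.
// An empty chain (no /Filter) is valid: the stream is used raw.
bool ValidateDecoderPipeline(const std::vector<std::string>& filters) {
  for (size_t i = 0; i < filters.size(); ++i) {
    const std::string& name = filters[i];
    if (IsStreamFilter(name))
      continue;
    if (!IsImageDecoder(name))
      return false;  // unknown or empty filter name: reject, do not guess
    if (i + 1 != filters.size())
      return false;  // image decoder followed by more filters
  }
  return true;
}

// Simplified parser for the value of a /Filter entry: a single name
// ("/FlateDecode") or an array of names ("[/FlateDecode /DCTDecode]").
// Not a general PDF tokenizer (no #xx escapes, comments or indirect
// references); just enough to feed the validator.
std::vector<std::string> ParseFilterValue(const std::string& value) {
  std::vector<std::string> names;
  size_t i = 0;
  while (i < value.size()) {
    if (value[i] != '/') {
      ++i;
      continue;
    }
    size_t start = ++i;
    while (i < value.size() && value[i] != '/' && value[i] != ']' &&
           !std::isspace(static_cast<unsigned char>(value[i]))) {
      ++i;
    }
    names.push_back(value.substr(start, i - start));
  }
  return names;
}

int main() {
  // Constructed /Filter values: the nonsensical chain from the discussion,
  // a legitimate decompress-then-decode chain, the same chain reversed,
  // and a plain single filter.
  const char* samples[] = {"[/JBIG2Decode /DCTDecode]",
                           "[/FlateDecode /DCTDecode]",
                           "[/DCTDecode /FlateDecode]", "/FlateDecode"};
  for (const char* s : samples) {
    bool ok = ValidateDecoderPipeline(ParseFilterValue(s));
    std::printf("%-28s %s\n", s, ok ? "accepted" : "rejected");
  }
  return 0;
}
```

Rejecting unknown names, rather than skipping them, is the conservative choice: a name the validator does not recognise is exactly the case in which it cannot know whether an image decoder is hiding in the middle of the chain.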
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9f2aff260dd058c67ea3f974df1a8c3179997bed

commit 9f2aff260dd058c67ea3f974df1a8c3179997bed
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Wed Sep 19 18:52:29 2018

Roll src/third_party/pdfium c3099d1c6942..174de19776de (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/c3099d1c6942..174de19776de

git log c3099d1c6942..174de19776de --date=short --no-merges --format='%ad %ae %s'
2018-09-19 thestig@chromium.org Encapsulate CPDF_ImageLoader.
2018-09-19 thestig@chromium.org Validate decoder pipelines.

Created with:
  gclient setdep -r src/third_party/pdfium@174de19776de

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:880675
TBR=dsinclair@chromium.org
Change-Id: I1af59ee6d0a3d3c21cce116d96083947b365ee31
Reviewed-on: https://chromium-review.googlesource.com/1234295
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#592495}

[modify] https://crrev.com/9f2aff260dd058c67ea3f974df1a8c3179997bed/DEPS
Sep 21
ClusterFuzz has detected this issue as fixed in range 592493:592498.

Detailed report: https://clusterfuzz.com/testcase?key=6321157396234240
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x7f93e5efc728
Crash State:
  CPDF_DIBBase::DownSampleScanline8Bit
  CPDF_DIBBase::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=556570:556575
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=592493:592498
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6321157396234240
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 21
ClusterFuzz testcase 6321157396234240 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 21
This bug requires manual review: DEPS changes referenced in bugdroid comments. Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 21
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/0004bd334b0c485b2e4ece0bfae8812c7f107a0d

commit 0004bd334b0c485b2e4ece0bfae8812c7f107a0d
Author: Lei Zhang <thestig@chromium.org>
Date: Fri Sep 21 21:29:38 2018

M70: Validate decoder pipelines.

PDF decoders, AKA filters, can be chained together. There can be an arbitrary number of decoding / decompressing filters in the pipeline, but there should be at most 1 image decoder, and the image decoder should only be at the end of the chain.

BUG= chromium:880675
TBR=tsepez@chromium.org
Change-Id: Iffa27c70ec1ed7574e38e0de23413840ee900959
Reviewed-on: https://pdfium-review.googlesource.com/42711
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 5f2ea0f6ef587f9f7a2fec9f80dbc82b94c97400)
Reviewed-on: https://pdfium-review.googlesource.com/42970
Reviewed-by: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode.h
[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode.cpp
[modify] https://crrev.com/0004bd334b0c485b2e4ece0bfae8812c7f107a0d/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
Sep 27
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Sep 28
Thanks zhouzhenster@! The VRP panel decided to award $1,000 for this report. (And just a reminder about http://g.co/ChromeBugRewards#fuzzerprogram if you've got a fuzzer that we could run on your behalf!)
Dec 28
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Sep 5
Components: Internals>Plugins>PDF
Labels: Security_Severity-Medium Security_Impact-Stable M-70