pdfium heap-based out-of-bounds read in CPDF_SampledFunc::v_Call
Project Member Reported by mjurczyk@google.com, Jan 29 2015
The following crash in the latest pdfium has been discovered via fuzzing:
---
Rendering PDF file asan_heap-oob_88b9e3_6362_cov_2251911147_a2d2c610_cc7080dc_13562485_ffd13d6b_4d546a2f.
Non-linearized path...
=================================================================
==6996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fcb3cfff7fd at pc 0x88b9e3 bp 0x7fff5b2123f0 sp 0x7fff5b2123e8
READ of size 1 at 0x7fcb3cfff7fd thread T0
#0 0x88b9e2 in _GetBits32(unsigned char const*, int, int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:429
#1 0x8890de in CPDF_SampledFunc::v_Call(float*, float*) const pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:562
#2 0x895f9f in CPDF_Function::Call(float*, int, float*, int&) const pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:874
#3 0x84c09b in CPDF_SeparationCS::GetRGB(float*, float&, float&, float&) const pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:984
#4 0x858033 in CPDF_Color::GetRGB(int&, int&, int&) const pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:1417
#5 0x8a6ad5 in CPDF_ColorState::SetColor(CPDF_Color&, unsigned int&, CPDF_ColorSpace*, float*, int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp:259
#6 0x8a63a8 in CPDF_ColorState::SetFillColor(CPDF_ColorSpace*, float*, int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp:240
#7 0x8e6689 in CPDF_StreamContentParser::Handle_SetColorPS_Fill() pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1072
#8 0x8c9147 in CPDF_StreamContentParser::OnOperator(char const*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:341
#9 0x8f789f in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:62
#10 0x91b79a in CPDF_ContentParser::Continue(IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1092
#11 0x8145f8 in CPDF_PageObjects::ContinueParse(IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:704
#12 0x81a482 in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:906
#13 0x4c8c1c in FPDF_LoadPage pdfium/fpdfsdk/src/fpdfview.cpp:310
#14 0x49ac7e in RenderPdf(std::string const&, char const*, unsigned long, OutputFormat) pdfium/samples/pdfium_test.cc:412
#15 0x49e2a7 in main pdfium/samples/pdfium_test.cc:512
0x7fcb3cfff7fd is located 3 bytes to the left of 536870911-byte region [0x7fcb3cfff800,0x7fcb5cfff7ff)
allocated by thread T0 here:
#0 0x47d661 in calloc (pdfium/out/Debug/pdfium_test+0x47d661)
#1 0x9e0fcc in CPDF_SyntaxParser::ReadStream(CPDF_Dictionary*, PARSE_CONTEXT*, unsigned int, unsigned int) pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2476
#2 0x9ba432 in CPDF_SyntaxParser::GetObject(CPDF_IndirectObjects*, unsigned int, unsigned int, int, PARSE_CONTEXT*, int) pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2220
#3 0x9bc313 in CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects*, long, unsigned int, PARSE_CONTEXT*) pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1399
#4 0x9c0b98 in CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects*, unsigned int, PARSE_CONTEXT*) pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1202
#5 0x95c6c6 in CPDF_IndirectObjects::GetIndirectObject(unsigned int, PARSE_CONTEXT*) pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:1218
#6 0x961f8d in CPDF_Object::GetDirect() const pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:231
#7 0x971569 in CPDF_Array::GetElementValue(unsigned int) const pdfium/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:423
#8 0x84a9f3 in CPDF_SeparationCS::v_Load(CPDF_Document*, CPDF_Array*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:954
#9 0x83d866 in CPDF_ColorSpace::Load(CPDF_Document*, CPDF_Object*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:1165
#10 0x865cd3 in CPDF_DocPageData::GetColorSpace(CPDF_Object*, CPDF_Dictionary*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_doc.cpp:452
#11 0x864287 in CPDF_Document::LoadColorSpace(CPDF_Object*, CPDF_Dictionary*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_doc.cpp:104
#12 0x8d5f34 in CPDF_StreamContentParser::FindColorSpace(CFX_ByteString const&) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1248
#13 0x8d62f9 in CPDF_StreamContentParser::Handle_SetColorSpace_Stroke() pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:606
#14 0x8c9147 in CPDF_StreamContentParser::OnOperator(char const*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:341
#15 0x8f789f in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:62
#16 0x91b79a in CPDF_ContentParser::Continue(IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1092
#17 0x8145f8 in CPDF_PageObjects::ContinueParse(IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:704
#18 0x81a482 in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:906
#19 0x4c8c1c in FPDF_LoadPage pdfium/fpdfsdk/src/fpdfview.cpp:310
#20 0x49ac7e in RenderPdf(std::string const&, char const*, unsigned long, OutputFormat) pdfium/samples/pdfium_test.cc:412
#21 0x49e2a7 in main pdfium/samples/pdfium_test.cc:512
SUMMARY: AddressSanitizer: heap-buffer-overflow pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:429 _GetBits32(unsigned char const*, int, int)
==6996==ABORTING
---
The issue has been reported to Chrome Security in https://code.google.com/p/chromium/issues/detail?id=452455. Sample file attached.
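The faulting read lands 3 bytes before the start of the sample buffer that ReadStream allocated, so the bit offset handed to _GetBits32 was out of range. As an added example (not pdfium's code), a bounds-checked MSB-first bit reader with the same (buffer, bitpos, nbits) shape, plus the sample-index arithmetic a sampled-function evaluator performs; get_bits32_checked, read_bits, read_sample and the 4-byte table are constructed names and data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounds-checked bit reader (added example, not pdfium code).
 * Reads nbits (1..32) MSB-first starting at bit offset bitpos. The read is
 * refused unless [bitpos, bitpos + nbits) lies entirely inside buf; bitpos
 * is a signed 64-bit value so a negative offset (the trace shows the fault
 * 3 bytes before the buffer start) is caught instead of wrapping. */
bool get_bits32_checked(const uint8_t *buf, size_t buf_len,
                        int64_t bitpos, int nbits, uint32_t *out)
{
    if (buf == NULL || out == NULL || nbits < 1 || nbits > 32)
        return false;
    if (bitpos < 0)
        return false;                        /* rejects the underflow case */
    uint64_t total_bits = (uint64_t)buf_len * 8u;
    if ((uint64_t)bitpos > total_bits ||
        (uint64_t)nbits > total_bits - (uint64_t)bitpos)
        return false;                        /* rejects reads past the end */

    uint32_t v = 0;
    for (int i = 0; i < nbits; i++) {
        uint64_t p = (uint64_t)bitpos + (uint64_t)i;
        unsigned bit = (buf[p >> 3] >> (7 - (p & 7))) & 1u;
        v = (v << 1) | bit;
    }
    *out = v;
    return true;
}

/* Convenience wrapper: the value read, or -1 when the read is refused. */
int64_t read_bits(const uint8_t *buf, size_t buf_len, int64_t bitpos, int nbits)
{
    uint32_t v = 0;
    return get_bits32_checked(buf, buf_len, bitpos, nbits, &v) ? (int64_t)v : -1;
}

/* Constructed 4-byte sample table, packed MSB-first like a small
 * sampled-function stream. */
const uint8_t kSample[4] = { 0xA5, 0x3C, 0xFF, 0x01 };

/* Sample number `index` of `bps` bits each: the index arithmetic a Type 0
 * function evaluator performs, routed through the checked reader. */
int64_t read_sample(const uint8_t *buf, size_t buf_len, int64_t index, int bps)
{
    if (index < 0 || bps < 1 || bps > 32 || index > INT64_MAX / bps)
        return -1;                           /* offset would not be representable */
    return read_bits(buf, buf_len, index * (int64_t)bps, bps);
}
```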
Comment 1 by mjurczyk@google.com (Project Member), Jan 29 2015
Feb 2 2015
Feb 2 2015
Mar 4 2015
Fixed: http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html Part of catch-all CVE-2015-1231.
Jun 12 2015