Starred by 2 users
Status: Fixed
Closed: Apr 2015
pdfium SIGSEGV in opj_j2k_update_image_data (libopenjpeg)
Project Member Reported by mjurczyk@google.com, Jan 29 2015
The following crash in latest pdfium has been discovered via fuzzing:

---
ASAN:SIGSEGV
=================================================================
==6690==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8e096d5400 (pc 0x000000f3d486 sp 0x7fff7f60e5d0 bp 0x7fff7f60e6a0 T0)
    #0 0xf3d485 in opj_j2k_update_image_data pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:8162
    #1 0xf40dae in opj_j2k_decode_tiles pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9435
    #2 0xf3b5aa in opj_j2k_exec pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7292
    #3 0xf413dc in opj_j2k_decode pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9619
    #4 0xd5e567 in opj_jp2_decode pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1406
    #5 0xd5afe5 in opj_decode pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/openjpeg.c:412
    #6 0xd4e3ef in CJPX_Decoder::Init(unsigned char const*, int) pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:632
    #7 0xd55e79 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:773
    #8 0xad2cc7 in CPDF_DIBSource::LoadJpxBitmap() pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:650
    #9 0xac58ca in CPDF_DIBSource::CreateDecoder() pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:606
    #10 0xaba6ec in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335
    #11 0xa7d58b in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:293
    #12 0xa7c436 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
    #13 0xaf6b4b in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1497
    #14 0xaf9eb4 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1557
    #15 0xa933d8 in CPDF_ImageRenderer::StartLoadDIBSource() pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:326
    #16 0xa83b5b in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:452
    #17 0xa4fe86 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:334
    #18 0xa6e068 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1133
    #19 0xa6bd95 in CPDF_ProgressiveRenderer::Start(CPDF_RenderContext*, CFX_RenderDevice*, CPDF_RenderOptions const*, IFX_Pause*, int) pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1076
    #20 0x4cbc9e in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) pdfium/fpdfsdk/src/fpdfview.cpp:727
    #21 0x4ccb62 in FPDF_RenderPageBitmap pdfium/fpdfsdk/src/fpdfview.cpp:525
    #22 0x49b37b in RenderPdf(std::string const&, char const*, unsigned long, OutputFormat) pdfium/samples/pdfium_test.cc:426
    #23 0x49e2a7 in main pdfium/samples/pdfium_test.cc:512

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:8162 opj_j2k_update_image_data
==6690==ABORTING
---

The issue has been reported to Chrome Security in https://code.google.com/p/chromium/issues/detail?id=453553. Sample file attached.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
signal_sigsegv_f3d486_5661_cov_3376424123_90a69911_c00e8853_2439b9e4_867c9c20_905a6ab2
1.3 MB
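Triage of fuzzer output like the AddressSanitizer report above usually starts with extracting the fault type, the faulting address and the top in-project frames into a stable deduplication key. The parser below is an added example written for this page, not code from the reporter, pdfium or Project Zero. Its first sample is the header, the first three frames and the summary line of the trace quoted in this report; the second sample is a constructed heap-buffer-overflow report (fictional paths and addresses) that shows the same parser handling a C++ frame with spaces in its signature, a sanitizer interceptor frame, and the trailing allocation stack that must not be confused with the faulting stack. The `classify_fault` split at address 0x1000 is a conventional triage heuristic, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample 1: trimmed from the ASan output quoted in this report (first three frames).
SAMPLE_ASAN_LOG = """\
ASAN:SIGSEGV
=================================================================
==6690==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8e096d5400 (pc 0x000000f3d486 sp 0x7fff7f60e5d0 bp 0x7fff7f60e6a0 T0)
    #0 0xf3d485 in opj_j2k_update_image_data pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:8162
    #1 0xf40dae in opj_j2k_decode_tiles pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9435
    #2 0xf3b5aa in opj_j2k_exec pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7292

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:8162 opj_j2k_update_image_data
==6690==ABORTING
"""

# Sample 2: constructed report (fictional paths/addresses) with an interceptor frame,
# a C++ signature containing spaces, and a second (allocation) stack after a blank line.
SAMPLE_HBO_LOG = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x4a1b2c bp 0x7ffd0 sp 0x7ffd8
READ of size 4 at 0x602000000018 thread T0
    #0 0x4a1b2b in __asan_memcpy /src/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x4f0001 in Codec::Decode(unsigned char const*, int) /src/codec.cpp:88
    #2 0x4f0123 in main /src/main.cpp:12

0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4a2000 in malloc /src/asan/asan_malloc_linux.cpp:145
    #1 0x4f0050 in Codec::Codec() /src/codec.cpp:40

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/codec.cpp:88 in Codec::Decode(unsigned char const*, int)
"""


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file:line" as printed, or "(module+offset)" when unsymbolized


@dataclass
class AsanReport:
    pid: int
    bug_type: str                 # e.g. "SEGV", "heap-buffer-overflow"
    fault_address: Optional[int]  # None when ASan printed no address
    frames: List[Frame]           # the faulting stack only, not allocation/free stacks
    summary: str


ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address 0x([0-9a-fA-F]+))?")
# Non-greedy function name followed by a single whitespace-free location token at end of line,
# so C++ signatures containing spaces are kept intact.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-fA-F]+) in (.+?) (\S+)$")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (.+)$")


def parse_asan_report(text: str) -> AsanReport:
    """Extract the ERROR header, the first stack trace and the SUMMARY line."""
    pid, bug_type, fault_address, summary = 0, "", None, ""
    frames: List[Frame] = []
    in_first_stack = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and not bug_type:
            pid, bug_type = int(m.group(1)), m.group(2)
            fault_address = int(m.group(3), 16) if m.group(3) else None
            in_first_stack = True
            continue
        m = FRAME_RE.match(line)
        if m and in_first_stack:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        # A blank line after at least one frame terminates the faulting stack;
        # anything that follows (allocation/free stacks, shadow bytes) is ignored here.
        if in_first_stack and frames and not line.strip():
            in_first_stack = False
        m = SUMMARY_RE.match(line)
        if m:
            summary = m.group(1)
    return AsanReport(pid, bug_type, fault_address, frames, summary)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Deduplication key: bug type plus the top `depth` non-sanitizer frames.
    Interceptor frames describe ASan itself, not the code under test, so they are skipped."""
    funcs = [f.function for f in report.frames
             if not f.function.startswith(("__asan", "__interceptor", "__sanitizer"))]
    return report.bug_type + "|" + "|".join(funcs[:depth])


def classify_fault(report: AsanReport) -> str:
    """Coarse triage bucket. For SEGV, an address inside the first page is treated as a
    null-pointer dereference; anything else is a wild access worth closer analysis."""
    if report.bug_type != "SEGV":
        return report.bug_type
    if report.fault_address is None or report.fault_address < 0x1000:
        return "null-deref"
    return "wild-access"


if __name__ == "__main__":
    for log in (SAMPLE_ASAN_LOG, SAMPLE_HBO_LOG):
        r = parse_asan_report(log)
        print(classify_fault(r), crash_signature(r), r.frames[0].location if r.frames else "?")
```

Running the script prints one line per sample: the triage bucket, the dedup key and the top frame's source location. In a fuzzing pipeline the signature is what groups hundreds of crashing inputs into one issue; the bucket is what decides which group a human looks at first.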
Project Member Comment 1 by scvitti@google.com, Feb 2 2015
Labels: -Reported-29-Jan-2015 Reported-2015-Jan-29
Comment 2 by cevans@google.com, Apr 30 2015
Labels: -Restrict-View-Commit Fixed-2015-Apr-28
Status: Fixed
Fixed in this release here: http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_28.html