Status: Fixed
Closed: Sep 2015
pdfium heap-based out-of-bounds read in opj_dwt_decode_1 (libopenjpeg)
Project Member Reported by mjurczyk@google.com, Mar 30 2015
The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:

--- cut ---
==22930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000009a78 at pc 0x00000085e39d bp 0x7fff1beffc70 sp 0x7fff1beffc68
READ of size 4 at 0x61f000009a78 thread T0
    #0 0x85e39c in opj_dwt_decode_1 third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:313:42
    #1 0x85aae8 in opj_dwt_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:596:4
    #2 0x7bfd17 in opj_tcd_decode_tile third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/tcd.c:1633:31
    #3 0x792a20 in opj_j2k_decode_tile third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:7928:15
    #4 0x7a1926 in opj_j2k_decode_tiles third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:9442:23
    #5 0x79a5f8 in opj_j2k_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:7306:41
    #6 0x5b8f14 in opj_jp2_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c:1406:8
    #7 0x5b4af6 in opj_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/openjpeg.c:412:10
    #8 0x5aa689 in CJPX_Decoder::Init(unsigned char const*, int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:668:15
    #9 0x5acfb6 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:809:10
    #10 0xacf829 in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:638:21
    #11 0xac7f0c in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:598:9
    #12 0xac2be2 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:329:15
    #13 0xaac3b3 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:293:15
    #14 0xaabf0c in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #15 0xae01c3 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1443:15
    #16 0xae1006 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1503:19
    #17 0xab3be8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:327:9
    #18 0xaae197 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:453:9
    #19 0xa9c0fe in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:337:14
    #20 0xaa7fd1 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1136:21
    #21 0xaa6ad9 in CPDF_ProgressiveRenderer::Start(CPDF_RenderContext*, CFX_RenderDevice*, CPDF_RenderOptions const*, IFX_Pause*, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1079:5
    #22 0x51b033 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:731:2
    #23 0x51b79c in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:529:2
    #24 0x4cc56a in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:509:5
    #25 0x4ce8b2 in main third_party/pdfium/samples/pdfium_test.cc:608:5
    #26 0x7f4249fa6ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
0x61f000009a78 is located 8 bytes to the left of 3324-byte region [0x61f000009a80,0x61f00000a77c)
allocated by thread T0 here:
    #0 0x4a95bb in __interceptor_malloc
    #1 0x859689 in opj_dwt_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:572:2
    #2 0x7bfd17 in opj_tcd_decode_tile third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/tcd.c:1633:31
    #3 0x792a20 in opj_j2k_decode_tile third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:7928:15
    #4 0x7a1926 in opj_j2k_decode_tiles third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:9442:23
    #5 0x79a5f8 in opj_j2k_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/j2k.c:7306:41
    #6 0x5b8f14 in opj_jp2_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/jp2.c:1406:8
    #7 0x5b4af6 in opj_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/openjpeg.c:412:10
    #8 0x5aa689 in CJPX_Decoder::Init(unsigned char const*, int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:668:15
    #9 0x5acfb6 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:809:10
    #10 0xacf829 in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:638:21
    #11 0xac7f0c in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:598:9
    #12 0xac2be2 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:329:15
    #13 0xaac3b3 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:293:15
    #14 0xaabf0c in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #15 0xae01c3 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1443:15
    #16 0xae1006 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1503:19
    #17 0xab3be8 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:327:9
    #18 0xaae197 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:453:9
    #19 0xa9c0fe in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:337:14
    #20 0xaa7fd1 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1136:21
    #21 0xaa6ad9 in CPDF_ProgressiveRenderer::Start(CPDF_RenderContext*, CFX_RenderDevice*, CPDF_RenderOptions const*, IFX_Pause*, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1079:5
    #22 0x51b033 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:731:2
    #23 0x51b79c in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:529:2
    #24 0x4cc56a in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:509:5
    #25 0x4ce8b2 in main third_party/pdfium/samples/pdfium_test.cc:608:5
    #26 0x7f4249fa6ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
--- cut ---

The crash was reported at https://code.google.com/p/chromium/issues/detail?id=471797. Attached is the PDF file which triggers the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
 
asan_heap-oob_18d6f3a_3294_5693b112_c5d10811_3e319ce6_8f15338e_2d0f1980.pdf
155 KB
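As an added triage helper that is not part of the original report: a small Python parser that pulls out of the AddressSanitizer output above the fields a reviewer checks first (bug class, access kind and size, the faulting address's offset relative to the allocated region, the faulting frame and the allocating frame). The embedded sample is constructed from the trace on this page, trimmed to the lines the parser needs; the class and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the key lines of the AddressSanitizer report from this bug,
# trimmed to what the parser needs; addresses and frames are as on the page.
SAMPLE_REPORT = """\
==22930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000009a78 at pc 0x00000085e39d bp 0x7fff1beffc70 sp 0x7fff1beffc68
READ of size 4 at 0x61f000009a78 thread T0
    #0 0x85e39c in opj_dwt_decode_1 third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:313:42
    #1 0x85aae8 in opj_dwt_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:596:4
0x61f000009a78 is located 8 bytes to the left of 3324-byte region [0x61f000009a80,0x61f00000a77c)
allocated by thread T0 here:
    #0 0x4a95bb in __interceptor_malloc
    #1 0x859689 in opj_dwt_decode third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/libopenjpeg20/dwt.c:572:2
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Plain C frames only; C++ frames with spaces in the signature keep just the name.
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?", re.M)

@dataclass
class AsanTriage:
    bug_type: str
    access: str        # READ or WRITE
    size: int          # bytes accessed
    offset: int        # faulting address minus region start; negative = before the buffer
    region_size: int
    crash_site: str    # "function file:line" of frame #0 of the faulting stack
    alloc_site: str    # first non-interceptor frame of the allocation stack

def _frames(block: str):
    return [(m.group(1), m.group(2) or "") for m in FRAME_RE.finditer(block)]

def parse_asan_report(text: str) -> AsanTriage:
    header, access, region = HEADER_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a heap-buffer-overflow report with a region line")
    # The faulting stack precedes "allocated by"; the allocation stack follows it.
    access_block, _, alloc_block = text.partition("allocated by")
    crash_fn, crash_loc = _frames(access_block)[0]
    alloc_fn, alloc_loc = next((f for f in _frames(alloc_block)
                                if not f[0].startswith("__interceptor_")), ("?", ""))
    return AsanTriage(bug_type=header.group(1), access=access.group(1), size=int(access.group(2)),
                      offset=int(access.group(3), 16) - int(region.group(2), 16),
                      region_size=int(region.group(1)),
                      crash_site=f"{crash_fn} {crash_loc}".strip(),
                      alloc_site=f"{alloc_fn} {alloc_loc}".strip())

def classify(t: AsanTriage) -> str:
    """One-line verdict: which side of the allocation the access falls on."""
    side = "underflow (before region start)" if t.offset < 0 else "overflow (past region end)"
    return f"{t.bug_type} {t.access} of {t.size} bytes, {side}, offset {t.offset:+d} of {t.region_size}"

if __name__ == "__main__":
    print(classify(parse_asan_report(SAMPLE_REPORT)))
```

For this trace the verdict is a 4-byte read 8 bytes before the start of the 3324-byte buffer allocated in opj_dwt_decode, i.e. an index underflow rather than an overrun past the end.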
Project Member Comment 1 by scvitti@google.com, Apr 2 2015
Labels: -Reported-30-Mar-2015 Reported-2015-Mar-30
Project Member Comment 2 by mjurczyk@google.com, Jun 26 2015
Labels: -Reported-2015-Mar-30 Reported-2015-Jun-26
While filing the bug in the Chrome bug tracker for this specific issue, we failed to include the deadline language in the internal report due to an oversight, thus making it impossible to reasonably enforce the original deadline. This has now been fixed, and we are adjusting the labels accordingly to reflect the fact that the 90 day period starts today.
Project Member Comment 3 by hawkes@google.com, Sep 21 2015
Status: Fixed
Fixed in the 15 Sep M45 release.
Project Member Comment 4 by hawkes@google.com, Sep 22 2015
Labels: -Restrict-View-Commit
Comment 5 by wart...@gmail.com, May 6 2017
Was this ever assigned a CVE?