PDF crash in chrome - part0 #362

Closed
gcode-importer opened this issue Jun 28, 2014 · 16 comments


Originally reported on Google Code with ID 362

Attached are test files and fixes for a PDF file crash in Chrome. They were found and fixed
in pdfium testing by Foxit.

openjpeg svn version:
r2833

test environment:
chrome build environment, put openjpeg into chrome/external

Reported by [email protected] on 2014-06-28 00:57:35


- _Attachment: [issue1-fuzz-asan_heap-uaf_7b68a2_2858_4845.pdf.zip](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-0/issue1-fuzz-asan_heap-uaf_7b68a2_2858_4845.pdf.zip)_
- _Attachment: [openjpeg security bugs.txt](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-0/openjpeg security bugs.txt)_

The title should be "PDF crash in chrome - part0"

Reported by [email protected] on 2014-06-28 01:05:38


Reported by detonin on 2014-09-19 09:41:11

  • Status changed: Accepted


Reported by detonin on 2014-09-19 09:41:24


r2894

./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp

[INFO] Start to read j2k main header (129).
=================================================================
==3018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x02903b68 at pc 0x00296aa6 bp 0xbffc94f8 sp 0xbffc90dc
READ of size 96613 at 0x02903b68 thread T0
    #0 0x296aa5 in __asan_memcpy (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x27aa5)
    #1 0x76f31d in j2k_read_ppm_v3 /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:3636:17
    #2 0x792e44 in opj_j2k_read_header_procedure /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7132:23
    #3 0x779bd7 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #4 0x77986d in opj_j2k_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:6719:15
    #5 0x79e08c in opj_jp2_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2310:9
    #6 0x7a4b49 in opj_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:391:10
    #7 0x395ef in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x65ef)
    #8 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #9 0x4 (<unknown module>)

0x02903b68 is located 0 bytes to the right of 1000-byte region [0x02903780,0x02903b68)
allocated by thread T0 here:
    #0 0x29f30a in wrap_calloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3030a)
    #1 0x77f272 in opj_j2k_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:8286:72
    #2 0x79eeb1 in opj_jp2_create /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2549:15
    #3 0x7a4523 in opj_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:318:23
    #4 0x39574 in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x6574)
    #5 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #6 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x20520710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20520720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20520730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20520740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20520750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x20520760: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
  0x20520770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x20520780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x20520790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x205207a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x205207b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==3018==ABORTING

Reported by mayeut on 2014-10-03 18:59:34


- _Attachment: [2894.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-4/2894.jp2)_
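The trace above shows __asan_memcpy reading 96613 bytes out of a 1000-byte region allocated in opj_j2k_create_decompress: the PPM marker handler copies as many bytes as the segment's length field asks for, without first checking that the segment actually contains them. The C program below is an added example written for this page, not OpenJPEG code. It models a PPM segment body as Zppm followed by repeated (Nppm, Ippm) records, a simplified and hypothetical layout, and puts the trusting copy next to a version that validates Nppm against both the remaining segment bytes and the destination capacity. Both sample segments are constructed; the second reuses the 96613-byte Nppm from the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Big-endian 32-bit read; JPEG 2000 marker fields are big-endian. */
static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Simplified, hypothetical model of a PPM marker segment body (the bytes
 * after Lppm): Zppm (1 byte), then repeated (Nppm: 4 bytes big-endian,
 * Ippm: Nppm bytes). seg points at Zppm and seg_len is how many bytes of
 * the segment are really in memory. Ippm data is concatenated into out
 * (capacity out_cap). Returns bytes copied, or -1 for a malformed segment. */
long ppm_collect_checked(const uint8_t *seg, size_t seg_len,
                         uint8_t *out, size_t out_cap)
{
    size_t pos = 1, written = 0;      /* pos = 1 skips Zppm */

    if (seg_len < 1)
        return -1;
    while (pos < seg_len) {
        uint32_t n;
        if (seg_len - pos < 4)        /* Nppm field itself is cut off */
            return -1;
        n = rd32be(seg + pos);
        pos += 4;
        /* Nppm is file-controlled. It must fit in what is left of the
         * segment (the read side, which is what ASan flagged above) and
         * in the destination buffer. */
        if (n > seg_len - pos || n > out_cap - written)
            return -1;
        memcpy(out + written, seg + pos, n);
        written += n;
        pos += n;
    }
    return (long)written;
}

/* The pattern behind the crash: Nppm is trusted, so a segment declaring
 * Nppm = 96613 with four bytes behind it makes memcpy read far past seg.
 * Kept only as the "before"; never run it on untrusted input. */
long ppm_collect_unchecked(const uint8_t *seg, size_t seg_len, uint8_t *out)
{
    size_t pos = 1, written = 0;

    while (pos < seg_len) {
        uint32_t n = rd32be(seg + pos);
        pos += 4;
        memcpy(out + written, seg + pos, n);   /* no bound on n */
        written += n;
        pos += n;
    }
    return (long)written;
}

/* Constructed input: Zppm = 0, then Nppm = 3 "abc" and Nppm = 2 "de".
 * Returns 5, or -2 if the copied bytes are not "abcde". */
long ppm_demo_wellformed(void)
{
    static const uint8_t seg[] = { 0x00, 0,0,0,3, 'a','b','c', 0,0,0,2, 'd','e' };
    uint8_t out[16];
    long n = ppm_collect_checked(seg, sizeof seg, out, sizeof out);
    if (n == 5 && memcmp(out, "abcde", 5) != 0)
        return -2;
    return n;
}

/* Constructed input mirroring the trace: Nppm = 96613 (0x00017965) but only
 * four bytes follow. The checked parser returns -1 instead of over-reading. */
long ppm_demo_oversized_nppm(void)
{
    static const uint8_t seg[] = { 0x00, 0x00,0x01,0x79,0x65, 'x','x','x','x' };
    uint8_t out[16];
    return ppm_collect_checked(seg, sizeof seg, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %ld bytes, oversized Nppm: %ld\n",
           ppm_demo_wellformed(), ppm_demo_oversized_nppm());
    return 0;
}
```

Compiling with -fsanitize=address and pointing ppm_collect_unchecked at the oversized segment produces an over-read report of the same kind as the one above, which is a quick local check that a fix to the length validation holds before re-running the original attachment.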


Reported by mayeut on 2014-10-03 19:00:12


- _Attachment: [2863.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-5/2863.jp2)_


./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

==3028==ERROR: AddressSanitizer failed to allocate 0xb2003000 (-1308610560) bytes of LargeMmapAllocator (errno: 12)
==3028==Process memory map follows:
    0x9524f000-0x95274000   /usr/lib/libc++abi.dylib
    0xa090b000-0xa090c000   /usr/lib/libc++abi.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libc++abi.dylib
    0x9902b000-0x99050000   /usr/lib/system/libxpc.dylib
    0xa15b1000-0xa15b3000   /usr/lib/system/libxpc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libxpc.dylib
    0x97309000-0x97310000   /usr/lib/system/libunwind.dylib
    0xa0b03000-0xa0b04000   /usr/lib/system/libunwind.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libunwind.dylib
    0x967b8000-0x967ba000   /usr/lib/system/libunc.dylib
    0xa0a69000-0xa0a6a000   /usr/lib/system/libunc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libunc.dylib
    0x910e6000-0x910e8000   /usr/lib/system/libsystem_sandbox.dylib
    0xa03b2000-0xa03b3000   /usr/lib/system/libsystem_sandbox.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_sandbox.dylib
    0x9bb6e000-0x9bb76000   /usr/lib/system/libsystem_pthread.dylib
    0xa187c000-0xa187e000   /usr/lib/system/libsystem_pthread.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_pthread.dylib
    0x944d5000-0x944db000   /usr/lib/system/libsystem_platform.dylib
    0xa082f000-0xa0830000   /usr/lib/system/libsystem_platform.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_platform.dylib
    0x904c8000-0x904d2000   /usr/lib/system/libsystem_notify.dylib
    0xa026e000-0xa026f000   /usr/lib/system/libsystem_notify.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_notify.dylib
    0x930c7000-0x930f3000   /usr/lib/system/libsystem_network.dylib
    0xa06e6000-0xa06e8000   /usr/lib/system/libsystem_network.dylib
    0xa06e8000-0xa06e9000   /usr/lib/system/libsystem_network.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_network.dylib
    0x93178000-0x93191000   /usr/lib/system/libsystem_malloc.dylib
    0xa06fb000-0xa06fc000   /usr/lib/system/libsystem_malloc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_malloc.dylib
    0x982f8000-0x9832a000   /usr/lib/system/libsystem_m.dylib
    0xa14a3000-0xa14a4000   /usr/lib/system/libsystem_m.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_m.dylib
    0x9ba7e000-0x9ba9c000   /usr/lib/system/libsystem_kernel.dylib
    0xa186d000-0xa186f000   /usr/lib/system/libsystem_kernel.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_kernel.dylib
    0x9bcf4000-0x9bd1d000   /usr/lib/system/libsystem_info.dylib
    0xa18a0000-0xa18a2000   /usr/lib/system/libsystem_info.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_info.dylib
    0x9a444000-0x9a44d000   /usr/lib/system/libsystem_dnssd.dylib
    0xa1686000-0xa1687000   /usr/lib/system/libsystem_dnssd.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_dnssd.dylib
    0x998d5000-0x998d8000   /usr/lib/system/libsystem_configuration.dylib
    0xa160d000-0xa160e000   /usr/lib/system/libsystem_configuration.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_configuration.dylib
    0x90587000-0x9061a000   /usr/lib/system/libsystem_c.dylib
    0xa0274000-0xa027b000   /usr/lib/system/libsystem_c.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_c.dylib
    0x95154000-0x95156000   /usr/lib/system/libsystem_blocks.dylib
    0xa08f9000-0xa08fa000   /usr/lib/system/libsystem_blocks.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_blocks.dylib
    0x930a9000-0x930bc000   /usr/lib/system/libsystem_asl.dylib
    0xa06e3000-0xa06e4000   /usr/lib/system/libsystem_asl.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_asl.dylib
    0x95432000-0x95434000   /usr/lib/system/libremovefile.dylib
    0xa093c000-0xa093d000   /usr/lib/system/libremovefile.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libremovefile.dylib
    0x9ba9c000-0x9ba9f000   /usr/lib/system/libquarantine.dylib
    0xa186f000-0xa1870000   /usr/lib/system/libquarantine.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libquarantine.dylib
    0x97681000-0x97686000   /usr/lib/system/libmacho.dylib
    0xa1374000-0xa1375000   /usr/lib/system/libmacho.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libmacho.dylib
    0x98f2c000-0x98f35000   /usr/lib/system/liblaunch.dylib
    0xa1596000-0xa1597000   /usr/lib/system/liblaunch.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/liblaunch.dylib
    0x96d85000-0x96d86000   /usr/lib/system/libkeymgr.dylib
    0xa0ad7000-0xa0ad8000   /usr/lib/system/libkeymgr.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libkeymgr.dylib
    0x9aaee000-0x9aaf2000   /usr/lib/system/libdyld.dylib
    0xa173f000-0xa1740000   /usr/lib/system/libdyld.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libdyld.dylib
    0x930f5000-0x9310e000   /usr/lib/system/libdispatch.dylib
    0xa06ea000-0xa06ee000   /usr/lib/system/libdispatch.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libdispatch.dylib
    0x97688000-0x976d9000   /usr/lib/system/libcorecrypto.dylib
    0xa1376000-0xa1379000   /usr/lib/system/libcorecrypto.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcorecrypto.dylib
    0x9b4de000-0x9b4e7000   /usr/lib/system/libcopyfile.dylib
    0xa1814000-0xa1815000   /usr/lib/system/libcopyfile.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcopyfile.dylib
    0x9c0c3000-0x9c0c9000   /usr/lib/system/libcompiler_rt.dylib
    0xa18ce000-0xa18d0000   /usr/lib/system/libcompiler_rt.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcompiler_rt.dylib
    0x90008000-0x90014000   /usr/lib/system/libcommonCrypto.dylib
    0xa0252000-0xa0253000   /usr/lib/system/libcommonCrypto.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcommonCrypto.dylib
    0x9c1ad000-0x9c1b2000   /usr/lib/system/libcache.dylib
    0xa18e2000-0xa18e3000   /usr/lib/system/libcache.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcache.dylib
    0x9a905000-0x9a95b000   /usr/lib/libc++.1.dylib
    0xa170e000-0xa1714000   /usr/lib/libc++.1.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libc++.1.dylib
    0x930f3000-0x930f5000   /usr/lib/libSystem.B.dylib
    0xa06e9000-0xa06ea000   /usr/lib/libSystem.B.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libSystem.B.dylib
    0x0081f000-0x008a9000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x008a9000-0x008b0000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x008b0000-0x008ca000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x00332000-0x0038f000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x0038f000-0x007e8000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x007e8000-0x0081c000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x000f5000-0x000f6000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x000f6000-0x002c2000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x002c2000-0x002dd000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x002dd000-0x0032f000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
==3028==End of process memory map.
==3028==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x36c227 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a227)
    #1 0x3706a3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3e6a3)

Reported by mayeut on 2014-10-03 19:02:11


kdu_expand  -i ../../data/issue360/2863.jp2 -o 0.bmp
Kakadu Core Error:
Main code-stream header appears corrupt!

Reported by mayeut on 2014-10-03 19:52:24


This patch from bo_xu fixes the error for 2894.jp2

./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

[ERROR] invalid box size -1308622828 (66747970)
ERROR -> opj_decompress: failed to read the header

kdu_expand -i ../../data/issue360/2894.jp2 -o 0.bmp
Error in Kakadu File Format Support:
JP2-family data source contains a malformed file type box.

Reported by mayeut on 2014-10-03 19:56:54


- _Attachment: [issue362-2894.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-8/issue362-2894.patch)_


This patch makes the following tests fail:
105:ETS-JP2-file8.jp2-decode [ERROR] invalid box size 910 (786d6c20)
106:ETS-JP2-file8.jp2-compare2ref
107:NR-JP2-file8.jp2-compare2base
582:NR-DEC-text_GBR.jp2-29-decode [ERROR] invalid box size 655360 (883)
583:NR-DEC-text_GBR.jp2-29-decode-md5
593:NR-DEC-mem-b2b86b74-2753.jp2-35-decode [ERROR] invalid box size 655360 (64d)
594:NR-DEC-mem-b2b86b74-2753.jp2-35-decode-md5
603:NR-DEC-issue206_image-000.jp2-42-decode [ERROR] invalid box size 655360 (5cc)
604:NR-DEC-issue206_image-000.jp2-42-decode-md5
629:NR-DEC-issue254.jp2-65-decode [ERROR] invalid box size 655360 (3bd8)
637:NR-DEC-issue208.jp2-69-decode [ERROR] invalid box size 655360 (68)
638:NR-DEC-issue208.jp2-69-decode-md5

Reported by mayeut on 2014-10-05 15:35:50


This patch allows file8 to decode properly.

After analysis, the other files only decode properly before the patch because it is
the last box and the box is skipped (no handler). If skip is modified to check that the
number of bytes skipped falls within the file size range, then it fails:
/* Skip p_nb_bytes forward in the stream. Seeking alone cannot tell whether the
 * target lies past end of file, so seek to the last byte of the skipped range
 * and read it: a short read means the box runs past the end of the file. */
static OPJ_OFF_T opj_skip_from_file (OPJ_OFF_T p_nb_bytes, FILE * p_user_data)
{
    if (p_nb_bytes > 0) {
        OPJ_BYTE l_byte;
        if (OPJ_FSEEK(p_user_data,p_nb_bytes-1,SEEK_CUR)) {
            return -1;
        }
        if (opj_read_from_file(&l_byte, 1, p_user_data) != 1) {
            return -1;   /* the skipped range extends past EOF */
        }
    }

    return p_nb_bytes;
}
Are those some special kind of boxes?

Reported by mayeut on 2014-10-05 17:05:40


- _Attachment: [issue362-2894.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-10/issue362-2894.patch)_


This patch only does the check if a handler exists, before trying to reallocate data.

It should be OK to apply. CTest running.

Reported by mayeut on 2014-10-05 17:57:23


- _Attachment: [issue362-2894.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-11/issue362-2894.patch)_


OK in CDash

./bin/opj_decompress -i ../../data/issue360/2866.jp2 -o 0.bmp

[ERROR] Invalid box size -738197484 for box 'ftyp'. Need -738197492 bytes, 602 bytes remaining
ERROR -> opj_decompress: failed to read the header

./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

[ERROR] Invalid box size -1308622828 for box 'ftyp'. Need -1308622836 bytes, 605 bytes remaining
ERROR -> opj_decompress: failed to read the header

Issue remaining on 2863.jp2

Reported by mayeut on 2014-10-05 18:49:42
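The negative box sizes in these messages (-1308622828 is 0xB2000014 read as a signed 32-bit int; 66747970 in the earlier message is the TBox bytes of 'ftyp') are the signature of a length field that landed in a signed integer and was then compared and added without an unsigned bound check. The C program below is an added example written for this page, not the OpenJPEG patch: a minimal JP2 box-header reader that keeps every length unsigned, validates it against the bytes remaining in the input, and handles the two reserved LBox values (0 means the box runs to end of file, 1 means a 64-bit XLBox follows). The sample buffers are constructed; the second places the exact LBox and TBox from the message above in its second box. A trailing box whose declared size runs past the end of the data, the case the earlier comment found in the test files, comes back as JP2_BOX_EXCEEDS_REMAINING rather than being silently skipped, so the caller has to decide explicitly whether to tolerate it, which is the decision the patch made by checking only boxes that have a handler.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Outcome of parsing one box header. */
enum jp2_box_status { JP2_BOX_OK = 0,
                      JP2_BOX_TRUNCATED_HEADER,   /* header itself is cut off */
                      JP2_BOX_BAD_SIZE,           /* LBox in 2..7, or XLBox < 16 */
                      JP2_BOX_EXCEEDS_REMAINING   /* declared size past end of input */ };

struct jp2_box {
    uint32_t type;                     /* TBox, e.g. 0x66747970 = 'ftyp' */
    uint64_t size;                     /* declared length, header included */
    size_t header_len, payload_len;    /* 8 or 16; bytes after the header */
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one box header; 'remaining' is how many input bytes follow buf.
 * Sizes stay unsigned, so LBox = 0xB2000014 is a large length that fails
 * the remaining-bytes check rather than a negative int that slips past it. */
enum jp2_box_status jp2_read_box_header(const uint8_t *buf, size_t remaining,
                                        struct jp2_box *box)
{
    uint32_t lbox;
    memset(box, 0, sizeof *box);
    if (remaining < 8) return JP2_BOX_TRUNCATED_HEADER;
    lbox = rd32be(buf);
    box->type = rd32be(buf + 4);
    box->header_len = 8;
    if (lbox == 1) {                   /* XLBox: 64-bit length follows */
        if (remaining < 16) return JP2_BOX_TRUNCATED_HEADER;
        box->size = ((uint64_t)rd32be(buf + 8) << 32) | rd32be(buf + 12);
        box->header_len = 16;
        if (box->size < 16) return JP2_BOX_BAD_SIZE;
    } else if (lbox == 0) {            /* box extends to end of file */
        box->size = remaining;
    } else if (lbox < 8) {
        return JP2_BOX_BAD_SIZE;
    } else {
        box->size = lbox;
    }
    if (box->size > remaining) return JP2_BOX_EXCEEDS_REMAINING;
    box->payload_len = (size_t)(box->size - box->header_len);
    return JP2_BOX_OK;
}

/* Walk consecutive boxes. Returns how many were accepted; *status is the
 * first error (or OK) and *last the header in hand when the walk stopped. */
size_t jp2_walk_boxes(const uint8_t *buf, size_t len,
                      enum jp2_box_status *status, struct jp2_box *last)
{
    size_t off = 0, count = 0;
    memset(last, 0, sizeof *last);
    *status = JP2_BOX_OK;
    while (off < len) {
        *status = jp2_read_box_header(buf + off, len - off, last);
        if (*status != JP2_BOX_OK) break;
        count++;
        off += (size_t)last->size;
    }
    return count;
}

/* Constructed input: signature box, 20-byte 'ftyp', a 16-byte XLBox 'uuid'
 * with empty payload, then a 'jp2c' with LBox = 0 running to end of file. */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' ', 0,0,0,0, 'j','p','2',' ',
    0x00,0x00,0x00,0x01, 'u','u','i','d', 0,0,0,0, 0,0,0,0x10,
    0x00,0x00,0x00,0x00, 'j','p','2','c', 0xFF,0x4F,0xFF,0x51
};

/* Constructed input carrying the LBox from the error message in the thread:
 * 0xB2000014 = 2986344468 unsigned, -1308622828 when forced through an int. */
static const uint8_t SAMPLE_BAD_FTYP[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0xB2,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' ', 0,0,0,0, 'j','p','2',' '
};

size_t jp2_demo_ok_count(void)               /* 4 boxes accepted */
{
    enum jp2_box_status st; struct jp2_box last;
    return jp2_walk_boxes(SAMPLE_OK, sizeof SAMPLE_OK, &st, &last);
}

int jp2_demo_bad_ftyp_status(void)           /* JP2_BOX_EXCEEDS_REMAINING */
{
    enum jp2_box_status st; struct jp2_box last;
    jp2_walk_boxes(SAMPLE_BAD_FTYP, sizeof SAMPLE_BAD_FTYP, &st, &last);
    return (int)st;
}

uint64_t jp2_demo_bad_ftyp_size(void)        /* 2986344468, for type 'ftyp' */
{
    enum jp2_box_status st; struct jp2_box last;
    jp2_walk_boxes(SAMPLE_BAD_FTYP, sizeof SAMPLE_BAD_FTYP, &st, &last);
    return last.type == 0x66747970u ? last.size : 0;
}
```

The only policy in the reader is the remaining-bytes comparison; everything else is format. That keeps the tolerance question (skip an over-long trailing box or reject the file) in the caller, where it can be made per box type, instead of buried in arithmetic that a corrupted high byte can turn negative.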


This patch corrects the issue remaining. OK in CDash

./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp

[INFO] Start to read j2k main header (129).
[ERROR] Error reading PPM marker
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

Reported by mayeut on 2014-10-05 21:00:46


- _Attachment: [issue362-2863.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-362/comment-13/issue362-2863.patch)_


Reported by mayeut on 2014-10-06 11:44:45

  • Status changed: Verified


Issue 360 has been merged into this issue.

Reported by mayeut on 2014-10-06 11:49:05


This issue was closed by revision r2896.

Reported by detonin on 2014-10-06 21:05:26

  • Status changed: Fixed
