AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

pdfium unmapped memory read (SIGSEGV) crash in CPDF_SampledFunc::v_Call #309

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The following crash was encountered in pdfium (the Chrome PDF renderer) during 
PDF fuzzing:

--- cut ---
=================================================================
==16335==ERROR: AddressSanitizer: SEGV on unknown address 0x7f7aedf89800 (pc 0x000000598373 bp 0x7fff03966370 sp 0x7fff039660a0 T0)
    #0 0x598372 in CPDF_SampledFunc::v_Call(float*, float*) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:429:13
    #1 0x59b486 in CPDF_Function::Call(float*, int, float*, int&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:874:5
    #2 0x58772d in CPDF_SeparationCS::GetRGB(float*, float&, float&, float&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:984:5
    #3 0x58a73e in CPDF_Color::GetRGB(int&, int&, int&) const /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp:1417:10
    #4 0x59f5c7 in CPDF_ColorState::SetColor(CPDF_Color&, unsigned int&, CPDF_ColorSpace*, float*, int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp:259:11
    #5 0x5b79ad in CPDF_StreamContentParser::Handle_SetColorPS_Fill() /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1072:9
    #6 0x5a78d9 in CPDF_StreamContentParser::OnOperator(char const*) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:341:13
    #7 0x5bf64f in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:62:21
    #8 0x5ca5ed in CPDF_ContentParser::Continue(IFX_Pause*) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1091:36
    #9 0x57aaaa in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) /ssd/mbarbella/beh/src/third_party/pdfium/core/src/fpdfapi/fpdf_page/fpdf_page.cpp:704:5
    #10 0x1cadf6a in CPDFXFA_Page::LoadPDFPage() /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfxfa/fpdfxfa_page.cpp:61:3
    #11 0x1ca4354 in CPDFXFA_Document::GetPage(int) /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:218:18
    #12 0x4a8886 in FPDF_LoadPage /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfview.cpp:447:9
    #13 0x4a48be in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, OutputFormat) /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:429:22
    #14 0x4a5537 in main /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:529:5
    #15 0x7f7b64c8eec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
--- cut ---

The crash was reported at 
https://code.google.com/p/chromium/issues/detail?id=471990. Attached is the PDF 
file which triggers the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 31 Mar 2015 at 9:28

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 2 Apr 2015 at 5:12

GoogleCodeExporter commented 8 years ago
While filing the bug in the Chrome bug tracker for this specific issue, we 
failed to include the deadline language in the internal report due to an 
oversight, thus making it impossible to reasonably enforce the original 
deadline. This has now been fixed, and we are adjusting the labels accordingly 
to reflect the fact that the 90 day period starts today.

Original comment by mjurc...@google.com on 26 Jun 2015 at 9:25

GoogleCodeExporter commented 8 years ago
Fixed in M44 (44.0.2403.89) on July 21.

Original comment by haw...@google.com on 21 Sep 2015 at 10:42