AN-Master / google-security-research

Automatically exported from code.google.com/p/google-security-research

pdfium static out-of-bounds read in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos #310

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The following crash was encountered in pdfium (the Chrome PDF renderer) during 
PDF fuzzing:

--- cut ---
=================================================================
==8436==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x0000026980e4 at pc 0x000001d39789 bp 0x7fff23929830 sp 0x7fff23929828
READ of size 1 at 0x0000026980e4 thread T0
    #0 0x1d39788 in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos(CXFA_Node*, float, float, float&, float&) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:753:5
    #1 0x1d3b8f2 in CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer(CXFA_LayoutContext*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:908:13
    #2 0x1d3aa9c in CXFA_ItemLayoutProcessor::DoLayout(int, float, float, CXFA_LayoutContext*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:2328:25
    #3 0x1d4b7de in XFA_ItemLayoutProcessor_InsertFlowedItem(CXFA_ItemLayoutProcessor*, CXFA_ItemLayoutProcessor*&, int, int, float, XFA_ATTRIBUTEENUM, unsigned char&, CFX_ArrayTemplate<CXFA_ContentLayoutItemImpl*> (&) [3], int, float, float, float&, float&, float&, float&, int&, int&, CXFA_LayoutContext*, int) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:1566:21
    #4 0x1d48712 in CXFA_ItemLayoutProcessor::DoLayoutFlowedContainer(int, XFA_ATTRIBUTEENUM, float, float, CXFA_LayoutContext*, int) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:2085:60
    #5 0x1d3aa8c in CXFA_ItemLayoutProcessor::DoLayout(int, float, float, CXFA_LayoutContext*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:2323:32
    #6 0x1d2b63b in CXFA_LayoutProcessor::DoLayout(IFX_Pause*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_document_layout_imp.cpp:99:19
    #7 0x1cb6cd8 in CXFA_FFDocView::DoLayout(IFX_Pause*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/app/xfa_ffdocview.cpp:113:15
    #8 0x1ca3c51 in CPDFXFA_Document::LoadXFADoc() /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:161:6
    #9 0x4a8440 in FPDF_LoadXFA /ssd/mbarbella/beh/src/third_party/pdfium/fpdfsdk/src/fpdfview.cpp:313:9
    #10 0x4a47a9 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, OutputFormat) /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:409:8
    #11 0x4a5537 in main /ssd/mbarbella/beh/src/third_party/pdfium/samples/pdfium_test.cc:529:5
    #12 0x7f7f85297ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
0x0000026980e4 is located 0 bytes to the right of global variable nNextPos defined in ../../third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:752:27 (0x26980c0) of size 36
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
--- cut ---

The crash was reported at 
https://code.google.com/p/chromium/issues/detail?id=471991. Attached is the PDF 
file which triggers the crash.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

Original issue reported on code.google.com by mjurc...@google.com on 31 Mar 2015 at 9:34

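As an added example (not part of this report or of pdfium), a small Python triage helper that parses an ASan report of this shape into structured fields, recovers how far past the end of the named global the faulting address lies, and builds a stable dedup key for grouping fuzzer crashes; the embedded report is a constructed excerpt of the one quoted above, with the line-wrapped "defined in" sentence rejoined.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ASan report quoted in this issue, cut to two stack frames.
SAMPLE_REPORT = """\
==8436==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000026980e4 at pc 0x000001d39789 bp 0x7fff23929830 sp 0x7fff23929828
READ of size 1 at 0x0000026980e4 thread T0
    #0 0x1d39788 in CXFA_ItemLayoutProcessor::CalculatePositionedContainerPos(CXFA_Node*, float, float, float&, float&) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:753:5
    #1 0x1d3b8f2 in CXFA_ItemLayoutProcessor::DoLayoutPositionedContainer(CXFA_LayoutContext*) /ssd/mbarbella/beh/src/third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:908:13
0x0000026980e4 is located 0 bytes to the right of global variable nNextPos defined in ../../third_party/pdfium/xfa/src/fxfa/src/parser/xfa_layout_itemlayout.cpp:752:27 (0x26980c0) of size 36
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+?):(\d+)(?::\d+)?$", re.M)
GLOBAL_RE = re.compile(r"global variable (\S+) defined in '?([^'\s]+)'? \((0x[0-9a-f]+)\) of size (\d+)")

@dataclass
class AsanTriage:
    bug_type: str            # e.g. "global-buffer-overflow"
    access: str              # "READ" or "WRITE"
    size: int                # bytes accessed
    address: int             # faulting address
    frames: list             # (function, file, line) tuples, innermost first
    var_name: str = None     # global ASan locates the address next to, if any
    var_start: int = None    # start address of that global
    var_size: int = None     # its size in bytes

    def offset_past_end(self):
        """Bytes from the end of the global to the faulting address; 0 means the first byte past it."""
        if self.var_start is None:
            return None
        return self.address - (self.var_start + self.var_size)

    def dedup_key(self):
        """Stable key for grouping fuzzer crashes: bug type, access kind and top-frame location."""
        func, path, line = self.frames[0]
        return f"{self.bug_type}|{self.access}|{func.split('(')[0]}|{path.rsplit('/', 1)[-1]}:{line}"

def parse_asan_report(text):
    head, acc = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not head or not acc:
        raise ValueError("not an ASan access-violation report")
    frames = [(f, p, int(n)) for f, p, n in FRAME_RE.findall(text)]
    t = AsanTriage(head.group(1), acc.group(1), int(acc.group(2)), int(head.group(2), 16), frames)
    g = GLOBAL_RE.search(text)
    if g:  # absent for heap/stack reports, which describe the object differently
        t.var_name, t.var_start, t.var_size = g.group(1), int(g.group(3), 16), int(g.group(4))
    return t
```

An offset of 0 with a 1-byte read, as here, means the access hit exactly the first byte past nNextPos, which is the signature of an index running one past the end of a fixed-size array.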
GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 2 Apr 2015 at 5:11

GoogleCodeExporter commented 8 years ago

Original comment by mjurc...@google.com on 26 Jun 2015 at 12:27

GoogleCodeExporter commented 8 years ago
Can somebody please remove the view restrictions from the chromium bug? This 
report is too terse to easily infer what the root cause was.

Original comment by berendjanwever on 1 Jul 2015 at 1:03