Closed GoogleCodeExporter closed 9 years ago
Original comment by antonin
on 19 Sep 2014 at 9:41
@bo_xu,
r2894, no warning with Asan on MacOS X with
issue2-fuzz-signal_sigsegv_6b88de_1123_2509.pdf
Could you check this one?
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 6:44
r2894
903.jp2 extracted from issue4-fuzz-51.pdf
./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
==2760==ERROR: AddressSanitizer failed to allocate 0x80003000 (-2147471360)
bytes of LargeMmapAllocator (errno: 12)
==2760==Process memory map follows:
0x9524f000-0x95274000 /usr/lib/libc++abi.dylib
0xa090b000-0xa090c000 /usr/lib/libc++abi.dylib
0xa59fd000-0xa8d4e000 /usr/lib/libc++abi.dylib
0x9902b000-0x99050000 /usr/lib/system/libxpc.dylib
0xa15b1000-0xa15b3000 /usr/lib/system/libxpc.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libxpc.dylib
0x97309000-0x97310000 /usr/lib/system/libunwind.dylib
0xa0b03000-0xa0b04000 /usr/lib/system/libunwind.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libunwind.dylib
0x967b8000-0x967ba000 /usr/lib/system/libunc.dylib
0xa0a69000-0xa0a6a000 /usr/lib/system/libunc.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libunc.dylib
0x910e6000-0x910e8000 /usr/lib/system/libsystem_sandbox.dylib
0xa03b2000-0xa03b3000 /usr/lib/system/libsystem_sandbox.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_sandbox.dylib
0x9bb6e000-0x9bb76000 /usr/lib/system/libsystem_pthread.dylib
0xa187c000-0xa187e000 /usr/lib/system/libsystem_pthread.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_pthread.dylib
0x944d5000-0x944db000 /usr/lib/system/libsystem_platform.dylib
0xa082f000-0xa0830000 /usr/lib/system/libsystem_platform.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_platform.dylib
0x904c8000-0x904d2000 /usr/lib/system/libsystem_notify.dylib
0xa026e000-0xa026f000 /usr/lib/system/libsystem_notify.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_notify.dylib
0x930c7000-0x930f3000 /usr/lib/system/libsystem_network.dylib
0xa06e6000-0xa06e8000 /usr/lib/system/libsystem_network.dylib
0xa06e8000-0xa06e9000 /usr/lib/system/libsystem_network.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_network.dylib
0x93178000-0x93191000 /usr/lib/system/libsystem_malloc.dylib
0xa06fb000-0xa06fc000 /usr/lib/system/libsystem_malloc.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_malloc.dylib
0x982f8000-0x9832a000 /usr/lib/system/libsystem_m.dylib
0xa14a3000-0xa14a4000 /usr/lib/system/libsystem_m.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_m.dylib
0x9ba7e000-0x9ba9c000 /usr/lib/system/libsystem_kernel.dylib
0xa186d000-0xa186f000 /usr/lib/system/libsystem_kernel.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_kernel.dylib
0x9bcf4000-0x9bd1d000 /usr/lib/system/libsystem_info.dylib
0xa18a0000-0xa18a2000 /usr/lib/system/libsystem_info.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_info.dylib
0x9a444000-0x9a44d000 /usr/lib/system/libsystem_dnssd.dylib
0xa1686000-0xa1687000 /usr/lib/system/libsystem_dnssd.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_dnssd.dylib
0x998d5000-0x998d8000 /usr/lib/system/libsystem_configuration.dylib
0xa160d000-0xa160e000 /usr/lib/system/libsystem_configuration.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_configuration.dylib
0x90587000-0x9061a000 /usr/lib/system/libsystem_c.dylib
0xa0274000-0xa027b000 /usr/lib/system/libsystem_c.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_c.dylib
0x95154000-0x95156000 /usr/lib/system/libsystem_blocks.dylib
0xa08f9000-0xa08fa000 /usr/lib/system/libsystem_blocks.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_blocks.dylib
0x930a9000-0x930bc000 /usr/lib/system/libsystem_asl.dylib
0xa06e3000-0xa06e4000 /usr/lib/system/libsystem_asl.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libsystem_asl.dylib
0x95432000-0x95434000 /usr/lib/system/libremovefile.dylib
0xa093c000-0xa093d000 /usr/lib/system/libremovefile.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libremovefile.dylib
0x9ba9c000-0x9ba9f000 /usr/lib/system/libquarantine.dylib
0xa186f000-0xa1870000 /usr/lib/system/libquarantine.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libquarantine.dylib
0x97681000-0x97686000 /usr/lib/system/libmacho.dylib
0xa1374000-0xa1375000 /usr/lib/system/libmacho.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libmacho.dylib
0x98f2c000-0x98f35000 /usr/lib/system/liblaunch.dylib
0xa1596000-0xa1597000 /usr/lib/system/liblaunch.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/liblaunch.dylib
0x96d85000-0x96d86000 /usr/lib/system/libkeymgr.dylib
0xa0ad7000-0xa0ad8000 /usr/lib/system/libkeymgr.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libkeymgr.dylib
0x9aaee000-0x9aaf2000 /usr/lib/system/libdyld.dylib
0xa173f000-0xa1740000 /usr/lib/system/libdyld.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libdyld.dylib
0x930f5000-0x9310e000 /usr/lib/system/libdispatch.dylib
0xa06ea000-0xa06ee000 /usr/lib/system/libdispatch.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libdispatch.dylib
0x97688000-0x976d9000 /usr/lib/system/libcorecrypto.dylib
0xa1376000-0xa1379000 /usr/lib/system/libcorecrypto.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libcorecrypto.dylib
0x9b4de000-0x9b4e7000 /usr/lib/system/libcopyfile.dylib
0xa1814000-0xa1815000 /usr/lib/system/libcopyfile.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libcopyfile.dylib
0x9c0c3000-0x9c0c9000 /usr/lib/system/libcompiler_rt.dylib
0xa18ce000-0xa18d0000 /usr/lib/system/libcompiler_rt.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libcompiler_rt.dylib
0x90008000-0x90014000 /usr/lib/system/libcommonCrypto.dylib
0xa0252000-0xa0253000 /usr/lib/system/libcommonCrypto.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libcommonCrypto.dylib
0x9c1ad000-0x9c1b2000 /usr/lib/system/libcache.dylib
0xa18e2000-0xa18e3000 /usr/lib/system/libcache.dylib
0xa59fd000-0xa8d4e000 /usr/lib/system/libcache.dylib
0x9a905000-0x9a95b000 /usr/lib/libc++.1.dylib
0xa170e000-0xa1714000 /usr/lib/libc++.1.dylib
0xa59fd000-0xa8d4e000 /usr/lib/libc++.1.dylib
0x930f3000-0x930f5000 /usr/lib/libSystem.B.dylib
0xa06e9000-0xa06ea000 /usr/lib/libSystem.B.dylib
0xa59fd000-0xa8d4e000 /usr/lib/libSystem.B.dylib
0x0073a000-0x007c4000 /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
0x007c4000-0x007cb000 /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
0x007cb000-0x007e5000 /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
0x0024d000-0x002aa000 /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
0x002aa000-0x00703000 /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
0x00703000-0x00737000 /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
0x00012000-0x00013000 /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
0x00013000-0x001df000 /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
0x001df000-0x001fa000 /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
0x001fa000-0x0024c000 /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
==2760==End of process memory map.
==2760==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x287227 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a227)
#1 0x28b6a3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3e6a3)
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 6:50
Attachments:
I tested "fuzz-signal_sigsegv_6b88de_1123_2509.pdf" and "fuzz-51.pdf" and cannot reproduce the crash. They should have been fixed. Thanks.
Original comment by bo...@foxitsoftware.com
on 3 Oct 2014 at 7:42
kdu_expand -i ../../data/issue364/903.jp2 -o 0.bmp
Error in Kakadu File Format Support:
JPX source contains no image header box for a codestream. The image header
(ihdr) box cannot be found in a codestream header (chdr) box, and does not
exist within a default JP2 header (jp2h) box.
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 8:15
On MacOS X x64:
./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
==25543==WARNING: AddressSanitizer failed to allocate 0x0017ffa001c8 bytes
==25543==AddressSanitizer's allocator is terminating the process instead of
returning 0
==25543==If you don't like this behavior set allocator_may_return_null=1
==25543==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
#0 0x10db4d5b3 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x345b3)
#1 0x10db50c41 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x37c41)
With allocation failure allowed, it tried to allocate large amounts of memory, swap, ... several minutes until the system was responsive enough to interrupt the process.
We should fix ASAP.
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 8:24
MacOS x64
38.jp2 from issue2-fuzz-signal_sigsegv_6b88de_1123_2509.pdf
./bin/opj_decompress -i ../../data/issue364/38.jp2 -o 0.bmp
ASAN:SIGSEGV
=================================================================
==25804==ERROR: AddressSanitizer: SEGV on unknown address 0x619100000fe6 (pc
0x00010a593fc1 bp 0x7fff5656c2b0 sp 0x7fff5656c2b0 T0)
#0 0x10a593fc0 in opj_read_bytes_LE /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/cio.c:87:3
#1 0x10a5cfc76 in opj_jp2_read_boxhdr_char /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2237:2
#2 0x10a5c7ee5 in opj_jp2_read_jp2h /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2184:9
#3 0x10a5cedab in opj_jp2_read_header_procedure /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1874:10
#4 0x10a5cd32a in opj_jp2_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1925:26
#5 0x10a5cdd84 in opj_jp2_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2306:8
#6 0x109694c50 in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x100004c50)
#7 0x7fff826b05fc in start (/usr/lib/system/libdyld.dylib+0x35fc)
#8 0x4 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/cio.c:87 opj_read_bytes_LE
==25804==ABORTING
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 8:28
Patch inspired by the one provided by bo_xu for 38.jp2
./bin/opj_decompress -i ../../data/issue364/38.jp2 -o 0.bmp
[ERROR] Box length is inconsistent.
[ERROR] Stream error while reading JP2 Header box
ERROR -> opj_decompress: failed to read the header
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 8:38
Attachments:
Patch issue364-38.patch tested against Test Suite & OK
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 3:40
Original comment by m.darb...@gmail.com
on 6 Oct 2014 at 11:46
Changed status from Verified to Started (only one out of 2 issues solved)
Original comment by m.darb...@gmail.com
on 6 Oct 2014 at 11:47
This issue was updated by revision r2897.
issue364-38.patch applied. Thanks Matthieu.
Original comment by antonin
on 6 Oct 2014 at 9:05
Patch for image 903. Tested against test suite & OK.
jp2 header does not contain an ihdr box which is required by the standard.
./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp
[ERROR] Stream error while reading JP2 Header box: no 'ihdr' box.
ERROR -> opj_decompress: failed to read the header
Original comment by m.darb...@gmail.com
on 8 Oct 2014 at 9:01
Attachments:
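The two patches in this thread add two checks to the JP2 header reader: a box whose declared length is shorter than its own header or runs past the end of the enclosing jp2h box is rejected ("Box length is inconsistent", the 38.jp2 case), and a jp2h box without an ihdr box is rejected ("no 'ihdr' box", the 903.jp2 case). The following is an added example, written for this page and not OpenJPEG's own code: a small walker over a jp2h payload that applies both checks and, as a further step beyond the patches, sanity-checks the ihdr dimensions before any width*height allocation could be attempted. The names (parse_jp2h, struct ihdr, MAX_PIXELS_PER_COMPONENT) and the sample byte strings are constructed for the example.

```c
/* Defensive walker over the payload of a JP2 'jp2h' super-box.
 * Added illustration, not OpenJPEG code: names, limits and samples are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum jp2h_status {
    JP2H_OK = 0,
    JP2H_BAD_BOX_LENGTH,   /* box shorter than its header, or past the end of jp2h */
    JP2H_NO_IHDR,          /* jp2h contains no 'ihdr' box */
    JP2H_BAD_IHDR          /* ihdr truncated or dimensions unreasonable */
};

struct ihdr {
    uint32_t height, width;
    uint16_t numcomps;
    uint8_t bpc;
};

/* JP2 box fields are big-endian. */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical policy limit on samples per component; a real decoder would make this configurable. */
#define MAX_PIXELS_PER_COMPONENT (1u << 28)

/* buf/len cover the bytes after the jp2h box's own 8-byte header. */
enum jp2h_status parse_jp2h(const uint8_t *buf, size_t len, struct ihdr *out) {
    size_t off = 0;
    int have_ihdr = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8)                   /* not even a full box header left */
            return JP2H_BAD_BOX_LENGTH;
        uint32_t lbox = rd32be(buf + off);
        const uint8_t *tbox = buf + off + 4;
        size_t hdr = 8;
        uint64_t boxlen = lbox;
        if (lbox == 0) {
            boxlen = remaining;              /* LBox 0: box extends to the end of jp2h */
        } else if (lbox == 1) {              /* LBox 1: 64-bit XLBox follows */
            if (remaining < 16) return JP2H_BAD_BOX_LENGTH;
            uint64_t hi = rd32be(buf + off + 8), lo = rd32be(buf + off + 12);
            boxlen = (hi << 32) | lo;
            hdr = 16;
        }
        /* Check from the 38.jp2 patch: a box may not be shorter than its header
         * nor extend past the enclosing box. */
        if (boxlen < hdr || boxlen > remaining)
            return JP2H_BAD_BOX_LENGTH;
        if (memcmp(tbox, "ihdr", 4) == 0) {
            if (boxlen - hdr < 14) return JP2H_BAD_IHDR;   /* ihdr payload is 14 bytes */
            const uint8_t *p = buf + off + hdr;
            out->height   = rd32be(p);
            out->width    = rd32be(p + 4);
            out->numcomps = (uint16_t)((p[8] << 8) | p[9]);
            out->bpc      = p[10];
            if (out->width == 0 || out->height == 0 || out->numcomps == 0)
                return JP2H_BAD_IHDR;
            /* Overflow-safe size check before anyone allocates width*height. */
            if ((uint64_t)out->width * out->height > MAX_PIXELS_PER_COMPONENT)
                return JP2H_BAD_IHDR;
            have_ihdr = 1;
        }
        off += (size_t)boxlen;               /* boxlen <= remaining, so this cannot overshoot */
    }
    /* Check from the 903.jp2 patch: ihdr is mandatory inside jp2h. */
    return have_ihdr ? JP2H_OK : JP2H_NO_IHDR;
}

/* Constructed sample jp2h payloads (not bytes from the files in this thread). */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x16, 'i','h','d','r',          /* ihdr, LBox 22 */
    0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x40,      /* height 32, width 64 */
    0x00,0x03, 0x07, 0x07, 0x00, 0x00,             /* NC 3, BPC, C, UnkC, IPR */
    0x00,0x00,0x00,0x0F, 'c','o','l','r',          /* colr, LBox 15 */
    0x01, 0x00, 0x00, 0x00,0x00,0x00,0x10
};
/* Same ihdr, but LBox corrupted to 0x7FFFFFFF: runs far past the end of jp2h. */
static const uint8_t SAMPLE_OVERLONG[] = {
    0x7F,0xFF,0xFF,0xFF, 'i','h','d','r',
    0x00,0x00,0x00,0x20, 0x00,0x00,0x00,0x40, 0x00,0x03, 0x07,0x07,0x00,0x00
};
/* Only a colr box: no ihdr at all. */
static const uint8_t SAMPLE_NO_IHDR[] = {
    0x00,0x00,0x00,0x0F, 'c','o','l','r', 0x01,0x00,0x00, 0x00,0x00,0x00,0x10
};

int main(void) {
    struct ihdr h;
    printf("valid:    %d\n", parse_jp2h(SAMPLE_OK, sizeof SAMPLE_OK, &h));
    printf("overlong: %d\n", parse_jp2h(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, &h));
    printf("no ihdr:  %d\n", parse_jp2h(SAMPLE_NO_IHDR, sizeof SAMPLE_NO_IHDR, &h));
    return 0;
}
```

The length check is what turns a fuzzed LBox into a clean "Box length is inconsistent" error instead of a read past the buffer (the opj_read_bytes_LE SEGV above), and the mandatory-ihdr check is what keeps uninitialised width/height/component counts from reaching the allocator, which is the path that produced the multi-gigabyte allocation attempts for 903.jp2.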
Original comment by m.darb...@gmail.com
on 8 Oct 2014 at 9:01
This issue was closed by revision r2905.
Original comment by antonin
on 21 Oct 2014 at 12:35
Original issue reported on code.google.com by
bo...@foxitsoftware.com
on 28 Jun 2014 at 1:04
Attachments: