bhanu475 / pdfium

Automatically exported from code.google.com/p/pdfium
0 stars 0 forks source link

Security: Use-of-uninitialized-value in CJBig2_SDDProc::decode_Arith #130

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
VULNERABILITY DETAILS
Field "CJBig2_SDDProc::SDNUMEXSYMS" is potentially used when uninitialized. The 
attached bug report from Clang SA points to the undefined access. Full stack 
trace is:

CJBig2_SDDProc::decode_Arith(CJBig2_ArithDecoder*, JBig2ArithCtx*, 
JBig2ArithCtx*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation(IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation_FirstPage(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::decode_EmbedOrgnazation(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)

VERSION
Pdfium Version: Warning flagged on commit `b7cb36a` ``Merge to XFA.."
Operating System: NA
Label: Cr-Internals-Plugins-PDF

FIX
Initialize SDNUMEXSYMS in constructor of CJBig2_SDDProc.

REPRODUCTION CASE
Found via static analysis. So, no dynamic stack trace available.

Original issue reported on code.google.com by bsh...@gmail.com on 3 Mar 2015 at 10:10

GoogleCodeExporter commented 9 years ago
Oops. Adding missing attachment.

Original comment by bsh...@gmail.com on 3 Mar 2015 at 10:11

Attachments:

GoogleCodeExporter commented 9 years ago
Update: Figured that global stack in report was buggy. Here is the correct call 
stack leading to the bug. Concerned lib is libfxcodec.

CJBig2_SDDProc::decode_Arith(CJBig2_ArithDecoder*, JBig2ArithCtx*, 
JBig2ArithCtx*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CCodec_Jbig2Module::ContinueDecode(void*, IFX_Pause*)

Original comment by bsh...@gmail.com on 6 Mar 2015 at 12:39

GoogleCodeExporter commented 9 years ago

Original comment by thestig@chromium.org on 8 May 2015 at 9:37