iron261 / openjpeg

Automatically exported from code.google.com/p/openjpeg

PDF crash in chrome - part1 #363

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Attached are test files and fixes for a PDF file crash in Chrome. They were found
and fixed in pdfium testing by Foxit.

openjpeg svn version:
r2833

test environment:
chrome build environment, put openjpeg into chrome/external

Original issue reported on code.google.com by bo...@foxitsoftware.com on 28 Jun 2014 at 1:01

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by antonin on 19 Sep 2014 at 9:41

GoogleCodeExporter commented 9 years ago
@bo_xu,

r2894
No crash with ASAN_OPTIONS=allocator_may_return_null=1 on MacOS X i386

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 6:57

GoogleCodeExporter commented 9 years ago
I tested on Ubuntu 12.04 with Asan and can see the crash.

Original comment by bo...@foxitsoftware.com on 3 Oct 2014 at 7:44

GoogleCodeExporter commented 9 years ago
WARNING: No imsbtree created.
==4471==WARNING: AddressSanitizer failed to allocate 0xfffffffe bytes
==4471==AddressSanitizer's allocator is terminating the process instead of returning 0
==4471==If you don't like this behavior set allocator_may_return_null=1
==4471==AddressSanitizer CHECK failed: /work/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
    #0 0x80df67d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0:0
    #1 0x80e38ff in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0:0
    #2 0x80e22aa in __sanitizer::AllocatorReturnNull() ??:0:0
    #3 0x80683a8 in __asan::asan_realloc(void*, unsigned long, __sanitizer::StackTrace*) ??:0:0
    #4 0x80d67b7 in realloc ??:0:0
    #5 0x84a51f2 in opj_j2k_read_tile_header /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7617:74
    #6 0x84bb8ed in opj_j2k_decode_tiles /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9277:23
    #7 0x84acddd in opj_j2k_exec /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7187:41
    #8 0x84acddd in opj_j2k_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9496:0
    #9 0x8370406 in opj_jp2_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1300:8
    #10 0x836c6e1 in opj_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/openjpeg.c:412:10
    #11 0x8364519 in CJPX_Decoder::Init(unsigned char const*, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:626:15
    #12 0x8365938 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:767:10
    #13 0x82cac0d in CPDF_DIBSource::LoadJpxBitmap() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:643:21
    #14 0x82c614e in CPDF_DIBSource::CreateDecoder() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:599:9
    #15 0x82c1f94 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335:15
    #16 0x82b0245 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:310:15
    #17 0x82afe3c in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #18 0x82d3499 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1489:15
    #19 0x82d43aa in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1549:19
    #20 0x82b5c2b in CPDF_ImageRenderer::StartLoadDIBSource() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:371:9
    #21 0x82b1a32 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:525:9
    #22 0x82a2fc6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:350:14
    #23 0x82acb9e in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1175:21
    #24 0x82ab79a in CPDF_ProgressiveRenderer::Start(CPDF_RenderContext*, CFX_RenderDevice*, CPDF_RenderOptions const*, IFX_Pause*, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1114:5
    #25 0x80f6952 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:789:2
    #26 0x80f6cf1 in FPDF_RenderPageBitmap /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:586:2
    #27 0x80f336b in RenderPdf(char const*, char const*, unsigned int, OutputFormat) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:324:5
    #28 0x80f3e0d in main /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:406:7
    #29 0xf72984d2 in __libc_start_main ??:0:0
    #30 0x80f2484 in _start ??:0:0

Original comment by bo...@foxitsoftware.com on 3 Oct 2014 at 7:45

GoogleCodeExporter commented 9 years ago
I am not quite sure what "allocator_may_return_null=1" does. The stack above is 
when set allocator_may_return_null=0. In this scenario, would the crash make 
sense?

Original comment by bo...@foxitsoftware.com on 3 Oct 2014 at 7:51

GoogleCodeExporter commented 9 years ago
allocator_may_return_null=1 means that ASAN will not fail on large (huge) 
malloc & let the malloc do what it needs, even if that means returning NULL.
Documentation on ASan is very sparse... So that's mostly what I guessed & 
partially read.

Fails gracefully on x64 even without this option.

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 9:31

GoogleCodeExporter commented 9 years ago
From previous comments, issue might be deemed non critical. Nevertheless, we 
might want to succeed or fail earlier.

kdu_expand -i ../../data/issue363/4723.jp2 -o 0.bmp

Consumed 4 tile-part(s) from a total of 17 tile(s).
Consumed 4,076,863,684 codestream bytes (excluding any file format) =
540393.502866 bits/pel.
Processed using the multi-threaded environment, with
    2 parallel threads of execution

Not the same output as Apple Preview (so that may just be noise on either side)

kdu_expand -i ../../data/issue363/4740.jp2 -o 0.bmp
Kakadu Core Error:
Invalid marker code found in code-stream!
    Expected SOT marker and got 0x0.

kdu_expand -i ../../data/issue363/4792.jp2 -o 0.bmp
Kakadu Core Error:
Invalid marker code found in code-stream!
    Expected SOT marker and got 0x0.

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 9:36

Attachments:

GoogleCodeExporter commented 9 years ago
MacOS x64 output :
./bin/opj_decompress -i ../../data/issue363/4792.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
...
[INFO] Header of tile 1 / 17 has been read.
[INFO] Tile 1/17 has been decoded.
[INFO] Image data has been updated with tile 1.
...
[INFO] Header of tile 6 / 17 has been read.
[INFO] Tile 6/17 has been decoded.
[INFO] Image data has been updated with tile 6.

[INFO] Stream reached its end !
[ERROR] Stream too short
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 9:38

GoogleCodeExporter commented 9 years ago
./bin/opj_decompress -i ../../data/issue363/4723.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Stream reached its end !
[ERROR] Stream too short
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 9:39

GoogleCodeExporter commented 9 years ago
Patch fixing issues on images 4740 & 4792.
Issue remaining on image 4723.

./bin/opj_decompress -i ../../data/issue363/4740.jp2 -o 0.bmp
[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
...................
[INFO] Header of tile 16 / 17 has been read.
[INFO] Tile 16/17 has been decoded.
[INFO] Image data has been updated with tile 16.

[ERROR] Inconsistent marker size
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

./bin/opj_decompress -i ../../data/issue363/4792.jp2 -o 0.bmp
[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
..........
[INFO] Header of tile 6 / 17 has been read.
[INFO] Tile 6/17 has been decoded.
[INFO] Image data has been updated with tile 6.

[ERROR] Inconsistent marker size
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Original comment by m.darb...@gmail.com on 7 Oct 2014 at 6:44

Attachments:

GoogleCodeExporter commented 9 years ago
Full patch. Tested against test suite OK.

./bin/opj_decompress -i ../../data/issue363/4723.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Tile part length size inconsistent with stream length
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Kakadu decodes 4723. We should create another issue if needed but no more crash.

Original comment by m.darb...@gmail.com on 7 Oct 2014 at 7:43

Attachments:
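The trace earlier in this thread shows realloc() being asked for 0xfffffffe bytes from opj_j2k_read_tile_header, and the final patch turns that into the error "Tile part length size inconsistent with stream length". The example below is added here to illustrate that class of check; it is not OpenJPEG's code and not the attached patch. It assumes a simplified decoder that reads one SOT marker segment (12 bytes per the JPEG 2000 codestream syntax: SOT, Lsot=10, Isot, Psot, TPsot, TNsot) and validates the Psot tile-part length against the bytes actually left in the stream before any buffer growth happens. The names check_tile_part_length, tile_buf_append, read_tile_part and demo, and the two sample codestream fragments, are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes from the JPEG 2000 codestream syntax: the SOT marker segment is
 * 12 bytes: SOT(2) Lsot(2)=10 Isot(2) Psot(4) TPsot(1) TNsot(1).  Psot counts
 * from the first byte of the SOT marker to the end of the tile-part's data;
 * Psot == 0 means "runs to EOC".  Hypothetical simplified decoder, not OpenJPEG. */
#define SOT_MARKER      0xFF90u
#define SOT_SEGMENT_LEN 12u

typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes stored */
    size_t   cap;   /* bytes allocated */
} tile_buf;

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Derive the tile-part payload length from Psot and check it against the bytes
 * that remain *after* the 12-byte SOT segment.  Returns 0 and sets *payload_len
 * on success, -1 when the header is inconsistent with the stream.  Doing this
 * before growing any buffer is what keeps a bogus Psot away from realloc(). */
int check_tile_part_length(uint32_t psot, size_t remaining, size_t *payload_len)
{
    if (psot == 0) {                 /* until EOC: take what is left */
        *payload_len = remaining;
        return 0;
    }
    if (psot < SOT_SEGMENT_LEN)      /* cannot even cover its own SOT segment */
        return -1;
    if ((size_t)(psot - SOT_SEGMENT_LEN) > remaining)  /* claims bytes the stream lacks */
        return -1;
    *payload_len = psot - SOT_SEGMENT_LEN;
    return 0;
}

/* Append `add` validated bytes to the tile buffer, with an overflow check on
 * the new size and a NULL check on realloc(). */
static int tile_buf_append(tile_buf *b, const uint8_t *src, size_t add)
{
    if (add == 0) return 0;
    if (add > SIZE_MAX - b->len) return -1;
    if (b->len + add > b->cap) {
        size_t ncap = b->len + add;
        uint8_t *p = realloc(b->data, ncap);
        if (!p) return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, add);
    b->len += add;
    return 0;
}

/* Parse one tile-part starting at stream[pos] (which must be an SOT marker)
 * into `out`.  Returns the number of bytes consumed, or 0 on any error. */
size_t read_tile_part(const uint8_t *stream, size_t stream_len, size_t pos, tile_buf *out)
{
    size_t payload;
    if (pos > stream_len || stream_len - pos < SOT_SEGMENT_LEN) return 0;
    if (be16(stream + pos) != SOT_MARKER) return 0;
    if (be16(stream + pos + 2) != 10) return 0;          /* Lsot must be 10 */
    uint32_t psot = be32(stream + pos + 6);
    size_t remaining = stream_len - pos - SOT_SEGMENT_LEN;
    if (check_tile_part_length(psot, remaining, &payload) != 0) return 0;
    if (tile_buf_append(out, stream + pos + SOT_SEGMENT_LEN, payload) != 0) return 0;
    return SOT_SEGMENT_LEN + payload;
}

/* Constructed sample: a well-formed SOT segment followed by 4 payload bytes
 * (Psot = 16), then the same segment claiming Psot = 0xFFFFFFFE, the request
 * size seen in the thread's ASan trace.  Returns 1 when the first is accepted
 * and the second rejected without touching the buffer. */
int demo(void)
{
    static const uint8_t good[] = { 0xFF,0x90, 0x00,0x0A, 0x00,0x00, 0x00,0x00,0x00,0x10,
                                    0x00,0x01, 0xDE,0xAD,0xBE,0xEF };
    static const uint8_t bad[]  = { 0xFF,0x90, 0x00,0x0A, 0x00,0x00, 0xFF,0xFF,0xFF,0xFE,
                                    0x00,0x01, 0xDE,0xAD,0xBE,0xEF };
    tile_buf b = { NULL, 0, 0 };
    size_t n_good = read_tile_part(good, sizeof good, 0, &b);
    size_t n_bad  = read_tile_part(bad,  sizeof bad,  0, &b);
    int ok = (n_good == 16 && b.len == 4 && n_bad == 0 && b.len == 4);
    free(b.data);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "ok: oversized Psot rejected before allocation" : "FAIL");
    return demo() ? 0 : 1;
}
```

The point of the ordering is the one the thread arrives at: with allocator_may_return_null=0 the sanitizer aborts inside realloc() the moment a header-derived size is passed through, so the decoder has to reject the size itself, before the allocation, rather than rely on NULL coming back.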

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r2899.

Original comment by antonin on 14 Oct 2014 at 3:15