linmaogithub / pdfium

Automatically exported from code.google.com/p/pdfium

Security: Use-of-uninitialized-value in CPDF_SyntaxParser::GetDirectNum() #122

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
VULNERABILITY DETAILS
Field "m_bIsNumber" belonging to class "CPDF_SyntaxParser" is potentially used 
uninitialized in the following call sequence:
1a. CPDF_Parser::GetIndirectBinary() is called and we step into the function on 
line 1270.
2a. Assume (m_V5Type[objnum] == 2) on line 1275, so we enter this if block.
3a. Assume (pObjStream != NULL) on line 1277, so we skip this if block.
4a. CPDF_SyntaxParser object named "syntax" is created on line 1282.
5a. Constructor of CPDF_SyntaxParser does not initialize "m_bIsNumber".
6a. InitParser(file, 0) is called on the "syntax" object on line 1286.
7a. "InitParser()" also does not initialize "m_bIsNumber".
8a. Assume n > 0 on line 1287, so we enter the while loop.
9a. Call to "syntax.GetDirectNum()" on line 1288.
10a. Step into "GetDirectNum()" on line 2519.
11a. Guard condition on line 2520 "if(!m_bIsNumber)" negates an uninitialized 
"m_bIsNumber".

Another call sequence leading to a similar result is the following:
1b. Call and step into CPDF_Parser::ParseIndirectObject() on line 1194.
2b. Assume "objnum < (FX_DWORD)m_CrossRef.GetSize()" on line 1194, so we skip 
this if block.
3b. Assume "m_V5Type[objnum] != 1 && m_V5Type[objnum] != 255" on line 1197, so 
we skip this if block.
4b. Assume "m_V5Type[objnum] == 2" on line 1204, so we enter this if block.
5b. Assume "(pObjStream != NULL)" on line 1206, so we skip this if block.
6b. Then, follow steps analogous to steps 4a-11a starting on line 1211.

VERSION
Pdfium Version: Warning flagged on commit `b7cb36a` ("Merge to XFA..")
Operating System: NA
Label: Cr-Internals-Plugins-PDF

FIX
Initialize m_bIsNumber in constructor.
e.g., `m_bIsNumber = FALSE;` or `m_bIsNumber = TRUE;` on new line 54 patches the 
bugs in this report.

REPRODUCTION CASE
I don't have one. MSan would be a good judge! I actually found this bug by 
writing a custom clang analyzer checker for "use-of-uninitialized-value" kind 
of bugs and by running the checker against pdfium. I have more reports from 
Clang that I am yet to look into but would be happy to report it if there is 
anything interesting.

Original issue reported on code.google.com by bsh...@gmail.com on 17 Feb 2015 at 11:42

GoogleCodeExporter commented 9 years ago
RE: Looks like the label didn't get picked up.

JFYI: "Cr-Internals-Plugins-PDF"

Original comment by bsh...@gmail.com on 17 Feb 2015 at 11:44

GoogleCodeExporter commented 9 years ago
RE: Ignore this report. It's a false positive.

Sorry for the mess. I missed the call to GetNextWord() right before the warning!

Original comment by bsh...@gmail.com on 17 Feb 2015 at 3:48
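A small C++ model of the call shape in the report's FIX section and the false-positive follow-up, added here as an illustration (hypothetical `ToySyntaxParser` and `ParseDirectNums`, not pdfium code): `GetDirectNum()` calls `GetNextWord()` before testing `m_bIsNumber`, which is the data flow the checker missed, and the constructor also initializes the flag so no other caller can observe an indeterminate value.

```cpp
#include <cctype>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for the CPDF_SyntaxParser data flow in this issue
// (added example, not pdfium code). GetNextWord() assigns m_bIsNumber on every
// call and GetDirectNum() always calls it before testing the flag, which is why
// the reported read is a false positive. The constructor still initializes the
// flag, as the FIX section suggests, so MSan has nothing to report either way.
class ToySyntaxParser {
 public:
  explicit ToySyntaxParser(const std::string& buf)
      : m_Buf(buf), m_Pos(0), m_bIsNumber(false) {}  // defensive init
  // Reads the next whitespace-delimited word; sets m_bIsNumber iff all digits.
  std::string GetNextWord() {
    SkipWhitespace();
    size_t start = m_Pos;
    while (m_Pos < m_Buf.size() && !IsSpace(m_Buf[m_Pos])) ++m_Pos;
    std::string word = m_Buf.substr(start, m_Pos - start);
    m_bIsNumber = !word.empty();
    for (char c : word)
      if (!std::isdigit(static_cast<unsigned char>(c))) m_bIsNumber = false;
    return word;
  }
  // Same shape as the pdfium call: GetNextWord() runs first, so the guard
  // below never reads an unset flag. Non-numeric words yield 0.
  uint32_t GetDirectNum() {
    std::string word = GetNextWord();
    if (!m_bIsNumber) return 0;
    return static_cast<uint32_t>(std::stoul(word));
  }
  bool AtEnd() { SkipWhitespace(); return m_Pos >= m_Buf.size(); }

 private:
  static bool IsSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }
  void SkipWhitespace() { while (m_Pos < m_Buf.size() && IsSpace(m_Buf[m_Pos])) ++m_Pos; }
  std::string m_Buf;
  size_t m_Pos;
  bool m_bIsNumber;
};

// Walks a constructed object-stream header ("objnum offset" pairs) the way the
// GetIndirectBinary() loop in the report does, one GetDirectNum() per word.
std::vector<uint32_t> ParseDirectNums(const std::string& buf) {
  ToySyntaxParser syntax(buf);
  std::vector<uint32_t> out;
  while (!syntax.AtEnd()) out.push_back(syntax.GetDirectNum());
  return out;
}
```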

GoogleCodeExporter commented 9 years ago
Please file security bugs on the Chromium bug tracker.

Original comment by thestig@chromium.org on 4 Sep 2015 at 10:58