omarss / pdfium

Automatically exported from code.google.com/p/pdfium

Security: Use-of-uninitialized-value in CJBig2_SDDProc::decode_Huffman #129

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
VULNERABILITY DETAILS
Field "CJBig2_SDDProc::SDNUMEXSYMS" of class "CJBig2_SDDProc" is potentially 
used when uninitialized. The attached bug report from Clang SA points to the 
undefined access. Full stack trace is:

CJBig2_SDDProc::decode_Huffman(CJBig2_BitStream *, JBig2ArithCtx *, 
JBig2ArithCtx *, IFX_Pause*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decode_EmbedOrgnazation(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation(IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation_FirstPage(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)

VERSION
Pdfium Version: Warning flagged on commit `b7cb36a` "Merge to XFA.."
Operating System: NA
Label: Cr-Internals-Plugins-PDF

FIX
Initialize SDNUMEXSYMS in constructor of CJBig2_SDDProc.

REPRODUCTION CASE
Found via static analysis. So, no dynamic stack trace available.

Original issue reported on code.google.com by bsh...@gmail.com on 3 Mar 2015 at 9:35

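
The defect this report describes, as an added C++ illustration that is not pdfium's code: a reduced symbol-dictionary procedure whose SDNUMEXSYMS field is left indeterminate, beside the form fixed as the report suggests, with every count given a definite initial value. The exportSymbols() routine and its bound check against SDNUMINSYMS + SDNUMNEWSYMS are my own stand-ins, assuming that exported symbols are drawn only from the input and new symbol sets.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Reduced stand-in (not pdfium's class): the segment parser is expected to
// fill SDNUMEXSYMS before decode_Huffman() runs. Shown only for comparison;
// it is never instantiated below.
struct SymbolDictProcUnsafe {
  uint32_t SDNUMINSYMS;   // set by the parser
  uint32_t SDNUMNEWSYMS;  // set by the parser
  uint32_t SDNUMEXSYMS;   // indeterminate until assigned: any read on a parser
                          // path that skips the assignment is undefined behaviour
};

// Hardened form, as the report's FIX suggests: each count is initialized at
// construction, so a path that never assigns SDNUMEXSYMS sees 0 exports rather
// than a garbage loop bound or allocation size.
struct SymbolDictProc {
  uint32_t SDNUMINSYMS = 0;
  uint32_t SDNUMNEWSYMS = 0;
  uint32_t SDNUMEXSYMS = 0;
};

// Stand-in for the export step: sizes the output table from SDNUMEXSYMS and
// rejects a count larger than the symbols actually available (assumption:
// exports come from input + new symbols). 64-bit sum avoids overflow.
std::optional<std::vector<uint32_t>> exportSymbols(const SymbolDictProc& p) {
  const uint64_t available = uint64_t{p.SDNUMINSYMS} + p.SDNUMNEWSYMS;
  if (p.SDNUMEXSYMS > available) return std::nullopt;
  std::vector<uint32_t> exported;
  exported.reserve(p.SDNUMEXSYMS);
  for (uint32_t i = 0; i < p.SDNUMEXSYMS; ++i) exported.push_back(i);
  return exported;
}

// Helpers returning plain values so the behaviour can be checked directly.
uint32_t defaultExportCount() { return SymbolDictProc{}.SDNUMEXSYMS; }

// Returns the number of exported symbols, or -1 when the count is rejected.
int exportCountFor(uint32_t in, uint32_t nw, uint32_t ex) {
  SymbolDictProc p;
  p.SDNUMINSYMS = in;
  p.SDNUMNEWSYMS = nw;
  p.SDNUMEXSYMS = ex;
  const auto r = exportSymbols(p);
  return r ? static_cast<int>(r->size()) : -1;
}
```

Building with -fsanitize=memory, or running the Clang static analyzer as the reporter did, is what flags the unsafe form; the initialized form gives the analyzer nothing to report.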
GoogleCodeExporter commented 9 years ago
Update: Figured that the global stack in the report was buggy. Here is the correct call 
stack leading to the bug. The concerned lib is libfxcodec.

CJBig2_SDDProc::decode_Huffman(CJBig2_BitStream*, JBig2ArithCtx*, 
JBig2ArithCtx*, IFX_Pause*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CCodec_Jbig2Module::ContinueDecode(void*, IFX_Pause*)

Original comment by bsh...@gmail.com on 6 Mar 2015 at 12:36

GoogleCodeExporter commented 9 years ago

Original comment by thestig@chromium.org on 8 May 2015 at 9:37

GoogleCodeExporter commented 9 years ago
Actually, should this and bug 130 be filed on the Chromium bug tracker instead? 
If so, I can just move them for you.

Original comment by thestig@chromium.org on 8 Aug 2015 at 1:17