zhujingguang / pdfium

Automatically exported from code.google.com/p/pdfium
0 stars 0 forks source link

CXFA_DefFontMgr::GetFont() doesn't work in sandboxed renderer. #91

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Chromium 41.0.2227.0 / Linux.

The attached file will cause a NULL deref crash (assert in debug mode) when run 
in chromium using XFA.  The issue will not reproduce when run using the 
--no-sandbox flag.

A bit of tracing shows the following calls from the renderer:

#0  open64 () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f3f6f94688d in CFXCRT_FileAccess_Posix::Open (this=0x2cee90340cf0, 
fileName=..., dwMode=1)
    at ../../third_party/pdfium/core/src/fxcrt/fxcrt_posix.cpp:43
#2  0x00007f3f6f946927 in CFXCRT_FileAccess_Posix::Open (this=0x2cee90340cf0, 
fileName=..., dwMode=1)
    at ../../third_party/pdfium/core/src/fxcrt/fxcrt_posix.cpp:48
#3  0x00007f3f6f93f1c1 in FX_CreateFileStream (
    filename=0x2cee9037aab0 L"/usr/local/share/fonts/chromeos/notofonts-20121206/NotoSansTamil-Regular.ttf", dwModes=1)
    at ../../third_party/pdfium/core/src/fxcrt/fx_extension.cpp:113
#4  0x00007f3f6f94227a in CFX_CRTFileAccess::CreateFileStream 
(this=0x2cee8f8512a0, dwModes=1)
    at ../../third_party/pdfium/core/src/fxcrt/extension.h:60
#5  0x00007f3f702353e2 in CFX_FontMgrImp::EnumFonts (this=0x2cee8fe80700)
    at ../../third_party/pdfium/xfa/src/fgas/src/font/fx_stdfontmgr.cpp:594
#6  0x00007f3f702352ad in IFX_FontMgr::Create (pFontEnum=0x2cee8fd310a0, 
pDelegate=0x0, pUserData=0x0)
    at ../../third_party/pdfium/xfa/src/fgas/src/font/fx_stdfontmgr.cpp:567
#7  0x00007f3f7014262f in CXFA_FFApp::GetFDEFontMgr (this=0x2cee8ffb5020)
    at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_ffapp.cpp:258
#8  0x00007f3f70169b3e in CXFA_DefFontMgr::GetFont (this=0x2cee902bcda0, 
hDoc=0x2cee8fec1b60, wsFontFamily=..., dwFontStyles=0, 
    wCodePage=65535) at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_fontmgr.cpp:1029
#9  0x00007f3f7016b4c3 in CXFA_FontMgr::GetFont (this=0x2cee8f8e31d0, 
hDoc=0x2cee8fec1b60, wsFontFamily=..., dwFontStyles=0, 
    wCodePage=65535) at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_fontmgr.cpp:1324
#10 0x00007f3f7016fedc in CXFA_TextParser::GetFont (this=0x2cee9052c3c8, 
pTextProvider=0x2cee90345c20, pStyle=0x0)
    at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_textlayout.cpp:381
#11 0x00007f3f70171aaa in CXFA_TextLayout::CreateBreak (this=0x2cee9052c380, 
bDefault=1)
    at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_textlayout.cpp:744
#12 0x00007f3f7017368d in CXFA_TextLayout::Layout (this=0x2cee9052c380, 
iBlock=0)
    at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_textlayout.cpp:1088
#13 0x00007f3f7017540f in CXFA_TextLayout::DrawString (this=0x2cee9052c380, 
pFxDevice=0x2cee8f9939a0, tmDoc2Device=..., 
    rtClip=..., iBlock=0) at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_textlayout.cpp:1219
#14 0x00007f3f7015148e in CXFA_FFText::RenderWidget (this=0x2cee8f7e0430, 
pGS=0x7fff7f185bb8, pMatrix=0x2cee8ffad5e8, 
    dwStatus=134217728, iRotate=0) at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_fftext.cpp:61
#15 0x00007f3f7016e15e in CXFA_RenderContext::DoRender (this=0x2cee8ffad5c0, 
pPause=0x0)
    at ../../third_party/pdfium/xfa/src/fxfa/src/app/xfa_rendercontext.cpp:58
#16 0x00007f3f6f65c926 in CPDFSDK_PageView::PageView_OnDraw 
(this=0x2cee8ff89ac0, pDevice=0x2cee8f9939a0, 
    pUser2Device=0x7fff7f185d00, pOptions=0x7fff7f185cc0, pClip=0x7fff7f185cf0)
    at ../../third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:690
#17 0x00007f3f6f63677c in FPDF_FFLDraw (hHandle=0x2cee8fcaf7a0, 
bitmap=0x2cee8f9337a0, page=0x2cee9034bce0, start_x=5, start_y=3, 
    size_x=816, size_y=1056, rotate=0, flags=258) at ../../third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:333
#18 0x00007f3f6f563fa0 in chrome_pdf::PDFiumEngine::FinishPaint 
(this=0x2cee9049b020, progressive_index=0, image_data=
    0x2cee8f8419e8) at ../../pdf/pdfium/pdfium_engine.cc:2784
#19 0x00007f3f6f563853 in chrome_pdf::PDFiumEngine::Paint (this=0x2cee9049b020, 
rect=..., image_data=0x2cee8f8419e8, 
    ready=0x7fff7f186148, pending=0x7fff7f186108) at ../../pdf/pdfium/pdfium_engine.cc:1068

This will fail when sandboxed, and I believe it will eventually lead to the 
crash.  The assert hit while sandboxed under debug is:

...
#6 0x7f45d8a26b22 __assert_fail
#7 0x7f45d14cbed2 CXFA_DefFontMgr::GetDefaultFont()
#8 0x7f45d14cd5da CXFA_FontMgr::GetFont()
#9 0x7f45d14d1edc CXFA_TextParser::GetFont()
#10 0x7f45d14d3aaa CXFA_TextLayout::CreateBreak()
#11 0x7f45d14d568d CXFA_TextLayout::Layout()
#12 0x7f45d14d740f CXFA_TextLayout::DrawString()
#13 0x7f45d14b348e CXFA_FFText::RenderWidget()
#14 0x7f45d14d015e CXFA_RenderContext::DoRender()
#15 0x7f45d09be926 CPDFSDK_PageView::PageView_OnDraw()
#16 0x7f45d099877c FPDF_FFLDraw
#17 0x7f45d08c5fa0 chrome_pdf::PDFiumEngine::FinishPaint()
#18 0x7f45d08c5853 chrome_pdf::PDFiumEngine::Paint()

We need to come up with a way to get this information that doesn't require 
opening files.

Original issue reported on code.google.com by tsepez@chromium.org on 9 Dec 2014 at 10:29

Attachments:

GoogleCodeExporter commented 9 years ago
John, do you know who might have context on how we solved these kinds of issues 
for the original non-xfa case? 

Original comment by tsepez@chromium.org on 9 Dec 2014 at 10:33

GoogleCodeExporter commented 9 years ago
Looks like this is for loading fonts; Foxit had created an interface for us to 
load fonts inside the sandbox. See g_font_info in pdfium_engine.cc. Seems like 
the XFA code should use that as well.

Original comment by jam@chromium.org on 9 Dec 2014 at 11:12

GoogleCodeExporter commented 9 years ago

Original comment by jun_f...@foxitsoftware.com on 5 Apr 2015 at 4:03