pdfium IsFlagSet (v8 memory management) - SIGSEGV

EDB-ID:

39164

CVE:

N/A

EDB Verified:
Author:

Google Security Research

Type:

dos

Exploit: /
Platform:

Multiple

Date:

2016-01-04

Vulnerable App:
Source: https://code.google.com/p/google-security-research/issues/detail?id=622

The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:

--- cut ---
==31710==ERROR: AddressSanitizer: SEGV on unknown address 0x7f53cc100009 (pc 0x0000016fafe2 bp 0x7ffee170d730 sp 0x7ffee170d6b0 T0)
    #0 0x16fafe1 in IsFlagSet v8/src/heap/spaces.h:548:13
    #1 0x16fafe1 in IsEvacuationCandidate v8/src/heap/spaces.h:689
    #2 0x16fafe1 in RecordSlot v8/src/heap/mark-compact-inl.h:62
    #3 0x16fafe1 in VisitPointers v8/src/heap/incremental-marking.cc:320
    #4 0x16fafe1 in v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisitor>::VisitPropertyCell(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:341
    #5 0x16ed00a in IterateBody v8/src/heap/objects-visiting.h:355:5
    #6 0x16ed00a in VisitObject v8/src/heap/incremental-marking.cc:732
    #7 0x16ed00a in ProcessMarkingDeque v8/src/heap/incremental-marking.cc:769
    #8 0x16ed00a in v8::internal::IncrementalMarking::Step(long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceMarkingAction, v8::internal::IncrementalMarking::ForceCompletionAction) v8/src/heap/incremental-marking.cc:1098
    #9 0x1836243 in InlineAllocationStep v8/src/heap/spaces.h:2537:7
    #10 0x1836243 in InlineAllocationStep v8/src/heap/spaces.cc:1636
    #11 0x1836243 in v8::internal::NewSpace::EnsureAllocation(int, v8::internal::AllocationAlignment) v8/src/heap/spaces.cc:1597
    #12 0x16028a2 in AllocateRawUnaligned v8/src/heap/spaces-inl.h:456:10
    #13 0x16028a2 in AllocateRaw v8/src/heap/spaces-inl.h:480
    #14 0x16028a2 in v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) v8/src/heap/heap-inl.h:215
    #15 0x16960d7 in v8::internal::Heap::AllocateFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/heap/heap.cc:2119:35
    #16 0x159a4a2 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/factory.cc:79:3
    #17 0x25834ee in __RT_impl_Runtime_AllocateInTargetSpace v8/src/runtime/runtime-internal.cc:246:11
    #18 0x25834ee in v8::internal::Runtime_AllocateInTargetSpace(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:236
    #7 0x7f53d03063d7  (<unknown module>)
    #8 0x7f53d040f273  (<unknown module>)
    #9 0x7f53d040ad4d  (<unknown module>)
    #10 0x7f53d0336da3  (<unknown module>)
    #11 0x7f53d031a8e1  (<unknown module>)
    #19 0x158a09f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:98:13
    #20 0x158882d in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:167:10
    #21 0xf6e33e in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1743:23
    #22 0xebf5cb in FXJS_Execute(v8::Isolate*, IJS_Context*, wchar_t const*, FXJSErr*) third_party/pdfium/fpdfsdk/src/jsapi/fxjs_v8.cpp:384:8
    #23 0xe3cc12 in CJS_Runtime::Execute(IJS_Context*, wchar_t const*, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Runtime.cpp:188:14
    #24 0xf54991 in CJS_Context::RunScript(CFX_WideString const&, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Context.cpp:59:12
    #25 0x553134 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:1822:24
    #26 0x552b8c in CPDFSDK_Widget::OnFormat(int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:330:10
    #27 0x584be9 in CPDFSDK_BFAnnotHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:593:31
    #28 0x57e44a in CPDFSDK_AnnotHandlerMgr::Annot_OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:94:5
    #29 0x574f67 in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:886:5
    #30 0x573c36 in CPDFSDK_Document::GetPageView(CPDF_Page*, int) third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:420:3
    #31 0x528ec3 in FormHandleToPageView third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:32:20
    #32 0x528ec3 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:263
    #33 0x4da9c2 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:346:3
    #34 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
    #35 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
    #36 0x7f553e1c4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (pdfium_test+0x16fafe1)
==31710==ABORTING
--- cut ---

The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554099. Attached is the PDF file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39164.zip
Tags:
Advisory/Source: Link
Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services