
PDF crash in chrome - part2 (due to attachment limit) #364

Closed
gcode-importer opened this issue Jun 28, 2014 · 15 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 364

Attached are test files and fixes for a PDF file crash in Chrome. They were found and fixed
in pdfium testing by Foxit.

openjpeg svn version:
r2833

test environment:
chrome build environment, put openjpeg into chrome/external


Reported by bo_xu@foxitsoftware.com on 2014-06-28 01:04:10


- _Attachment: [openjpeg security issues-part2.zip](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-364/comment-0/openjpeg security issues-part2.zip)_
@gcode-importer

Reported by detonin on 2014-09-19 09:41:11

  • Status changed: Accepted

@gcode-importer

@bo_xu,

r2894, no warning with Asan on MacOS X with issue2-fuzz-signal_sigsegv_6b88de_1123_2509.pdf
Could you check this one ?

Reported by mayeut on 2014-10-03 18:44:53

@gcode-importer

r2894

903.jp2 extracted from issue4-fuzz-51.pdf

./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
==2760==ERROR: AddressSanitizer failed to allocate 0x80003000 (-2147471360) bytes of
LargeMmapAllocator (errno: 12)
==2760==Process memory map follows:
    0x9524f000-0x95274000   /usr/lib/libc++abi.dylib
    0xa090b000-0xa090c000   /usr/lib/libc++abi.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libc++abi.dylib
    0x9902b000-0x99050000   /usr/lib/system/libxpc.dylib
    0xa15b1000-0xa15b3000   /usr/lib/system/libxpc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libxpc.dylib
    0x97309000-0x97310000   /usr/lib/system/libunwind.dylib
    0xa0b03000-0xa0b04000   /usr/lib/system/libunwind.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libunwind.dylib
    0x967b8000-0x967ba000   /usr/lib/system/libunc.dylib
    0xa0a69000-0xa0a6a000   /usr/lib/system/libunc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libunc.dylib
    0x910e6000-0x910e8000   /usr/lib/system/libsystem_sandbox.dylib
    0xa03b2000-0xa03b3000   /usr/lib/system/libsystem_sandbox.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_sandbox.dylib
    0x9bb6e000-0x9bb76000   /usr/lib/system/libsystem_pthread.dylib
    0xa187c000-0xa187e000   /usr/lib/system/libsystem_pthread.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_pthread.dylib
    0x944d5000-0x944db000   /usr/lib/system/libsystem_platform.dylib
    0xa082f000-0xa0830000   /usr/lib/system/libsystem_platform.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_platform.dylib
    0x904c8000-0x904d2000   /usr/lib/system/libsystem_notify.dylib
    0xa026e000-0xa026f000   /usr/lib/system/libsystem_notify.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_notify.dylib
    0x930c7000-0x930f3000   /usr/lib/system/libsystem_network.dylib
    0xa06e6000-0xa06e8000   /usr/lib/system/libsystem_network.dylib
    0xa06e8000-0xa06e9000   /usr/lib/system/libsystem_network.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_network.dylib
    0x93178000-0x93191000   /usr/lib/system/libsystem_malloc.dylib
    0xa06fb000-0xa06fc000   /usr/lib/system/libsystem_malloc.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_malloc.dylib
    0x982f8000-0x9832a000   /usr/lib/system/libsystem_m.dylib
    0xa14a3000-0xa14a4000   /usr/lib/system/libsystem_m.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_m.dylib
    0x9ba7e000-0x9ba9c000   /usr/lib/system/libsystem_kernel.dylib
    0xa186d000-0xa186f000   /usr/lib/system/libsystem_kernel.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_kernel.dylib
    0x9bcf4000-0x9bd1d000   /usr/lib/system/libsystem_info.dylib
    0xa18a0000-0xa18a2000   /usr/lib/system/libsystem_info.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_info.dylib
    0x9a444000-0x9a44d000   /usr/lib/system/libsystem_dnssd.dylib
    0xa1686000-0xa1687000   /usr/lib/system/libsystem_dnssd.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_dnssd.dylib
    0x998d5000-0x998d8000   /usr/lib/system/libsystem_configuration.dylib
    0xa160d000-0xa160e000   /usr/lib/system/libsystem_configuration.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_configuration.dylib
    0x90587000-0x9061a000   /usr/lib/system/libsystem_c.dylib
    0xa0274000-0xa027b000   /usr/lib/system/libsystem_c.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_c.dylib
    0x95154000-0x95156000   /usr/lib/system/libsystem_blocks.dylib
    0xa08f9000-0xa08fa000   /usr/lib/system/libsystem_blocks.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_blocks.dylib
    0x930a9000-0x930bc000   /usr/lib/system/libsystem_asl.dylib
    0xa06e3000-0xa06e4000   /usr/lib/system/libsystem_asl.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libsystem_asl.dylib
    0x95432000-0x95434000   /usr/lib/system/libremovefile.dylib
    0xa093c000-0xa093d000   /usr/lib/system/libremovefile.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libremovefile.dylib
    0x9ba9c000-0x9ba9f000   /usr/lib/system/libquarantine.dylib
    0xa186f000-0xa1870000   /usr/lib/system/libquarantine.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libquarantine.dylib
    0x97681000-0x97686000   /usr/lib/system/libmacho.dylib
    0xa1374000-0xa1375000   /usr/lib/system/libmacho.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libmacho.dylib
    0x98f2c000-0x98f35000   /usr/lib/system/liblaunch.dylib
    0xa1596000-0xa1597000   /usr/lib/system/liblaunch.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/liblaunch.dylib
    0x96d85000-0x96d86000   /usr/lib/system/libkeymgr.dylib
    0xa0ad7000-0xa0ad8000   /usr/lib/system/libkeymgr.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libkeymgr.dylib
    0x9aaee000-0x9aaf2000   /usr/lib/system/libdyld.dylib
    0xa173f000-0xa1740000   /usr/lib/system/libdyld.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libdyld.dylib
    0x930f5000-0x9310e000   /usr/lib/system/libdispatch.dylib
    0xa06ea000-0xa06ee000   /usr/lib/system/libdispatch.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libdispatch.dylib
    0x97688000-0x976d9000   /usr/lib/system/libcorecrypto.dylib
    0xa1376000-0xa1379000   /usr/lib/system/libcorecrypto.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcorecrypto.dylib
    0x9b4de000-0x9b4e7000   /usr/lib/system/libcopyfile.dylib
    0xa1814000-0xa1815000   /usr/lib/system/libcopyfile.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcopyfile.dylib
    0x9c0c3000-0x9c0c9000   /usr/lib/system/libcompiler_rt.dylib
    0xa18ce000-0xa18d0000   /usr/lib/system/libcompiler_rt.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcompiler_rt.dylib
    0x90008000-0x90014000   /usr/lib/system/libcommonCrypto.dylib
    0xa0252000-0xa0253000   /usr/lib/system/libcommonCrypto.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcommonCrypto.dylib
    0x9c1ad000-0x9c1b2000   /usr/lib/system/libcache.dylib
    0xa18e2000-0xa18e3000   /usr/lib/system/libcache.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/system/libcache.dylib
    0x9a905000-0x9a95b000   /usr/lib/libc++.1.dylib
    0xa170e000-0xa1714000   /usr/lib/libc++.1.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libc++.1.dylib
    0x930f3000-0x930f5000   /usr/lib/libSystem.B.dylib
    0xa06e9000-0xa06ea000   /usr/lib/libSystem.B.dylib
    0xa59fd000-0xa8d4e000   /usr/lib/libSystem.B.dylib
    0x0073a000-0x007c4000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x007c4000-0x007cb000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x007cb000-0x007e5000   /Users/Matt/Dev/OpenJpeg/issue391/build/bin/libopenjp2.7.dylib
    0x0024d000-0x002aa000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x002aa000-0x00703000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x00703000-0x00737000   /Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
    0x00012000-0x00013000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x00013000-0x001df000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x001df000-0x001fa000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
    0x001fa000-0x0024c000   /Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress
==2760==End of process memory map.
==2760==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x287227 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a227)
    #1 0x28b6a3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3e6a3)

Reported by mayeut on 2014-10-03 18:50:45


- _Attachment: [903.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-364/comment-3/903.jp2)_

@gcode-importer

I tested "fuzz-signal_sigsegv_6b88de_1123_2509.pdf" and "fuzz-51.pdf" and cannot reproduce
the crash. They should have been fixed. Thanks.

Reported by bo_xu@foxitsoftware.com on 2014-10-03 19:42:49

@gcode-importer

kdu_expand  -i ../../data/issue364/903.jp2 -o 0.bmp
Error in Kakadu File Format Support:
JPX source contains no image header box for a codestream.  The image header
(ihdr) box cannot be found in a codestream header (chdr) box, and does not
exist within a default JP2 header (jp2h) box.

Reported by mayeut on 2014-10-03 20:15:04

@gcode-importer

On MacOS X x64:
./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
==25543==WARNING: AddressSanitizer failed to allocate 0x0017ffa001c8 bytes
==25543==AddressSanitizer's allocator is terminating the process instead of returning 0
==25543==If you don't like this behavior set allocator_may_return_null=1
==25543==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
    #0 0x10db4d5b3 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x345b3)
    #1 0x10db50c41 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x37c41)

With allocation failure allowed, it tried to allocate large amounts of memory, swapped, ...
it took several minutes until the system was responsive enough to interrupt the process.

We should fix this ASAP.

Reported by mayeut on 2014-10-03 20:24:30

@gcode-importer

MacOS x64

38.jp2 from issue2-fuzz-signal_sigsegv_6b88de_1123_2509.pdf

./bin/opj_decompress -i ../../data/issue364/38.jp2 -o 0.bmp

ASAN:SIGSEGV
=================================================================
==25804==ERROR: AddressSanitizer: SEGV on unknown address 0x619100000fe6 (pc 0x00010a593fc1 bp 0x7fff5656c2b0 sp 0x7fff5656c2b0 T0)
    #0 0x10a593fc0 in opj_read_bytes_LE /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/cio.c:87:3
    #1 0x10a5cfc76 in opj_jp2_read_boxhdr_char /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2237:2
    #2 0x10a5c7ee5 in opj_jp2_read_jp2h /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2184:9
    #3 0x10a5cedab in opj_jp2_read_header_procedure /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1874:10
    #4 0x10a5cd32a in opj_jp2_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1925:26
    #5 0x10a5cdd84 in opj_jp2_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2306:8
    #6 0x109694c50 in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x100004c50)
    #7 0x7fff826b05fc in start (/usr/lib/system/libdyld.dylib+0x35fc)
    #8 0x4 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/cio.c:87 opj_read_bytes_LE
==25804==ABORTING

Reported by mayeut on 2014-10-03 20:28:28

@gcode-importer

Patch inspired from the one provided by bo_xu for 38.jp2

./bin/opj_decompress -i ../../data/issue364/38.jp2 -o 0.bmp

[ERROR] Box length is inconsistent.
[ERROR] Stream error while reading JP2 Header box
ERROR -> opj_decompress: failed to read the header

Reported by mayeut on 2014-10-03 20:38:22


- _Attachment: [38.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-364/comment-8/38.jp2)_
- _Attachment: [issue364-38.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-364/comment-8/issue364-38.patch)_

@gcode-importer

Patch issue364-38.patch tested against the test suite & OK.

Reported by mayeut on 2014-10-05 15:40:11

@gcode-importer

Reported by mayeut on 2014-10-06 11:46:22

  • Status changed: Verified

@gcode-importer

Changed status from Verified to Started (only one out of 2 issues solved)

Reported by mayeut on 2014-10-06 11:47:21

  • Status changed: Started

@gcode-importer

This issue was updated by revision r2897.


issue364-38.patch applied. Thanks Matthieu.

Reported by detonin on 2014-10-06 21:05:37

@gcode-importer

Patch for image 903. Tested against test suite & OK.

The jp2 header does not contain an ihdr box, which is required by the standard.

./bin/opj_decompress -i ../../data/issue364/903.jp2 -o 0.bmp

[ERROR] Stream error while reading JP2 Header box: no 'ihdr' box.
ERROR -> opj_decompress: failed to read the header

Reported by mayeut on 2014-10-08 21:01:14

  • Status changed: Verified

- _Attachment: [issue364-903.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-364/comment-13/issue364-903.patch)_
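The three failure modes discussed in this thread (the inconsistent box length that crashed on 38.jp2, the missing 'ihdr' box in 903.jp2, and the runaway allocation seen on the x64 run) all come down to validating the JP2 header superbox before trusting anything in it. The following is an added example written for this page, not OpenJPEG's code and not the contents of the attached patches: a self-contained parser for a 'jp2h' superbox that rejects box lengths shorter than their header or longer than the enclosing data, requires an 'ihdr' sub-box, and caps the sample count derived from 'ihdr' before any decoder would allocate an image buffer. Box type names ('jp2h', 'ihdr', 'colr') and the 14-byte 'ihdr' layout are from the JP2 file format; the `MAX_SAMPLES` cap, the status codes and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* JP2 box type codes as big-endian FourCC values. */
#define BOX_JP2H 0x6A703268u  /* 'jp2h' */
#define BOX_IHDR 0x69686472u  /* 'ihdr' */
#define BOX_COLR 0x636F6C72u  /* 'colr' */

/* Status codes are this example's own, not OpenJPEG's. */
enum jp2h_status { JP2H_OK = 0, JP2H_BAD_LENGTH = -1, JP2H_NO_IHDR = -2,
                   JP2H_TOO_LARGE = -3, JP2H_BAD_IHDR = -4 };

/* Hypothetical cap on width * height * components before allocating. */
#define MAX_SAMPLES ((uint64_t)1 << 30)

struct ihdr { uint32_t height, width; uint16_t nc; uint8_t bpc; };

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read one box header inside buf[off, end). Fills *type, *hdr_len (8 or 16) and
   *box_len (total box size incl. header); returns -1 when the length field is
   smaller than the header or runs past 'end' ("Box length is inconsistent"). */
static int read_boxhdr(const uint8_t *buf, size_t off, size_t end,
                       uint32_t *type, size_t *hdr_len, size_t *box_len) {
    if (off > end || end - off < 8) return -1;
    uint64_t len = rd_be32(buf + off);
    *type = rd_be32(buf + off + 4);
    *hdr_len = 8;
    if (len == 1) {                              /* XLBox: 64-bit length follows */
        if (end - off < 16) return -1;
        len = ((uint64_t)rd_be32(buf + off + 8) << 32) | rd_be32(buf + off + 12);
        *hdr_len = 16;
    } else if (len == 0) {                       /* box extends to end of enclosing data */
        len = end - off;
    }
    if (len < *hdr_len || len > end - off) return -1;
    *box_len = (size_t)len;
    return 0;
}

/* Validate a 'jp2h' superbox occupying buf[0, buflen) and extract its 'ihdr'. */
enum jp2h_status check_jp2h(const uint8_t *buf, size_t buflen, struct ihdr *out) {
    uint32_t type; size_t hdr, len;
    if (read_boxhdr(buf, 0, buflen, &type, &hdr, &len) != 0 || type != BOX_JP2H)
        return JP2H_BAD_LENGTH;
    size_t off = hdr, end = len;
    int have_ihdr = 0;
    while (off < end) {                          /* walk sub-boxes; each must fit in its parent */
        uint32_t t; size_t h, l;
        if (read_boxhdr(buf, off, end, &t, &h, &l) != 0) return JP2H_BAD_LENGTH;
        if (t == BOX_IHDR) {
            if (l - h < 14) return JP2H_BAD_IHDR; /* ihdr payload is exactly 14 bytes */
            const uint8_t *p = buf + off + h;
            out->height = rd_be32(p);
            out->width  = rd_be32(p + 4);
            out->nc     = (uint16_t)((p[8] << 8) | p[9]);
            out->bpc    = p[10];
            have_ihdr = 1;
        }
        off += l;
    }
    if (!have_ihdr) return JP2H_NO_IHDR;         /* "no 'ihdr' box" */
    if (out->width == 0 || out->height == 0 || out->nc == 0) return JP2H_BAD_IHDR;
    /* width*height fits in 64 bits; divide by nc to avoid overflowing the final product. */
    uint64_t samples = (uint64_t)out->width * out->height;
    if (samples > MAX_SAMPLES / out->nc) return JP2H_TOO_LARGE;
    return JP2H_OK;
}

/* Constructed sample headers (not real files from the issue). */
static const uint8_t SAMPLE_VALID[] = {
    0,0,0,30, 'j','p','2','h',  0,0,0,22, 'i','h','d','r',
    0,0,1,0,  0,0,0,128,  0,3, 7, 7, 0, 0 };              /* 256x128, 3 comps */
static const uint8_t SAMPLE_BAD_LENGTH[] = {               /* ihdr claims 48 bytes */
    0,0,0,30, 'j','p','2','h',  0,0,0,48, 'i','h','d','r',
    0,0,1,0,  0,0,0,128,  0,3, 7, 7, 0, 0 };
static const uint8_t SAMPLE_NO_IHDR[] = {                  /* only a colr box */
    0,0,0,23, 'j','p','2','h',  0,0,0,15, 'c','o','l','r', 1,0,0, 0,0,0,16 };
static const uint8_t SAMPLE_TOO_LARGE[] = {                /* 65536x65536, 3 comps */
    0,0,0,30, 'j','p','2','h',  0,0,0,22, 'i','h','d','r',
    0,1,0,0,  0,1,0,0,  0,3, 7, 7, 0, 0 };

int main(void) {
    struct ihdr h;
    printf("valid:      %d\n", check_jp2h(SAMPLE_VALID, sizeof SAMPLE_VALID, &h));
    printf("bad length: %d\n", check_jp2h(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH, &h));
    printf("no ihdr:    %d\n", check_jp2h(SAMPLE_NO_IHDR, sizeof SAMPLE_NO_IHDR, &h));
    printf("too large:  %d\n", check_jp2h(SAMPLE_TOO_LARGE, sizeof SAMPLE_TOO_LARGE, &h));
    return 0;
}
```

The important ordering is that every sub-box length is checked against the end of the parent box before its payload is read, and that the dimension product is bounded before anything is allocated; an allocator that simply returns NULL, as the `allocator_may_return_null=1` run above showed, only trades the crash for minutes of swapping.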

@gcode-importer

Reported by mayeut on 2014-10-08 21:01:48

@gcode-importer

This issue was closed by revision r2905.

Reported by detonin on 2014-10-21 12:35:27

  • Status changed: Fixed
