PDF crash in chrome - part1 #363

Closed
gcode-importer opened this issue Jun 28, 2014 · 12 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 363

Attached are test files and fixes for a PDF file crash in Chrome. They were found and fixed
in pdfium testing by Foxit.

openjpeg svn version:
r2833

test environment:
chrome build environment, put openjpeg into chrome/external


Reported by [email protected] on 2014-06-28 01:01:49


- _Attachment: [issue3-fuzz-asan_heap-oob_6bae99_3155_5245.zip](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-0/issue3-fuzz-asan_heap-oob_6bae99_3155_5245.zip)_
@gcode-importer

Reported by detonin on 2014-09-19 09:41:11

  • Status changed: Accepted

@gcode-importer

@bo_xu,

r2894
No crash with ASAN_OPTIONS=allocator_may_return_null=1 on MacOS X i386

Reported by mayeut on 2014-10-03 18:57:32

@gcode-importer

I tested on Ubuntu 12.04 with Asan and can see the crash.

Reported by [email protected] on 2014-10-03 19:44:29

@gcode-importer

```
WARNING: No imsbtree created.
==4471==WARNING: AddressSanitizer failed to allocate 0xfffffffe bytes
==4471==AddressSanitizer's allocator is terminating the process instead of returning 0
==4471==If you don't like this behavior set allocator_may_return_null=1
==4471==AddressSanitizer CHECK failed: /work/chromium/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
    #0 0x80df67d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0:0
    #1 0x80e38ff in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ??:0:0
    #2 0x80e22aa in __sanitizer::AllocatorReturnNull() ??:0:0
    #3 0x80683a8 in __asan::asan_realloc(void*, unsigned long, __sanitizer::StackTrace*) ??:0:0
    #4 0x80d67b7 in realloc ??:0:0
    #5 0x84a51f2 in opj_j2k_read_tile_header /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7617:74
    #6 0x84bb8ed in opj_j2k_decode_tiles /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9277:23
    #7 0x84acddd in opj_j2k_exec /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7187:41
    #8 0x84acddd in opj_j2k_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9496:0
    #9 0x8370406 in opj_jp2_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1300:8
    #10 0x836c6e1 in opj_decode /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/openjpeg.c:412:10
    #11 0x8364519 in CJPX_Decoder::Init(unsigned char const*, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:626:15
    #12 0x8365938 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:767:10
    #13 0x82cac0d in CPDF_DIBSource::LoadJpxBitmap() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:643:21
    #14 0x82c614e in CPDF_DIBSource::CreateDecoder() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:599:9
    #15 0x82c1f94 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335:15
    #16 0x82b0245 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:310:15
    #17 0x82afe3c in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #18 0x82d3499 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1489:15
    #19 0x82d43aa in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1549:19
    #20 0x82b5c2b in CPDF_ImageRenderer::StartLoadDIBSource() /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:371:9
    #21 0x82b1a32 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:525:9
    #22 0x82a2fc6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:350:14
    #23 0x82acb9e in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1175:21
    #24 0x82ab79a in CPDF_ProgressiveRenderer::Start(CPDF_RenderContext*, CFX_RenderDevice*, CPDF_RenderOptions const*, IFX_Pause*, int) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1114:5
    #25 0x80f6952 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:789:2
    #26 0x80f6cf1 in FPDF_RenderPageBitmap /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:586:2
    #27 0x80f336b in RenderPdf(char const*, char const*, unsigned int, OutputFormat) /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:324:5
    #28 0x80f3e0d in main /home/foxit/chrome_asan/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:406:7
    #29 0xf72984d2 in __libc_start_main ??:0:0
    #30 0x80f2484 in _start ??:0:0
```

Reported by [email protected] on 2014-10-03 19:45:01

@gcode-importer

I am not quite sure what "allocator_may_return_null=1" does. The stack above is with
allocator_may_return_null=0 set. In this scenario, would the crash make sense?

Reported by [email protected] on 2014-10-03 19:51:09

@gcode-importer

allocator_may_return_null=1 means that ASan will not fail on large (huge) malloc & lets
the malloc do what it needs, even if that means returning NULL.
Documentation on ASan is very sparse... So that's mostly what I guessed & partially
read.

Fails gracefully on x64 even without this option.

Reported by mayeut on 2014-10-03 21:31:27

@gcode-importer

From previous comments, the issue might be deemed non-critical. Nevertheless, we might want
to succeed or fail earlier.

```
kdu_expand -i ../../data/issue363/4723.jp2 -o 0.bmp

Consumed 4 tile-part(s) from a total of 17 tile(s).
Consumed 4,076,863,684 codestream bytes (excluding any file format) =
540393.502866 bits/pel.
Processed using the multi-threaded environment, with
    2 parallel threads of execution
```

Not the same output as Apple Preview (so that may just be noise on either side)

```
kdu_expand -i ../../data/issue363/4740.jp2 -o 0.bmp
Kakadu Core Error:
Invalid marker code found in code-stream!
    Expected SOT marker and got 0x0.

kdu_expand -i ../../data/issue363/4792.jp2 -o 0.bmp
Kakadu Core Error:
Invalid marker code found in code-stream!
    Expected SOT marker and got 0x0.
```

Reported by mayeut on 2014-10-03 21:36:08


- _Attachment: [4723.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-7/4723.jp2)_
- _Attachment: [4740.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-7/4740.jp2)_
- _Attachment: [4792.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-7/4792.jp2)_

@gcode-importer

MacOS x64 output:

```
./bin/opj_decompress -i ../../data/issue363/4792.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
...
[INFO] Header of tile 1 / 17 has been read.
[INFO] Tile 1/17 has been decoded.
[INFO] Image data has been updated with tile 1.
...
[INFO] Header of tile 6 / 17 has been read.
[INFO] Tile 6/17 has been decoded.
[INFO] Image data has been updated with tile 6.

[INFO] Stream reached its end !
[ERROR] Stream too short
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!
```

Reported by mayeut on 2014-10-03 21:38:29

@gcode-importer

```
./bin/opj_decompress -i ../../data/issue363/4723.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Stream reached its end !
[ERROR] Stream too short
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!
```

Reported by mayeut on 2014-10-03 21:39:12

@gcode-importer

Patch fixing issues on images 4740 & 4792.
Issue remaining on image 4723.

```
./bin/opj_decompress -i ../../data/issue363/4740.jp2 -o 0.bmp
[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
...................
[INFO] Header of tile 16 / 17 has been read.
[INFO] Tile 16/17 has been decoded.
[INFO] Image data has been updated with tile 16.

[ERROR] Inconsistent marker size
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!


./bin/opj_decompress -i ../../data/issue363/4792.jp2 -o 0.bmp
[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
..........
[INFO] Header of tile 6 / 17 has been read.
[INFO] Tile 6/17 has been decoded.
[INFO] Image data has been updated with tile 6.

[ERROR] Inconsistent marker size
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!
```

Reported by mayeut on 2014-10-07 18:44:21


- _Attachment: [issue363-4740.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-12/issue363-4740.patch)_

@gcode-importer

Full patch. Tested against test suite OK.

```
./bin/opj_decompress -i ../../data/issue363/4723.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Tile part length size inconsistent with stream length
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!
```

Kakadu decodes 4723. We should create another issue if needed but no more crash.

Reported by mayeut on 2014-10-07 19:43:18

  • Status changed: Verified

- _Attachment: [issue363.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-363/comment-13/issue363.patch)_

@gcode-importer

This issue was closed by revision r2899.

Reported by detonin on 2014-10-14 15:15:18

  • Status changed: Fixed

boxerab pushed a commit to GrokImageCompression/grok-test-data that referenced this issue Jan 3, 2022