Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Chrome: heap-buffer-overflow in chrome_pdf::PDFiumEngine::RequestThumbnail - 812

Sergei Glazunov - Google Project Zero (P0), posted 3 years ago
  • The Chrome PDF engine has a function called RequestThumbnail. When an embedded PDF is added to a page, the thumbnail of the PDF can be requested via postMessage, specifically with a call like embed.postMessage({type: "getThumbnail", page: 2});
  • When a thumbnail is requested, the page number is not validated before it is used. There is a DCHECK on it, but DCHECK is only active in test builds and NOT in production builds.
  • The object that is accessed out of bounds contains a function pointer that is immediately invoked, so a properly placed object could easily lead to code execution.
  • Another case where a check exists in the code but is compiled out of the production build!
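The pattern behind this bug, as an added example that is not Chromium code: a debug-only DCHECK guarding an attacker-controlled index into an array of objects that carry a callback, beside the hardened form that validates the index unconditionally. The struct, function names and the DCHECK macro are hypothetical stand-ins; the real engine's layout is not described above.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <optional>
#include <vector>

// Hypothetical stand-in for the per-page object: it holds a callback that is
// run as soon as the page is selected, mirroring the function-pointer call
// described in the bug summary.
struct PageEntry {
  int page_number;
  std::function<int()> on_thumbnail;
};

// Hypothetical debug-only assertion: it compiles to nothing in release builds.
#ifdef NDEBUG
#define DCHECK(cond) ((void)0)
#else
#define DCHECK(cond) assert(cond)
#endif

// Vulnerable pattern: the only guard on the untrusted index is a DCHECK, so a
// release build indexes past the vector and calls whatever it finds there.
int RequestThumbnailUnchecked(const std::vector<PageEntry>& pages, int page) {
  DCHECK(page >= 0 && static_cast<size_t>(page) < pages.size());
  return pages[page].on_thumbnail();  // undefined behaviour when out of range
}

// Hardened pattern: validate the index in every build and refuse the request
// instead of dereferencing; the caller gets no value rather than a crash.
std::optional<int> RequestThumbnailChecked(const std::vector<PageEntry>& pages,
                                           int page) {
  if (page < 0 || static_cast<size_t>(page) >= pages.size())
    return std::nullopt;  // out-of-range page number: reject
  return pages[page].on_thumbnail();
}

// Constructed sample input: three pages whose callbacks just return an id.
std::vector<PageEntry> MakeSamplePages() {
  return {{0, [] { return 100; }},
          {1, [] { return 101; }},
          {2, [] { return 102; }}};
}
```

With NDEBUG defined the DCHECK line in RequestThumbnailUnchecked disappears entirely, which is exactly the release-build gap the summary describes.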