Chrome: heap-buffer-overflow in chrome_pdf::PDFiumEngine::RequestThumbnail

We discussed this vulnerability as part of our weekly podcast on 23 March 2022

Out of bounds read in Chrome’s PDFium Engine in the RequestThumbnail() method. The page_index parameter is used to index into a vector of pages to call that page’s RequestThumbnail() callback, however the page_index isn’t validated in production builds. There is a DCHECK(PageIndexInBounds(page_index)) call, but this is a debug check which is not compiled in production. This leads to what’s likely an easy code execution route, as this page pointer in the vector directly invokes a callback. By accessing the vector out of bounds and accessing an attacker-controlled pointer as a page, code execution should be trivial via hijacking the callback.