Issue metadata

Status: Fixed
Closed: Oct 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

OOB read with corrupt PDF; possible stability issue too

Reported by scarybea...@gmail.com, Oct 26 2011

Issue description

Whilst looking at an unrelated crash from one of Robert's test cases, I noticed an OOB read under valgrind whilst loading a PDF.

PDF is attached (mouse over PDF to ensure the OOB read hits).

The symptom is a read dereference of a pointer pulled at the -1 index of an array of pointers. Looking in the crash logs, it does appear that there is a crash signal with matching symptoms, particularly on Mac, e.g.:

https://crash/reportdetail?reportid=6b3983793fc6673d

Seems to trigger every few minutes.

Attachment: rs4.pdf (18.2 KB)
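The bug class the report describes, an untrusted index of -1 into an array of pointers, as an added example in C that is not the Chromium PDF plugin's code; the object table, the "N means object N-1" reference encoding and the sample data are constructed for illustration:

```c
#include <stddef.h>
#include <stdio.h>

/* A minimal object record; the real structures are not on the page, so
   this type is constructed for the example. */
typedef struct Obj { int id; } Obj;

/* Array of pointers indexed by a value derived from file contents,
   mirroring the "pointer pulled at the -1 index of an array of pointers". */
typedef struct ObjTable {
    Obj **objs;
    size_t count;
} ObjTable;

/* Hypothetical encoding: a reference N in the file means "object N-1",
   so a corrupt N of 0 decodes to -1 and a too-large N runs off the end. */
long ref_index_from_file(int n) { return (long)n - 1; }

/* Buggy pattern (do not use): indexing without a range check.  With idx == -1
   this reads the pointer stored just before the array, which is exactly the
   kind of access valgrind or ASan reports.  Never called below. */
Obj *lookup_unchecked(const ObjTable *t, long idx) {
    return t->objs[idx];
}

/* Hardened form: reject both negative and out-of-range indexes up front,
   testing the sign in the signed domain before converting to size_t. */
Obj *lookup_checked(const ObjTable *t, long idx) {
    if (idx < 0 || (size_t)idx >= t->count) return NULL;
    return t->objs[idx];
}

/* Resolve a file reference safely; NULL signals a corrupt reference that the
   caller must treat as a parse error instead of dereferencing. */
Obj *resolve_ref(const ObjTable *t, int n_from_file) {
    return lookup_checked(t, ref_index_from_file(n_from_file));
}

/* Constructed sample table of three objects. */
static Obj sample_objs[3] = { {10}, {11}, {12} };
static Obj *sample_ptrs[3] = { &sample_objs[0], &sample_objs[1], &sample_objs[2] };
const ObjTable sample_table = { sample_ptrs, 3 };

int main(void) {
    int refs[] = { 0, 2, 4 };   /* 0 -> index -1, 2 -> index 1, 4 -> index 3 */
    for (size_t i = 0; i < 3; i++) {
        Obj *o = resolve_ref(&sample_table, refs[i]);
        printf("ref %d -> %s\n", refs[i], o ? "ok" : "rejected (corrupt reference)");
    }
    return 0;
}
```

Running the unchecked variant on the same input under valgrind or ASan is how the report's finding surfaces; the checked variant turns the corrupt reference into a handled error.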
Labels: Stability-Valgrind
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-16 Merge-Approved
Status: FixUnreleased
Might as well merge it to M16 once it's had a whirl on a M17 dev channel.
Fixed by r1151 on PDF trunk.

Comment 4 by kcc@chromium.org, Oct 26 2011

so how about trying asan on pdf? 

Comment 5 by jsc...@chromium.org, Oct 27 2011

Labels: -Area-Undefined Area-Internals
Labels: -Merge-Approved Merge-Merged
Chrome 16 branch for PDF went at r1152 so this is included.

Comment 7 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Cc: emily.zh...@gmail.com

Comment 9 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 10 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Feature-PDF -Stability-Valgrind -Mstone-16 Cr-Content-Plugins-PDF Security-Impact-Beta Security-Severity-Medium Cr-Internals Performance-Valgrind Security-Impact-Stable Type-Bug-Security M-16

Comment 11 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 12 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 14 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 17 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Valgrind Stability-Valgrind

Comment 18 by bugdroid1@chromium.org, Apr 6 2013

Labels: Cr-Blink

Comment 19 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-Plugins-PDF Cr-Internals-Plugins-PDF

Comment 20 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Comment 24 by sheriffbot@chromium.org, Jul 29

Labels: -Pri-0 Pri-1