Status: Fixed
Owner:
Closed: Oct 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security
OOB read with corrupt PDF; possible stability issue too
Reported by scarybea...@gmail.com, Oct 26 2011
Whilst looking at an unrelated crash from one of Robert's test cases, I noticed an OOB read under valgrind whilst loading a PDF.

PDF is attached (mouse over PDF to ensure the OOB read hits).

The symptom is a read dereference of a pointer pulled at the -1 index of an array of pointers. Looking in the crash logs, it does appear that there is a crash signal with matching symptoms, particularly on Mac, e.g.:

https://crash/reportdetail?reportid=6b3983793fc6673d

Seems to trigger every few minutes.

Attachment: rs4.pdf (18.2 KB)
Labels: Stability-Valgrind
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Mstone-16 Merge-Approved
Status: FixUnreleased
Might as well merge it to M16 once it's had a whirl on an M17 dev channel.
Fixed by r1151 on PDF trunk.
Comment 4 by kcc@chromium.org, Oct 26 2011
So how about trying ASan on PDF?
Comment 5 by jsc...@chromium.org, Oct 27 2011
Labels: -Area-Undefined Area-Internals
Labels: -Merge-Approved Merge-Merged
Chrome 16 branch for PDF went at r1152 so this is included.
Comment 7 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Cc: emily.zh...@gmail.com
Project Member Comment 9 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 10 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -SecSeverity-Medium -SecImpacts-Stable -SecImpacts-Beta -Feature-PDF -Stability-Valgrind -Mstone-16 Cr-Content-Plugins-PDF Security-Impact-Beta Security-Severity-Medium Cr-Internals Performance-Valgrind Security-Impact-Stable Type-Bug-Security M-16
Project Member Comment 11 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 12 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 14 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 17 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Valgrind Stability-Valgrind
Project Member Comment 18 by bugdroid1@chromium.org, Apr 6 2013
Labels: Cr-Blink
Project Member Comment 19 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-Plugins-PDF Cr-Internals-Plugins-PDF
Project Member Comment 20 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic