Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jul 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
wip
Use-of-uninitialized-value in CPDF_DeviceCS::GetRGB
Project Member Reported by ClusterFuzz, Jun 19 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6433711484567552

Fuzzer: Ifratric_pdf_generic
Job Type: Linux_msan_pdfium

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  CPDF_DeviceCS::GetRGB
  CPDF_ICCBasedCS::GetRGB
  CPDF_Color::GetRGB
  

Minimized Testcase (3156.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv975SE91yoB5k1rDeEl7tij_fOIHGEs2x_yREimAO1zVrr1xG0X1fWfDBExR2XMXxTEgRHJpOD-H3RZk01y8lAqapR93JlNueVA0DF8vA8lJBQ58N3Gj9ja2aPj9pxSoGMBnPYMBEWIvedpJGjxv6WTmq21nf9OPe7KxhoVSuTTDfD3Cm9I
 
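The crash stack above is the classic shape of this bug class: a colour space whose component count comes straight from the PDF (the /N entry of an ICCBased stream), a device-colour fallback in GetRGB that only writes its outputs for the counts it understands, and a caller that never checks the return value. The following is an added illustration written for this page, not pdfium's code; the class and function names are stand-ins for the CPDF_* symbols in the crash stack, the component semantics are simplified, and the "after" half only mirrors the direction suggested by the titles of b44bac5 and 1c8d196 listed in the roll (the real diffs are not on this page). The `stackGarbage` parameter simulates the indeterminate locals MSan reported on, so the example runs deterministically without itself reading uninitialised memory.

```cpp
// Added example (not pdfium code): unchecked vs. checked handling of a
// PDF-supplied component count in a GetRGB-style colour conversion.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Rgb { float r, g, b; };

// Hypothetical stand-in for CPDF_DeviceCS::GetRGB. Only component counts
// 1 (Gray), 3 (RGB) and 4 (CMYK) mean anything here; for any other count it
// returns false WITHOUT touching R, G, B, which is the behaviour that lets
// uninitialised values escape when the caller ignores the result.
static bool DeviceGetRgb(int nComponents, const std::vector<float>& c,
                         float& R, float& G, float& B) {
  switch (nComponents) {
    case 1:
      R = G = B = c[0];
      return true;
    case 3:
      R = c[0]; G = c[1]; B = c[2];
      return true;
    case 4: {
      float k = c[3];
      R = (1.0f - c[0]) * (1.0f - k);
      G = (1.0f - c[1]) * (1.0f - k);
      B = (1.0f - c[2]) * (1.0f - k);
      return true;
    }
    default:
      return false;  // outputs deliberately left untouched
  }
}

// "Before": any /N from the file is accepted at load time and the caller
// ignores GetRGB's return value. stackGarbage models whatever happened to be
// in the uninitialised locals; a real build would hand that to the renderer.
static Rgb RenderUnchecked(int nFromFile, const std::vector<float>& comps,
                           float stackGarbage) {
  float R = stackGarbage, G = stackGarbage, B = stackGarbage;
  DeviceGetRgb(nFromFile, comps, R, G, B);  // result ignored
  return {R, G, B};
}

// "After": reject an unsupported component count once, when the colour space
// is loaded, rather than guessing a fallback later (the intent behind
// b44bac5's title). Hypothetical stand-in for CPDF_ICCBasedCS::v_Load.
static bool LoadIccBasedComponents(int nFromFile, int& nOut) {
  if (nFromFile != 1 && nFromFile != 3 && nFromFile != 4)
    return false;
  nOut = nFromFile;
  return true;
}

// Initialise outputs before the call, bound the component array against the
// validated count, and propagate failure to the caller.
static bool RenderChecked(int nFromFile, const std::vector<float>& comps,
                          Rgb& out) {
  out = {0.0f, 0.0f, 0.0f};  // defined value even on every failure path
  int n = 0;
  if (!LoadIccBasedComponents(nFromFile, n))
    return false;
  if (comps.size() < static_cast<size_t>(n))
    return false;  // fewer components supplied than the count promises
  return DeviceGetRgb(n, comps, out.r, out.g, out.b);
}

int main() {
  // Constructed input: a stream claiming N=2, which no device fallback handles.
  Rgb bad = RenderUnchecked(2, {0.5f, 0.5f}, -1.0f);
  std::printf("unchecked N=2: %g %g %g (stack contents leaked)\n",
              bad.r, bad.g, bad.b);
  Rgb good;
  bool ok = RenderChecked(2, {0.5f, 0.5f}, good);
  std::printf("checked   N=2: ok=%d -> %g %g %g\n", ok, good.r, good.g, good.b);
  return 0;
}
```

The point to take from the two halves is where the check lives: validating N once at load time turns a whole family of later "which fallback do I pick" bugs into a single rejected object, and zero-initialising the outputs means that even a path the validator misses produces a defined (if wrong) colour rather than an MSan report or an information leak. When reviewing a fix like this in a real code base, also confirm that every caller of the GetRGB-style function either checks the return value or can tolerate zeroed outputs.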
Cc: jun_f...@foxitsoftware.com
Labels: Security_Impact-Stable Security_Impact-Beta
Owner: bo...@foxitsoftware.com
Status: Assigned
Cc: earthdok@chromium.org
Project Member Comment 3 by ClusterFuzz, Jun 20 2014
Labels: Pri-1
Cc: ifratric@google.com
Labels: M-37
Owner: jun_f...@foxitsoftware.com
I'll handle this one.
Status: Started
This issue will be fixed after Foxit memory "allocator" is replaced.
Labels: WIP
PDF security bugs are WIP. Stop the nags for now.
Cc: -jun_f...@foxitsoftware.com palmer@chromium.org
Status: Fixed
It has been fixed in https://pdfium.googlesource.com/pdfium/+/b44bac5.
Project Member Comment 10 by bugdroid1@chromium.org, Jul 16 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e9883a2cb97b9944c8ddf593f94326a8fdbed00

commit 1e9883a2cb97b9944c8ddf593f94326a8fdbed00
Author: thakis@chromium.org <thakis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Jul 16 21:06:45 2014

roll pdfium 532a6a7ece21ca4ea253a196bb5c61a1861d12a0:0ce77e3c04dd17d3086adfc8781a2155fb9ceb69

This brings in:
0ce77e3  Add a newline at the end of fpdfeditpage.cpp.
27e35a8  Remove uninitialized const global g_GbFontNameMap.
b44bac5  Error handling for invalid component number in CPDF_ICCBasedCS::v_Load
f86d7d6  Fix uninitialized coords in _DrawCoonPatchMeshes
1c8d196  Fix uninitialized nresults in GetRGB
feff0db  Fix uninitialized RGB in DrawShading
8434565  Fix uninitialized Storage in _LUTeval16
9114e83  Add support to extract viewer preference
8daab31  Fix an out-of-boundary issue for wide string
456cde9  Fix uninitialized Storage
fab8896  Fix uninitialized okeybuf
41e06e7  Fix uninitialized triangle
d5a0e7a  Zero out temporary arrays before use in PDF encryption.
b66432c  Fix a null object bug

BUG=82385, 386728, 391470, 387809, 386730, 387826, 169120, 381521, 387843, 387011, 387835, 387834, 387975
NOTRY=true
R=thestig@chromium.org

Review URL: https://codereview.chromium.org/393403003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@283502 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 11 by bugdroid1@chromium.org, Jul 16 2014
------------------------------------------------------------------
r283502 | thakis@chromium.org | 2014-07-16T21:06:45.909316Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=283502&r2=283501&pathrev=283502

-----------------------------------------------------------------
Project Member Comment 12 by ClusterFuzz, Jul 20 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-36 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-NA Release-0-M38
All MSAN pdf bugs will not be merged back to M36, M37. We will just let them roll into M38 trunk.
Project Member Comment 14 by ClusterFuzz, Oct 22 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 15 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 16 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic