Status: Fixed
Closed: Jul 2014
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in cmsXYZ2Lab
Project Member Reported by ClusterFuzz, Jun 23 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5026642885869568

Uploader: mjurczyk@google.com
Job Type: Linux_msan_pdfium

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  float
  cmsXYZ2Lab
  EvaluateXYZ2Lab
  

Minimized Testcase (8241.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94l2VSA16WdM9eJo2HrVveyzIoktFgadCzdeBxBhNCG0XecWFmLXzHzRLiZdIY2xZeRD_vs0Y_n5ozYwga8wEpDScoYA5PyAcelir6bosX6J0L_2bs2gLPZMYb5bzOkJLwTSmrZ8sXMBQPB6OCSf26Rg7_R81aFl9gHDJze85tvPd2zaDw
 
Cc: jun_f...@foxitsoftware.com
Labels: Security_Impact-Stable Security_Impact-Beta
Owner: bo...@foxitsoftware.com
Status: Assigned
Labels: Cr-Internals-Plugins-PDF
Labels: M-37
Project Member Comment 4 by ClusterFuzz, Jun 23 2014
Labels: Pri-1
Project Member Comment 5 by ClusterFuzz, Jul 1 2014
Summary: Use-of-uninitialized-value in cmsXYZ2Lab (was: Use-of-uninitialized-value in float)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5026642885869568

Uploader: mjurczyk@google.com
Job Type: Linux_msan_pdfium

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  cmsXYZ2Lab
  EvaluateXYZ2Lab
  _LUTeval16
  

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97CTFiMYF8IPVH0mkzRuTyeNYXyGenGnBYbMTzguooeGyFOllttIh0azqClJ1ScCAxaHsBrm9885ac7Tq0OjvxiQFdPbzkX4kYa4KMHj5Ik2P_6JFSwIIJH4qqYoKUmoPAoeCvkelAdpwMIdFALhn3cxYHNV5XFJy-LRlRnQuXn8Evt8HY


Project Member Comment 6 by ClusterFuzz, Jul 2 2014
Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Labels: -Nag WIP
PDF security bugs are WIP. Stop the nags for now.
Owner: jun_f...@foxitsoftware.com
I'll handle this one.
Status: Fixed
Please remember to mark status=Fixed
Project Member Comment 11 by ClusterFuzz, Jul 14 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-36 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 12 by bugdroid1@chromium.org, Jul 16 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1e9883a2cb97b9944c8ddf593f94326a8fdbed00

commit 1e9883a2cb97b9944c8ddf593f94326a8fdbed00
Author: thakis@chromium.org <thakis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Jul 16 21:06:45 2014

roll pdfium 532a6a7ece21ca4ea253a196bb5c61a1861d12a0:0ce77e3c04dd17d3086adfc8781a2155fb9ceb69

This brings in:
0ce77e3  Add a newline at the end of fpdfeditpage.cpp.
27e35a8  Remove uninitialized const global g_GbFontNameMap.
b44bac5  Error handling for invalid component number in CPDF_ICCBasedCS::v_Load
f86d7d6  Fix uninitialized coords in _DrawCoonPatchMeshes
1c8d196  Fix uninitialized nresults in GetRGB
feff0db  Fix uninitialized RGB in DrawShading
8434565  Fix uninitialized Storage in _LUTeval16
9114e83  Add support to extract viewer preference
8daab31  Fix an out-of-boundary issue for wide string
456cde9  Fix uninitialized Storage
fab8896  Fix uninitialized okeybuf
41e06e7  Fix uninitialized triangle
d5a0e7a  Zero out temporary arrays before use in PDF encryption.
b66432c  Fix a null object bug

BUG=82385, 386728 , 391470 , 387809 , 386730 , 387826 ,169120, 381521 , 387843 , 387011 , 387835 , 387834 , 387975 
NOTRY=true
R=thestig@chromium.org

Review URL: https://codereview.chromium.org/393403003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@283502 0039d316-1c4b-4281-b951-d872f2087c98
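The fix list above names "uninitialized Storage in _LUTeval16", and the crash stack shows that value reaching cmsXYZ2Lab through EvaluateXYZ2Lab. The C program below is an added example, not code from pdfium or Little-CMS: it sketches a cut-down 16-bit LUT pipeline evaluator with the same ping-pong scratch buffer, shows how a stage chain whose channel counts disagree leaves part of that buffer unwritten, and puts the unchecked version beside a hardened one that zeroes the buffer and validates the chain before evaluating it. The stage layout, the gray-into-XYZ->Lab mismatch used to trigger the read, the function names and the Lab encoding are all assumptions for illustration; the page does not say what the actual malformed input was.

```c
/* Added example, not pdfium or Little-CMS code: a cut-down 16-bit LUT
 * pipeline evaluator in the shape the crash stack suggests (_LUTeval16 ->
 * per-stage evaluators such as EvaluateXYZ2Lab). Two ping-pong float
 * scratch buffers ("Storage") carry each stage's output to the next stage.
 * Stage layout, channel counts, names and the Lab encoding are assumptions
 * made for this illustration, not the real root cause of the bug.
 *
 * Build and run under MemorySanitizer to see the report:
 *   clang -g -O1 -fsanitize=memory lut_eval.c -o lut_eval && ./lut_eval
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STAGE_CHANNELS 16

typedef struct Stage {
    unsigned in_ch, out_ch;                      /* channels read / written */
    void (*eval)(const float *in, float *out);
    struct Stage *next;
} Stage;

/* 1-channel stage: passes its single input through. */
static void gray_stage(const float *in, float *out) { out[0] = in[0]; }

/* 3-channel stand-in for XYZ->Lab: reads in[0..2], writes 16-bit-scaled
 * L, a, b (a linear approximation of the CIE formulas, enough for the demo). */
static void xyz2lab_stage(const float *in, float *out) {
    float L = 116.0f * in[1] - 16.0f;
    float a = 500.0f * (in[0] - in[1]);
    float b = 200.0f * (in[1] - in[2]);
    out[0] = L * 655.35f;             /* L in 0..100      -> 0..65535 */
    out[1] = (a + 128.0f) * 257.0f;   /* a, b in -128..127 -> 0..65535 */
    out[2] = (b + 128.0f) * 257.0f;
}

/* Clamp and round a float channel to uint16_t. The branch here is where
 * MSan first sees a poisoned value in the unchecked path below. */
static uint16_t clamp16(float v) {
    if (!(v > 0.0f)) return 0;                   /* also catches NaN */
    if (v >= 65535.0f) return 65535;
    return (uint16_t)(v + 0.5f);
}

/* BEFORE: scratch buffers never initialised, channel counts never checked.
 * A 1-channel stage feeding a 3-channel stage leaves Storage[][1..2] unset,
 * so the next stage reads whatever the stack held. */
static void lut_eval16_unchecked(const uint16_t *in, uint16_t *out,
                                 const Stage *first, unsigned in_ch, unsigned out_ch) {
    float Storage[2][MAX_STAGE_CHANNELS];        /* uninitialised */
    unsigned phase = 0;
    for (unsigned i = 0; i < in_ch; i++) Storage[0][i] = in[i] / 65535.0f;
    for (const Stage *s = first; s; s = s->next) {
        s->eval(Storage[phase], Storage[phase ^ 1]);
        phase ^= 1;
    }
    for (unsigned i = 0; i < out_ch; i++) out[i] = clamp16(Storage[phase][i]);
}

/* AFTER: zero the scratch buffers (any remaining slip is deterministic and
 * cannot leak stack contents) and reject chains whose channel counts do not
 * agree. Returns 0 on success, -1 on a malformed pipeline. */
static int lut_eval16_checked(const uint16_t *in, uint16_t *out,
                              const Stage *first, unsigned in_ch, unsigned out_ch) {
    float Storage[2][MAX_STAGE_CHANNELS];
    unsigned phase = 0, ch = in_ch;
    memset(Storage, 0, sizeof Storage);
    if (in_ch > MAX_STAGE_CHANNELS || out_ch > MAX_STAGE_CHANNELS) return -1;
    /* Validate the whole chain before touching any pixel data. */
    for (const Stage *s = first; s; s = s->next) {
        if (s->in_ch != ch || s->out_ch > MAX_STAGE_CHANNELS) return -1;
        ch = s->out_ch;
    }
    if (ch != out_ch) return -1;
    for (unsigned i = 0; i < in_ch; i++) Storage[0][i] = in[i] / 65535.0f;
    for (const Stage *s = first; s; s = s->next) {
        s->eval(Storage[phase], Storage[phase ^ 1]);
        phase ^= 1;
    }
    for (unsigned i = 0; i < out_ch; i++) out[i] = clamp16(Storage[phase][i]);
    return 0;
}

/* Well-formed chain: one 3->3 stage. */
int eval_xyz_to_lab16(const uint16_t xyz[3], uint16_t lab[3]) {
    Stage xyz2lab = { 3, 3, xyz2lab_stage, NULL };
    return lut_eval16_checked(xyz, lab, &xyz2lab, 3, 3);
}

/* Malformed chain: a 1-channel gray stage feeding the 3-channel stage. */
int eval_gray_to_lab16(uint16_t gray, uint16_t lab[3]) {
    Stage xyz2lab = { 3, 3, xyz2lab_stage, NULL };
    Stage gray_in = { 1, 1, gray_stage, &xyz2lab };
    return lut_eval16_checked(&gray, lab, &gray_in, 1, 3);
}

int main(void) {
    uint16_t white[3] = { 65535, 65535, 65535 }, lab[3];
    if (eval_xyz_to_lab16(white, lab) == 0)
        printf("checked:   L=%u a=%u b=%u\n", lab[0], lab[1], lab[2]);
    printf("checked:   malformed chain rejected: %d\n", eval_gray_to_lab16(65535, lab));

    /* Pre-fix path on the same malformed chain: under MSan this reports
     * use-of-uninitialized-value once the poisoned float reaches clamp16. */
    Stage xyz2lab = { 3, 3, xyz2lab_stage, NULL };
    Stage gray_in = { 1, 1, gray_stage, &xyz2lab };
    uint16_t gray = 65535;
    lut_eval16_unchecked(&gray, lab, &gray_in, 1, 3);
    printf("unchecked: L=%u a=%u b=%u (garbage)\n", lab[0], lab[1], lab[2]);
    return 0;
}
```

Two points worth noting when reading the sanitizer output. MSan propagates the poison through the float arithmetic silently and only reports when the value reaches a branch, a syscall or a pointer dereference, which is why such bugs surface a frame or two away from where the garbage was produced and why ClusterFuzz's first stack top was simply "float". And the memset alone is only half a fix: it stops stack contents from leaking into the output and makes the result deterministic, but without the channel-count check the malformed chain still silently produces a wrong colour, so the hardened evaluator does both.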


Project Member Comment 14 by ClusterFuzz, Jul 17 2014
ClusterFuzz has detected this issue as fixed in range 283414:283645.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5026642885869568

Uploader: mjurczyk@google.com
Job Type: Linux_msan_pdfium

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  cmsXYZ2Lab
  EvaluateXYZ2Lab
  _LUTeval16
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_pdfium&range=283414:283645

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97CTFiMYF8IPVH0mkzRuTyeNYXyGenGnBYbMTzguooeGyFOllttIh0azqClJ1ScCAxaHsBrm9885ac7Tq0OjvxiQFdPbzkX4kYa4KMHj5Ik2P_6JFSwIIJH4qqYoKUmoPAoeCvkelAdpwMIdFALhn3cxYHNV5XFJy-LRlRnQuXn8Evt8HY

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.


Labels: -Merge-Triage Merge-NA Release-0-M38
All MSAN pdf bugs will not be merged back to M36, M37. We will just let them roll into M38 trunk.
Project Member Comment 17 by ClusterFuzz, Oct 20 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 18 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic