Status: Fixed
Owner:
Closed: Jul 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in read_tag_lutmABType
Project Member Reported by ClusterFuzz, Jun 30 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6058326389424128

Fuzzer: Noel-image-flip
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  - crash stack -
  read_tag_lutmABType
  qcms_profile_from_memory
  WebCore::WEBPImageDecoder::createColorTransform
  

Minimized Testcase (3.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97YjqPvg53Hot5Qx8Y4vTY2tAcfktSEYWnCANZ28YF5M6xf-kaYb997f_dzdqDj01sQjtFK2fNmuT2SWwn9JyuLKwiZPw_gkIr6a0XW1-Cfs431tNunSAmpEvVjuJjnDDO9h4LGZfqy2pnkNzbPTrGQLh8pRA
Filer: inferno@chromium.org
 
Cc: mikelawther@chromium.org
Labels: -Cr-Blink Security_Impact-Stable Security_Impact-Beta
Owner: noel@chromium.org
Status: Assigned
Noel, can you please take a look.

http://www.chromium.org/developers/testing/memorysanitizer
Project Member Comment 2 by ClusterFuzz, Jun 30 2014
Labels: Pri-1
tag_len is not getting initialized. Verified locally by setting it to INT_MAX:

		uint32_t tag_len = INT_MAX;

		(*curveArray)[i] = read_curveType(src, curve_offset + channel_offset, &tag_len);
		if (!(*curveArray)[i]) {
			invalid_source(src, "invalid nested curveType curve");
		}

		assert(tag_len != INT_MAX);
		channel_offset += tag_len;
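Added example, not qcms code: a C model of the pattern behind this report, with a hypothetical curve reader that sets its out-parameter only on success, the looping shape that kept using tag_len after a failed read, and a fixed shape that stops at the failed read instead. The 'curv' layout, the function names and the sample bytes are assumptions made here; the actual fix is in the linked review.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical curveType reader, not qcms's read_curveType. Assumed 'curv'
 * layout: 4-byte signature, 4 reserved bytes, 4-byte big-endian entry count,
 * then count 16-bit entries. Sets *tag_len ONLY on success. */
static int read_curve(const uint8_t *p, size_t len, size_t off, uint32_t *tag_len)
{
    if (off > len || len - off < 12 || memcmp(p + off, "curv", 4) != 0)
        return 0;
    uint32_t n = ((uint32_t)p[off + 8] << 24) | ((uint32_t)p[off + 9] << 16)
               | ((uint32_t)p[off + 10] << 8) | p[off + 11];
    if (n > (len - off - 12) / 2)
        return 0;
    *tag_len = 12 + 2 * n;
    return 1;
}

/* Buggy shape from the report: the failed read is not acted on and tag_len is
 * added anyway. Seeded with INT_MAX, as in the diagnosis above, so the misuse
 * is deterministic here instead of undefined behaviour. */
static size_t walk_curves_buggy(const uint8_t *p, size_t len, int channels)
{
    size_t off = 0;
    for (int i = 0; i < channels; i++) {
        uint32_t tag_len = INT_MAX;
        read_curve(p, len, off, &tag_len);   /* return value ignored */
        off += tag_len;                      /* uses a length never set */
    }
    return off;
}
/* Fixed shape: bail out on the first failed read, so tag_len is only read
 * after the reader assigned it. Returns the end offset, or -1 on bad input. */
static long walk_curves_fixed(const uint8_t *p, size_t len, int channels)
{
    size_t off = 0;
    for (int i = 0; i < channels; i++) {
        uint32_t tag_len = 0;
        if (!read_curve(p, len, off, &tag_len))
            return -1;
        off += tag_len;
    }
    return (long)off;
}
/* Constructed input: one valid 2-entry curve (16 bytes) followed by junk. */
static const uint8_t SAMPLE[] = {
    'c','u','r','v', 0,0,0,0, 0,0,0,2, 0x00,0x00, 0xff,0xff,
    'j','u','n','k', 0,0,0,0, 0,0,0,0 };
```

Under MSan the buggy loop would be reported at the `off += tag_len` line once the second curve fails; here the sentinel makes the bogus offset visible without tooling.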
Comment 4 by noel@chromium.org, Jul 1 2014
Looking: read_curveType should fail for an invalid curve, weird.
Comment 5 by noel@chromium.org, Jul 1 2014
confirmed #3, proposed patch https://codereview.chromium.org/363593004 
Cc: decoder...@gmail.com
Christian, are you guys tracking MSAN bugs as security bugs? If yes, can you please file a tracking Mozilla bug for this qcms issue.
Comment 7 by noel@chromium.org, Jul 1 2014
test case for blink: https://codereview.chromium.org/363623002
Project Member Comment 8 by bugdroid1@chromium.org, Jul 1 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/32bcfeb0bce0b29d801a62328822b92620a9d595

commit 32bcfeb0bce0b29d801a62328822b92620a9d595
Author: noel@chromium.org <noel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Tue Jul 01 06:42:40 2014

Check for unused tag_len in read_nested_curveType()

TBR=darin@chromium.org
NOTRY=true
BUG= 390069 

Review URL: https://codereview.chromium.org/363593004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@280751 0039d316-1c4b-4281-b951-d872f2087c98


Project Member Comment 9 by bugdroid1@chromium.org, Jul 1 2014
------------------------------------------------------------------
r280751 | noel@chromium.org | 2014-07-01T06:42:40.036412Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/qcms/google.patch?r1=280751&r2=280750&pathrev=280751
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/qcms/README.chromium?r1=280751&r2=280750&pathrev=280751
   M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/qcms/src/iccread.c?r1=280751&r2=280750&pathrev=280751

Check for unused tag_len in read_nested_curveType()

TBR=darin@chromium.org
NOTRY=true
BUG= 390069 

Review URL: https://codereview.chromium.org/363593004
-----------------------------------------------------------------
Status: Fixed
Project Member Comment 11 by ClusterFuzz, Jul 1 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-37 M-36 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Comment 13 by noel@chromium.org, Jul 2 2014
No merges being done for the next two weeks, I believe.
Project Member Comment 14 by bugdroid1@chromium.org, Jul 2 2014
The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=177355

------------------------------------------------------------------
r177355 | eae@chromium.org | 2014-07-02T07:00:25.419568Z

Changed paths:

Auto-rebaseline for r177348

http://src.chromium.org/viewvc/blink?view=revision&revision=177348

BUG= 390069 
TBR=noel@chromium.org

Review URL: https://codereview.chromium.org/362223002
-----------------------------------------------------------------
Comment 15 by noel@chromium.org, Jul 2 2014
Cc: e...@chromium.org
+eae@ /curious that the rebaselined png images above all have the same checksum in their header ... is the rebaseline results optimizer disabled or something?

Comment 16 by e...@chromium.org, Jul 2 2014
Hmm, that seems odd. I'll look into it. Thanks Noel!
Labels: -Merge-Triage Merge-NA
Letting MSAN bugs >= Security_Severity-Medium roll in off trunk. Marking as Merge-NA.
Labels: -M-36 Release-0-M38
Project Member Comment 19 by ClusterFuzz, Oct 7 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 20 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic