Status: Fixed
Closed: Aug 2014
OS: All
Pri: 1
Type: Bug-Security
Labels: Nag
Use-after-free in CPDFSDK_PageView::LoadFXAnnots
Project Member Reported by clusterf...@chromium.org, Jul 20 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6246114120433664

Fuzzer: Ifratric_pdf_generic
Job Type: Windows_syzyasan_chrome

Crash Type: Use-after-free READ 4
Crash Address: 0x0a91c38b
Crash State:
  - crash stack -
  CPDFSDK_PageView::LoadFXAnnots
  CPDFSDK_Document::GetPageView
  - free stack -
  CPDFSDK_Document::ReMovePageView
  FORM_OnBeforeClosePage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=276657:277335

Minimized Testcase (2023.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Ko2UykFk5BR1Dt-NvHE0HslYxsVNuABG26VkpiOaxlhbzqlJxXUq0EwVHz1ZgI-X4sKpTXDslfOg-6ajQ2vG5xsRto8sINjBFPmJ8H4SBZwJENZncMSpQqrjW3xSFXyQoI2O219vercF7tVb7QYLrs7XjZ_r274cIT2ZqOIHsIDZYFyY
Filer: inferno@chromium.org
Cc: jun_f...@foxitsoftware.com
Labels: Cr-Internals-Plugins-PDF
Owner: bo...@foxitsoftware.com
Status: Assigned
Found using SyzyASAN, build instructions at https://code.google.com/p/sawbuck/wiki/SyzyASanHowTo
Labels: Security_Impact-Stable Security_Impact-Beta
Project Member Comment 3 by clusterf...@chromium.org, Jul 20 2014
Labels: Pri-1 M-36
Project Member Comment 4 by clusterf...@chromium.org, Jul 28 2014
Labels: -Security_Impact-Beta
Project Member Comment 5 by clusterf...@chromium.org, Jul 29 2014
Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Issue 393604 has been merged into this issue.
Project Member Comment 7 by clusterf...@chromium.org, Aug 1 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4656618228678656

Fuzzer: Ifratric_pdf_generic
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e0000e1f40
Crash State:
  - crash stack -
  CPDFSDK_PageView::LoadFXAnnots
  CPDFSDK_Document::GetPageView
  - free stack -
  CPDFSDK_Document::ReMovePageView
  chrome_pdf::PDFiumPage::Unload
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=216985:216992

Minimized Testcase (2023.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HAorQdrW8U5EIDXCgKGUM-f-Rs5Wwt7zkNV09B35XIHFah2vbMSRgHsZOjvY9r24TQvnfpRGOyI5D1RjQvAknTtL84f-i7P4roFg1a7BxkgyHARDTwgejSMY9_FxZjFgice8vEAz5VUW5H-E4_9Q86N65QZNFqexWTkLu4W8yd4VZa9Q

Additional requirements: Requires Gestures

Filer: inferno
Project Member Comment 8 by clusterf...@chromium.org, Aug 4 2014
ClusterFuzz has detected this issue as fixed in range 287261:287266.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4656618228678656

Fuzzer: Ifratric_pdf_generic
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e0000e1f40
Crash State:
  - crash stack -
  CPDFSDK_PageView::LoadFXAnnots
  CPDFSDK_Document::GetPageView
  - free stack -
  CPDFSDK_Document::ReMovePageView
  chrome_pdf::PDFiumPage::Unload
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=216985:216992
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=287261:287266

Minimized Testcase (2023.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HAorQdrW8U5EIDXCgKGUM-f-Rs5Wwt7zkNV09B35XIHFah2vbMSRgHsZOjvY9r24TQvnfpRGOyI5D1RjQvAknTtL84f-i7P4roFg1a7BxkgyHARDTwgejSMY9_FxZjFgice8vEAz5VUW5H-E4_9Q86N65QZNFqexWTkLu4W8yd4VZa9Q

Additional requirements: Requires Gestures

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Status: Fixed
Labels: -M-36 Release-0-M38
Project Member Comment 11 by clusterf...@chromium.org, Aug 9 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 12 by clusterf...@chromium.org, Nov 10 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 13 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic