Status: Fixed
Owner:
Closed: Dec 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
UNKNOWN in TcmapEncodingTable::GetSubtableAtIndex
Project Member Reported by clusterf...@chromium.org, Sep 22 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5029534366695424

Fuzzer: Attekett_surku_fuzzer
Job Type: Mac_asan_chrome

Crash Type: UNKNOWN
Crash Address: 0x24538dc1
Crash State:
  TcmapEncodingTable::GetSubtableAtIndex
  TcmapEncodingTable::FindPreferredMacCmap
  TcmapEncodingTable::TcmapEncodingTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=273280:273333

Minimized Testcase (153.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv941I92M0dEqZ7KReaM79jmGK5g6_c2Qe5a6Y0we8QLwhVt-sPZuxoqkpDG-_jVV8C2RI2IYyqQDbzitEK4hnmmZHMgQWD015KroLOyreqbCUA6fqZK2B5VnAAiaT8ty7maQEoZ-fiGen2W29y2KH6CZA8bLf8Ec9ZO7-YjPHh19HFhQwmo

Filer: inferno
 
Cc: attek...@gmail.com jun_f...@foxitsoftware.com
Owner: bo...@foxitsoftware.com
Status: Assigned
Project Member Comment 2 by clusterf...@chromium.org, Sep 22 2014
Labels: Pri-1 M-37
Project Member Comment 3 by clusterf...@chromium.org, Sep 29 2014
Labels: -M-37 M-38
Project Member Comment 4 by clusterf...@chromium.org, Sep 29 2014
Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 5 by clusterf...@chromium.org, Oct 7 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Cc: timwillis@chromium.org
Labels: -M-38 M-39
Bumping to M39
Project Member Comment 7 by clusterf...@chromium.org, Oct 14 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 8 by clusterf...@chromium.org, Oct 22 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 9 by clusterf...@chromium.org, Oct 22 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6083843508404224

Fuzzer: Ifratric_pdf_generic
Job Type: Mac_asan_chrome

Crash Type: UNKNOWN
Crash Address: 0x2422737b
Crash State:
  TcmapEncodingTable::GetSubtableAtIndex
  TcmapEncodingTable::FindPreferredMacCmap
  TcmapEncodingTable::TcmapEncodingTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=271393:271739

Minimized Testcase (1597.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv961OLjLo_gPnHgokafvFjR25AYqJpc5HLyx2sWE-IwR5S_XtUUXJlKi06weuAc4CJqxEbMiQGs2L4lw-pDU3686P4sQDSca3h7hOlXrO5uerFM_kLwch3uiwTQQ-fmkMcAttnKx5B8LHpJ3a6YqUyNovgSKsRsSDzQz8xN6E0WxxItp7i0

Filer: inferno
Project Member Comment 10 by clusterf...@chromium.org, Oct 29 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 11 by clusterf...@chromium.org, Nov 5 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 12 by clusterf...@chromium.org, Nov 13 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 13 by clusterf...@chromium.org, Nov 20 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

Project Member Comment 14 by clusterf...@chromium.org, Nov 22 2014
Labels: Deadline-Exceeded
You have far exceeded the 60-day deadline for fixing this high severity security vulnerability.

We commit ourselves to this deadline and appreciate your utmost priority on this issue.

If you are unable to look into this soon, please find someone else to own this.

- Your friendly ClusterFuzz
Project Member Comment 15 by clusterf...@chromium.org, Dec 16 2014
ClusterFuzz has detected this issue as fixed in range 305030:305059.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5029534366695424

Fuzzer: Attekett_surku_fuzzer
Job Type: Mac_asan_chrome

Crash Type: UNKNOWN
Crash Address: 0x24538dc1
Crash State:
  TcmapEncodingTable::GetSubtableAtIndex
  TcmapEncodingTable::FindPreferredMacCmap
  TcmapEncodingTable::TcmapEncodingTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=273998:274265
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=305030:305059

Minimized Testcase (153.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hQMJJDCOciQMvb3QoIkI4SIxiTSR-i67nGHQnvYv-_m_ch9nGTYusPBIsm08oFJIxQQDcLBIBi7rEoEsbucAThWpPuIe6T0sit0NShfTwL7GUs-9D-JYGm6cH8Pulv-6tZxuIWSDzk8m4emDspZbVy26ljwlBcq23Rhti_3OXWqLSK0o

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Cc: thestig@chromium.org
@thestig, is there a fast way (Google internal tool) to bisect the PDFium/Chromium revision that fixes this issue?
Probably do a manual bisect if needed. The changelog for the "fixed" range is https://chromium.googlesource.com/chromium/src/+log/56c60209b09297951f2321d5b5818e1a97dca465..512e25f331e03b33c60d9e9ec6fcb9f42761985e?pretty=fuller and I don't see what would have fixed this.
Project Member Comment 18 by clusterf...@chromium.org, Dec 16 2014
ClusterFuzz has detected this issue as fixed in range 305030:305059.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6083843508404224

Fuzzer: Ifratric_pdf_generic
Job Type: Mac_asan_chrome

Crash Type: UNKNOWN
Crash Address: 0x2422737b
Crash State:
  TcmapEncodingTable::GetSubtableAtIndex
  TcmapEncodingTable::FindPreferredMacCmap
  TcmapEncodingTable::TcmapEncodingTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=281494:281514
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=305030:305059

Minimized Testcase (1597.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv961OLjLo_gPnHgokafvFjR25AYqJpc5HLyx2sWE-IwR5S_XtUUXJlKi06weuAc4CJqxEbMiQGs2L4lw-pDU3686P4sQDSca3h7hOlXrO5uerFM_kLwch3uiwTQQ-fmkMcAttnKx5B8LHpJ3a6YqUyNovgSKsRsSDzQz8xN6E0WxxItp7i0

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Status: Started
The fix is https://chromium.googlesource.com/chromium/src/+/602b4bf2748b43b9cb697b039a35131b9e0c913c

So it looks like the bug is due to the Mac 32-bit build.
Cc: rsesek@chromium.org
+rsesek to help take a look. This is crashing in OS X code, right?
Yep, OS X crash
@rsesek, any thought on this? Shall we close the issue?
Project Member Comment 23 by clusterf...@chromium.org, Dec 20 2014
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6321027008167936
Cc: -rsesek@chromium.org bo...@foxitsoftware.com
Owner: rsesek@chromium.org
Status: Fixed
rsesek@ - is 64-bit mac stable enough to enable on M40 ?
Project Member Comment 25 by clusterf...@chromium.org, Dec 21 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-40 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Mac is now 64-bit only, so yes.

This crash looks like it's inside Apple's typesetting engine.
Labels: -M-39 -Nag -Merge-Triage Release-0-M40
Labels: -reward-topanel reward-unpaid CVE-2014-7938 reward-1000
$1000 for this report. Notes from reward panel: "Doesn't affect Mac 64-bit though $500 reward as report received before Mac 64-bit went to stable channel. +$500 ClusterFuzz bonus".
Comment 29 by e...@chromium.org, Jan 26 2015
Cc: dominik....@intel.com
Labels: -reward-unpaid reward-inprocess
Project Member Comment 31 by clusterf...@chromium.org, Mar 28 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system can take up to six weeks, but the reward should be on its way to you. Thanks again for your help!
Comment 33 by laforge@google.com, Jun 13 2015
Cc: drott@chromium.org
Comment 34 by laforge@google.com, Jun 13 2015
Attempting to remove dominik.rottsches@intel.com from cc.
Project Member Comment 35 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 36 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

Labels: allpublic