
Issue 425151 link

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Heap-buffer-overflow in opj_tcd_init_decode_tile

Project Member Reported by ClusterFuzz, Oct 20 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5840833487044608

Uploader: mjurczyk@google.com
Job Type: Linux_asan_pdfium

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x60900000b910
Crash State:
  opj_tcd_init_decode_tile
  opj_j2k_read_tile_header
  opj_j2k_decode_tiles

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94RUplrJD3B5owiCHQ3mx_srkG6qxGxjfIiBO6QctDx8FlY49SX-U2jGZqvU2Z18QioMIjGoWJQ4shdtWryqAx5OuPoGD8vO7rmYI4PHcvoVlraWJLFUTzkNyl5_Jo0O5I216R0uipvAb_xe41XEBgeB2tUk5F9pSpyRmTcs3Lj9N-iuyE


Filer: mjurczyk
Cc: jun_f...@foxitsoftware.com
Labels: Cr-Internals-Plugins-PDF
Owner: bo...@foxitsoftware.com
Status: Assigned

Comment 3 by ClusterFuzz, Oct 20 2014

Labels: Pri-1
Cc: mathieu....@gmail.com m.darb...@gmail.com anto...@gmail.com
@m.darbois, can you take a look at this one? Thanks.

Comment 5 by ClusterFuzz, Oct 21 2014


Comment 6 by m.darb...@gmail.com, Oct 22 2014

@bo_xu,

Can you attach the pdf please?
Test file attached: signal_sigsegv_f65057_219_1144.pdf (8.5 MB)

Comment 8 by ClusterFuzz, Oct 24 2014


Comment 9 by ClusterFuzz, Oct 26 2014

Labels: Missing_Impact-2

Comment 10 by ClusterFuzz, Oct 27 2014

Labels: -Missing_Impact-2 Missing_Impact-3

Comment 11 by ClusterFuzz, Oct 29 2014

Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 12 by ClusterFuzz, Oct 29 2014

Labels: -Missing_Impact-3 Missing_Impact-4

Comment 14 by ClusterFuzz, Oct 30 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Nag -Missing_Impact-4 -Merge-Triage M-39 Security_Impact-Stable Merge-Requested
Labels: -Merge-Requested Merge-Approved
Merge approved for M39 branch 2171. Please merge this before Nov 3 if possible; email me if you have any issues.
Labels: Merge-Merged
Cc: amineer@chromium.org
Dev/Bug owner, please merge to M-39 branch 2171 asap. We need all these security fixes to go into the first stable.
Labels: -Merge-Approved Release-0-M39
I just merged to M40. Do we want to merge to M39 still?
Labels: -M-39 -Release-0-M39 Release-0-M40
Nope, we won't have more M39 patches; will just release in M40.

Comment 22 by ClusterFuzz, Feb 6 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

Labels: allpublic