Starred by 2 users
Status: Fixed
Closed: Nov 2014
Pri: 1
Type: Bug-Security
Heap-buffer-overflow in opj_jp2_apply_pclr
Reported by fuzzterc...@gmail.com, Nov 5 2014
VULNERABILITY DETAILS
Loading the attached testcase.pdf in pdfium_test causes a crash in libopenjpeg.

VERSION
Chrome Version: Tested in the ASAN prebuild "asan-symbolized-linux-release-302783"
Operating System: Linux debian 3.16-3-amd64 #1 SMP Debian 3.16.5-1 (2014-10-10) x86_64 GNU/Linux 

REPRODUCTION CASE
The attached testcase.pdf reproduces the issue.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: See the attached symbolised ASAN output in asan_sym.log
Attachments: asan_sym.log (7.3 KB), testcase.pdf (34.9 KB)
Project Member Comment 1 by clusterf...@chromium.org, Nov 5 2014
ClusterFuzz is analyzing your testcase. Chromium developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5649734646628352
Project Member Comment 2 by clusterf...@chromium.org, Nov 5 2014
Summary: Heap-buffer-overflow in opj_jp2_apply_pclr (was: Security: PDFium: heap-buffer-overflow in opj_jp2_apply_pclr)
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5649734646628352

Uploader: aarya@google.com
Job Type: Linux_asan_pdfium

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60900001c66c
Crash State:
  opj_jp2_apply_pclr
  opj_jp2_decode
  CJPX_Decoder::Init
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=299683:299856

Minimized Testcase (34.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94vyQVOli2mmCBW6hNACeawFWwRtPFYwpY3qFP44iI826RJRYr7st9MOWlqcwN7fm2b0B0ZZPAKzo131Q6NvAnFZXMUN2xTgFCOpLlWPuEI9JMqCDXfODVInloJUOSjZ3P4Z51HqpGyph7nhDZa1sDq1UYmgWGT7f5LrYG1GqBEF4wkKXo


Cc: jun_f...@foxitsoftware.com
Labels: Cr-Internals-Plugins-PDF Security_Severity-Medium reward-topanel
Owner: bo...@foxitsoftware.com
Status: Assigned
Project Member Comment 4 by clusterf...@chromium.org, Nov 5 2014
Labels: Pri-1 Stability-Memory-AddressSanitizer Security_Impact-Head
Labels: M-40
Project Member Comment 6 by clusterf...@chromium.org, Nov 11 2014
Labels: -Security_Impact-Head Security_Impact-Beta
Project Member Comment 7 by clusterf...@chromium.org, Nov 13 2014
Labels: Nag
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: anto...@gmail.com m.darb...@gmail.com
Hi Antonin, please take a look at this one. Thanks.
Project Member Comment 9 by clusterf...@chromium.org, Nov 21 2014
bo_xu@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 11 by clusterf...@chromium.org, Nov 24 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Merge-Triage Merge-Requested
Labels: -Merge-Requested Merge-Review Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.
Change looks pretty big, is this absolutely required?  Also, has this made it to canary/dev yet?
There's 3 bugs depending on the same merge and the other 2 have approvals. :)
This has been on canary for 2-3 weeks now.
Project Member Comment 16 by bugdroid1@chromium.org, Dec 16 2014
Labels: merge-merged-2214
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=65928

------------------------------------------------------------------
r65928 | thestig@google.com | 2014-12-16T06:55:04.676426Z

-----------------------------------------------------------------
Project Member Comment 17 by clusterf...@chromium.org, Dec 16 2014
Labels: -Security_Impact-Beta -Merge-Review -Hotlist-Merge-Review Security_Impact-Stable Release-0-M40
Labels: -reward-topanel -Nag reward-unpaid reward-500 CVE-2014-7947
$500 for this report... and it would have been another $500 if you used clusterfuzz, fuzztercluck! :)
Project Member Comment 20 by clusterf...@chromium.org, Mar 2 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Project Member Comment 22 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 23 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic