
Issue 468167 link


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in parse_font_matrix

Project Member Reported by ClusterFuzz, Mar 18 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4950464961970176

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  parse_font_matrix
  parse_dict
  T1_Face_Init
  

Minimized Testcase (57.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97tSzF7EEWHlet4mRoKzZRGy6OZf-5NjJzO9YOob4l9ODGy6y_4Inw_zBpre5BqEk1O4mMmqxvLATQ6-JtU2VdaQuyai5yEPmp_uuii1whDUGukjIWvcM8vGTDi_-ywsgRszqCXDutwaS1aUSiLQI1GVfhoOfcY92hejYuCQmfhnptu5F4

Filer: inferno
 
Cc: attek...@gmail.com
Labels: Cr-Internals-Plugins-PDF
Owner: jun_f...@foxitsoftware.com
Status: Assigned
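The crash state above (parse_font_matrix called from parse_dict during T1_Face_Init) points at the Type 1 /FontMatrix parser, which must read exactly six numbers. The following is an added illustration of that bug class, written for this page and not the FreeType or PDFium code behind this fix: a helper that reads "up to six" numbers and reports how many it got, a caller that discards that count (so a short array leaves the tail of the matrix uninitialized, which is what MemorySanitizer reports as use-of-uninitialized-value), and a hardened caller that rejects the font instead. All function names and the sample dictionary entries are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FM_COUNT 6   /* a PostScript FontMatrix is always six numbers */

/*
 * Parse up to max_count numbers out of a PostScript array literal such as
 * "[0.001 0 0 0.001 0 0]" and store them in out[]. Returns how many numbers
 * were read. Like a ToFixedArray-style helper it writes only the slots it
 * actually filled; slots at or beyond the return value are left untouched.
 */
static int parse_number_array(const char *s, double *out, int max_count)
{
    int n = 0;

    while (*s != '\0' && *s != '[')
        s++;
    if (*s != '[')
        return 0;                      /* no array literal at all */
    s++;

    while (n < max_count) {
        char *end;
        double v;

        while (isspace((unsigned char)*s))
            s++;
        if (*s == ']' || *s == '\0')
            break;                     /* array ended early */
        v = strtod(s, &end);
        if (end == s)
            break;                     /* not a number: stop parsing */
        out[n++] = v;
        s = end;
    }
    return n;
}

/*
 * Vulnerable pattern (hypothetical, modelled on the crash state): the count
 * returned by the array parser is discarded. A font whose /FontMatrix holds
 * fewer than six numbers leaves matrix[count..5] holding whatever the caller
 * had there, typically stale stack contents, and later arithmetic on those
 * entries is a use of uninitialized memory.
 */
static void parse_font_matrix_unchecked(const char *dict_value,
                                        double matrix[FM_COUNT])
{
    (void)parse_number_array(dict_value, matrix, FM_COUNT);
}

/*
 * Hardened version: a short array is a malformed font. Returns 0 on success
 * and -1 on failure; on failure the matrix is zeroed so no caller can
 * consume partially-filled entries.
 */
static int parse_font_matrix_checked(const char *dict_value,
                                     double matrix[FM_COUNT])
{
    int got = parse_number_array(dict_value, matrix, FM_COUNT);

    if (got < FM_COUNT) {
        memset(matrix, 0, sizeof(double) * FM_COUNT);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample dictionary entries, not taken from any real font. */
    const char *full      = "/FontMatrix [0.001 0 0 0.001 0 0] readonly def";
    const char *truncated = "/FontMatrix [0.001 0 0] readonly def";
    double m[FM_COUNT];
    int i;

    /* A sentinel stands in for stale stack data so the gap is visible. */
    for (i = 0; i < FM_COUNT; i++)
        m[i] = -999.0;
    parse_font_matrix_unchecked(truncated, m);
    printf("unchecked, short array:");
    for (i = 0; i < FM_COUNT; i++)
        printf(" %g", m[i]);           /* slots 3..5 still hold the sentinel */
    printf("\n");

    printf("checked, short array: %d\n", parse_font_matrix_checked(truncated, m));
    printf("checked, full array:  %d\n", parse_font_matrix_checked(full, m));
    return 0;
}
```

Under MemorySanitizer the real bug needs no sentinel: the tool tracks the uninitialized bytes through the matrix and reports at the first branch or library call that depends on them, which is why the report lands inside parse_font_matrix rather than at the read itself.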

Comment 2 by ClusterFuzz, Mar 18 2015

Labels: Pri-1
Labels: M-43

Comment 4 by ClusterFuzz, Apr 8 2015

Labels: Nag
jun_fang@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: thestig@chromium.org tsepez@chromium.org kai_j...@foxitsoftware.com

Comment 7 by ClusterFuzz, Apr 22 2015

Labels: -Restrict-View-SecurityTeam M-42 Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Nag -M-42 -Merge-Triage Merge-Requested
Merge requested for M43 (branch 2357)
Cc: timwillis@chromium.org
Labels: -Merge-Requested Merge-Review-43 Hotlist-Merge-Review
[Automated comment] No bugdroid (commit) comments found, couldn't auto-approve, needs manual review.

Comment 11 by laforge@google.com, May 11 2015

Labels: -Merge-Review-43 Merge-Approved
I'll do the merge.

Comment 13 by bugdroid1@chromium.org, May 11 2015

Labels: -Merge-Approved merge-merged-2357
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=73326

------------------------------------------------------------------
r73326 | thestig@google.com | 2015-05-11T21:12:16.916094Z

-----------------------------------------------------------------
Labels: Release-0-M43
Labels: -reward-topanel reward-unpaid reward-1000 CVE-2015-1259
$500 for this report + $500 for the clusterfuzz bonus. Congrats!
Labels: -reward-unpaid reward-inprocess
Processing rewards - should be paid in approximately 2 weeks.
Labels: -reward-inprocess
Processing via our e-payment system can take up to two weeks, but the reward should be on its way to you. Thanks again for your help!

(Note: sorry for the delay here - it turns out in the new payment system, these payments were waiting for a second approval from me).

Comment 18 by ClusterFuzz, Jul 29 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
