Status: Fixed
Closed: Nov 2015
OS: Linux
Pri: 1
Type: Bug-Security
Heap-buffer-overflow in CPDF_DIBSource::DownSampleScanline32Bit
Project Member Reported by ClusterFuzz, Nov 10 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5349857148010496

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61800000f7b2
Crash State:
  CPDF_DIBSource::DownSampleScanline32Bit
  CPDF_DIBSource::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
  

Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kjY2nNWevY4g1HSs9xuj-KKD_u0JImEYeMtBszRAj1bCZVsG73kZtdMLxVWc3HRmTkEBbwNllw88LUyOz-PdWhpm_1YKMH1clqPPSF6xFlz1XvjL0E1gWgH_xtmHTay6Wh8Rsq67aiAzsw5o0LKPJ9huAPg

Filer: mjurczyk

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by mjurczyk@google.com, Nov 10 2015
The issue is tracked at https://code.google.com/p/google-security-research/issues/detail?id=625 on the Project Zero side.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 2 by mjurczyk@google.com, Nov 10 2015
Also submitted another testcase at https://cluster-fuzz.appspot.com/testcase?key=5165098258137088, which crashes at a nearby location, and probably has the same root cause.
Labels: M-47
Owner: cevans@chromium.org
Project Member Comment 4 by ClusterFuzz, Nov 10 2015
Labels: Pri-1
Status: Assigned
Project Member Comment 5 by ClusterFuzz, Nov 10 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5349857148010496

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61800000f7b2
Crash State:
  CPDF_DIBSource::DownSampleScanline32Bit
  CPDF_DIBSource::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=350971:350997

Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kjY2nNWevY4g1HSs9xuj-KKD_u0JImEYeMtBszRAj1bCZVsG73kZtdMLxVWc3HRmTkEBbwNllw88LUyOz-PdWhpm_1YKMH1clqPPSF6xFlz1XvjL0E1gWgH_xtmHTay6Wh8Rsq67aiAzsw5o0LKPJ9huAPg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 6 by ClusterFuzz, Nov 10 2015
Owner: och...@chromium.org
uh, cevans@ isn't here anymore. I'll take this one.
Comment 7 by och...@chromium.org, Nov 11 2015
CPDF_DIBSource::DownSampleScanline32Bit looks very wrong when bits per component is not aligned to 8.... there are 2 issues here (from the 2 testcases):

- |pSrcPixel| always starts at a byte boundary, which is wrong when component bits are extracted using that as a starting point

- if (!m_bDefaultDecode), colour components are accessed byte by byte regardless of |m_bpc|
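As an added illustration of the two problems named above (this is not pdfium's code; the function and sample names are my own): a bounds-checked, bit-exact component reader for sub-byte bits-per-component, beside the byte-aligned pattern the comment describes, run on a constructed 4 bpc, 3-component scanline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Bit-exact read of component `comp` of pixel `x` from a packed scanline:
 * `bpc` bits per component (1, 2, 4, 8 or 16), `ncomps` components per
 * pixel, most-significant bit first, no padding between pixels.
 * Returns false instead of reading beyond `src_len` bytes. */
bool read_component(const uint8_t *src, size_t src_len, unsigned bpc,
                    unsigned ncomps, size_t x, unsigned comp, uint32_t *out) {
    if (bpc == 0 || bpc > 16 || (bpc & (bpc - 1)) || comp >= ncomps)
        return false;
    /* Bit offset, not byte offset: for bpc < 8 a pixel may start mid-byte. */
    uint64_t bit = ((uint64_t)x * ncomps + comp) * bpc;
    uint64_t end = bit + bpc;
    if (end > (uint64_t)src_len * 8)          /* explicit bounds check */
        return false;
    uint32_t v = 0;
    for (uint64_t b = bit; b < end; b++)
        v = (v << 1) | ((src[b / 8] >> (7 - (b % 8))) & 1u);
    *out = v;
    return true;
}

/* The flawed pattern from the comment, for contrast: the pixel pointer is
 * rounded down to a byte boundary and each component is read as a whole
 * byte regardless of bpc. Here the read is at least bounds-checked. */
bool read_component_bytewise(const uint8_t *src, size_t src_len, unsigned bpc,
                             unsigned ncomps, size_t x, unsigned comp, uint32_t *out) {
    size_t byte = x * ncomps * bpc / 8 + comp;
    if (byte >= src_len)
        return false;                         /* unchecked, this reads past the line */
    *out = src[byte];
    return true;
}

/* Constructed sample line: 2 pixels x 3 components at 4 bpc = 3 bytes,
 * holding components 1,2,3 (pixel 0) and 4,5,6 (pixel 1). */
static const uint8_t kLine[3] = {0x12, 0x34, 0x56};

/* Value of the requested component, or -1 if the read would leave the buffer. */
long sample_component(bool bytewise, size_t x, unsigned comp) {
    uint32_t v;
    bool ok = bytewise
        ? read_component_bytewise(kLine, sizeof kLine, 4, 3, x, comp, &v)
        : read_component(kLine, sizeof kLine, 4, 3, x, comp, &v);
    return ok ? (long)v : -1;
}
```

On the sample line the byte-wise reader returns a whole neighbouring byte for pixel 0 and steps past the 3-byte buffer for the last component of pixel 1, which is the out-of-bounds read ASan reports.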


Status: Fixed
Project Member Comment 10 by ClusterFuzz, Nov 12 2015
Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 M-46 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz
Labels: Merge-Request-47
Comment 13 by tin...@google.com, Nov 13 2015
Labels: -Merge-Request-47 Merge-Review-47 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Labels: -Merge-Review-47 -Hotlist-Merge-Review Merge-Approved-47 Hotlist-Merge-Approved
Approved for M47 (branch 2526)
Project Member Comment 15 by bugdroid1@chromium.org, Nov 14 2015
Labels: -Merge-Approved-47 merge-merged-2526
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=80624

------------------------------------------------------------------
r80624 | ochang@google.com | 2015-11-14T00:29:17.698857Z

-----------------------------------------------------------------
Project Member Comment 16 by ClusterFuzz, Nov 14 2015
ClusterFuzz has detected this issue as fixed in range 359427:359653.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5349857148010496

Uploader: mjurczyk@google.com
Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61800000f7b2
Crash State:
  CPDF_DIBSource::DownSampleScanline32Bit
  CPDF_DIBSource::DownSampleScanline
  CFX_ImageStretcher::ContinueQuickStretch
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=350971:350997
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=359427:359653

Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kjY2nNWevY4g1HSs9xuj-KKD_u0JImEYeMtBszRAj1bCZVsG73kZtdMLxVWc3HRmTkEBbwNllw88LUyOz-PdWhpm_1YKMH1clqPPSF6xFlz1XvjL0E1gWgH_xtmHTay6Wh8Rsq67aiAzsw5o0LKPJ9huAPg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: timwillis@chromium.org
Labels: -Merge-Triage -M-48 -M-46 Release-0-M47
Issue 560703 has been merged into this issue.
Project Member Comment 19 by ClusterFuzz, Mar 2 2016
Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly Sheriffbot
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic