Undefined-shift in CXFA_FMCallExpression::ToJavaScript
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6033905710268416
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96GKM7pseNhKNfnM8wciZH61wDJqzL88AIejp_h8wiit5K2zIzZrr_P6Y7DruUgRganbbYExXa6NsoJpebFDE4-oSpvRcQvVIG-oZIQMDAlnOIfVDCkurpHaJPfcpQde-flsNhkm4fVQ_PpDhVYRjs6jnFFgA
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 15 2016

Apr 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5928837388435456
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMAdditiveExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (1.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94xN3iKUvIHekPJklvalUQg6trdpLev7O-Ey27zVeiIZuWKm8iDKlgCxdisTF4kS7dl3v0eGraUiFMSeTs8J40RG_GjbPFeJlpx68-Kvpa6rXmYEBYOV7CgGv0E2l2Fq1ihK26W1DUhAfYPVwbIyGtUNkxErg
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6033905710268416
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DyF3CxTWnJQsrA63_0YslIoXSshf450gjcKJ6Le_oQKLP_sBOcfZEV0FDU2-eB4HzQgAVbKGaxwaZc2v9fqK8wdHU80l1L9m__EBtdT_JrobIpnFIBXVU721C22n0HDAcyf4QzeO55ymwGEg_jwuIRSsFAQ?testcase_id=6033905710268416
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5928837388435456
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMAdditiveExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=386932:386961
Minimized Testcase (0.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv962_0s4lWrPgNG1NZyFANsWBTy0XyIevR_o5BXp9ecZbsow2DGPKTRW5D9A1Uj5zkxPx4PczAiKMTPhiOrYw0-x7kmwBcVIV-2a4BunjrdwXqzoBxtxR8h32YUwA8eYST7ImLeBBo07hIYwKUuZgTEgKSL3bA?testcase_id=5928837388435456
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4762888686534656
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9747upoJyR9qcFzTuKlwUsoHxQI4zLYtu3tsHVe6Un9Rk_VBY7i0LkS44MvNk-KP_QNL07qbWZxH16pCPVlAYwbpEIldKnWsRXxUO6Gs_ZP6b9wOW5WshRGoiFjp4WjxnP4HRZHawkrpXhAhEMb24054JGVHQ?testcase_id=4762888686534656
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6124728519753728
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97VEJGmguEevHfhAYr1poRzOP58Yn-oe-4C2BVsze6xQpAXtPxbDtx6z42NxJj_39skv2JcB5wZ4xervwDq5N2kue_hvMFIh1B4a6fZR8f87JDtiiu8f9E9ogdzHVrbYU_Xu1NO2rTMLZapdrOqpzJde5VCrw?testcase_id=6124728519753728
Filer: rnimmagadda
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Gentle ping. @tsepez: Could you please provide some update on this issue? Thank you.
Aug 2 2016

Aug 3 2016
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium.git/+/e85f971fe9ba628e46bcb0709d5da4368c15d0b0

commit e85f971fe9ba628e46bcb0709d5da4368c15d0b0
Author: dsinclair <dsinclair@chromium.org>
Date: Wed Aug 03 17:08:13 2016

Fix FMCallExpression undefined shift behaviour.

When determining which params should be an object and which are a value it is possible to overflow the int on the shift comparison (if there are more than 32 arguments). This never happens in practice as it's a controlled list of method calls which we pass objects for.

Cap the check at 32 for the shifting so it doesn't overflow. We can revisit and extend the value later if we ever have an internal formcalc method that needs an object in a position greater than 32.

BUG=chromium:603490
Review-Url: https://codereview.chromium.org/2206253002

[modify] https://crrev.com/e85f971fe9ba628e46bcb0709d5da4368c15d0b0/BUILD.gn
[modify] https://crrev.com/e85f971fe9ba628e46bcb0709d5da4368c15d0b0/pdfium.gyp
[modify] https://crrev.com/e85f971fe9ba628e46bcb0709d5da4368c15d0b0/xfa/fxfa/fm2js/xfa_simpleexpression.cpp
[add] https://crrev.com/e85f971fe9ba628e46bcb0709d5da4368c15d0b0/xfa/fxfa/fm2js/xfa_simpleexpression_unittest.cpp
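The defect the commit describes, as an added C example that is not PDFium's code: a constructed bitmask marks which arguments of a method call must be passed as objects, the unchecked form shifts `1u` by the argument index (undefined once the index reaches the operand width, which is what UBSan's undefined-shift check reports), and the fixed form caps the index at the 32-bit mask width as the commit does. `kObjectArgMask`, `ArgIsObjectUnchecked`, `ArgIsObject` and `ClassifyArgs` are assumed names.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed mask, not PDFium's: bit i set means "argument i of this
 * FormCalc method must be passed as an object rather than a value".
 * Here arguments 0 and 2 are object arguments. */
#define kObjectArgMask 0x00000005u

/* Number of bits in the mask type; a shift count >= this is undefined. */
#define kMaskBits (CHAR_BIT * sizeof(uint32_t))

/* Pre-fix shape of the check. For an index of 32 or more the shift count
 * equals or exceeds the operand width, which is the undefined shift that
 * UBSan reported. Not called below; shown only for contrast. */
bool ArgIsObjectUnchecked(uint32_t mask, size_t index) {
  return (mask & (1u << index)) != 0;
}

/* Fixed shape: cap the index at the mask width, as the PDFium commit does,
 * so the shift count is always in range. Arguments past the mask are
 * treated as plain values. */
bool ArgIsObject(uint32_t mask, size_t index) {
  if (index >= kMaskBits)
    return false;
  return (mask & (1u << index)) != 0;
}

/* Classify every argument of a call with argc arguments, the way a
 * translator deciding object-vs-value per argument would. is_object must
 * have room for argc entries; returns the number of object arguments. */
size_t ClassifyArgs(uint32_t mask, size_t argc, bool *is_object) {
  size_t objects = 0;
  for (size_t i = 0; i < argc; ++i) {
    is_object[i] = ArgIsObject(mask, i);
    if (is_object[i])
      ++objects;
  }
  return objects;
}
```

A call with more than 32 arguments, the case the fuzzer found, now walks past the mask without ever shifting by 32 or more.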
Aug 3 2016
This should be fixed on the next roll of PDFium.
Aug 3 2016

Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/aa065d9fed77b8cbdfe327b573e2f683c1ad6d6b

commit aa065d9fed77b8cbdfe327b573e2f683c1ad6d6b
Author: thestig <thestig@chromium.org>
Date: Thu Aug 04 13:52:19 2016

Roll PDFium ea3ff9e..a72ab5e

https://pdfium.googlesource.com/pdfium.git/+log/ea3ff9e..a72ab5e

BUG=62625, 603490, 633002, 633381
TBR=ochang@chromium.org
Review-Url: https://codereview.chromium.org/2216503002
Cr-Commit-Position: refs/heads/master@{#409771}

[modify] https://crrev.com/aa065d9fed77b8cbdfe327b573e2f683c1ad6d6b/DEPS
Aug 5 2016
ClusterFuzz has detected this issue as fixed in range 409727:409801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6124728519753728
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=409727:409801
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97VEJGmguEevHfhAYr1poRzOP58Yn-oe-4C2BVsze6xQpAXtPxbDtx6z42NxJj_39skv2JcB5wZ4xervwDq5N2kue_hvMFIh1B4a6fZR8f87JDtiiu8f9E9ogdzHVrbYU_Xu1NO2rTMLZapdrOqpzJde5VCrw?testcase_id=6124728519753728
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 5 2016
ClusterFuzz has detected this issue as fixed in range 409727:409801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4762888686534656
Fuzzer: libfuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  CXFA_FMCallExpression::ToJavaScript
  CXFA_FMMethodCallExpression::ToJavaScript
  CXFA_FMLogicalOrExpression::ToJavaScript
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=409727:409801
Minimized Testcase (0.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9747upoJyR9qcFzTuKlwUsoHxQI4zLYtu3tsHVe6Un9Rk_VBY7i0LkS44MvNk-KP_QNL07qbWZxH16pCPVlAYwbpEIldKnWsRXxUO6Gs_ZP6b9wOW5WshRGoiFjp4WjxnP4HRZHawkrpXhAhEMb24054JGVHQ?testcase_id=4762888686534656
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Apr 14 2016
Components: Internals>Plugins>PDF