Integer-overflow in CPDF_SyntaxParser::GetNextChar |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5559691593121792 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CPDF_SyntaxParser::GetNextChar CPDF_SyntaxParser::GetNextWordInternal GetNextWord Minimized Testcase (0.10 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96cTGEepHGlZZ7rmSe0ASinm7Ze5iMsSYtIJzkJBxrLl3Z65O9cSiIj_73Gjp5-CVmwUV_V8_7iKEPcuAe13f6e9MrhBGl-Lmx-Kn8_bUxvdVUu2Qhk8gw8mt0iuKD0chm2XjHH6PzU-2ZDAI8n9yrVq10c9w (oore%PDFrerkdakdc �%�( <<startxre/C 0C >0of>bj <</�/>[>>startxref 000000000000032895186217325595420% / Filer: mmoroz See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 15 2016
,
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5559691593121792 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CPDF_SyntaxParser::GetNextChar CPDF_SyntaxParser::GetNextWordInternal GetNextWord Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97y2DdMZh-zdNw_NMRV9VZ5pzQq4X75Efzp7gvuU9WGkJDUb8wPqKhDcXGFtXOKlUplNDGxr3aD6gajPdO-iF6RPlMEiyic1TtGY5sj4Av9m45lRk0a2hzM-C7uMnyfeQvj2lNJUnvqUW0VsoQKsvAm-FEABQ?testcase_id=5559691593121792 (oore%PDFrerkdakdc <</�/>[>>startxref 000000000000032895186217325595420% / See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5694779149254656 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CPDF_SyntaxParser::GetNextChar CPDF_SyntaxParser::GetNextWordInternal GetNextWord Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746 Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95IAx5oGWi_ezPJHjdzQQuGOXHYBPgc0TGiiMF0pHntyDR5V9gmr9HB2A_Hu9lD_UCve1h4QSXw6ijZYZurJzaRH8n3qQRHpis-7rIfqKtpceFRvQhMWYsAtDWS5m0n32Unp4bxHyfsv8d6H64VXdW-HyuD3g?testcase_id=5694779149254656 %/MITPDF %PDF L4 /L/4 450%PDF�)startxref 011188180104501881810. P0$% D Filer: ajha See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 3 2017
,
May 3 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/746babded81e9de3fc132fd670386382c031fa74 commit 746babded81e9de3fc132fd670386382c031fa74 Author: Nicolas Pena <npm@chromium.org> Date: Wed May 03 16:49:52 2017 SetPos to at most the file length to avoid overflows This CL prevents arbitrary position setting which may cause integer overflows. In the bug in question, the PDF says the xrefs are located in a huge position. This then causes problems when calling CPDF_SyntaxParser methods. Bug: chromium:603545 Change-Id: I5f94c38f46a0217e9f12f1bf8b2f3bee3b03cb35 Reviewed-on: https://pdfium-review.googlesource.com/4813 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> [modify] https://crrev.com/746babded81e9de3fc132fd670386382c031fa74/core/fpdfapi/parser/cpdf_syntax_parser.h [modify] https://crrev.com/746babded81e9de3fc132fd670386382c031fa74/core/fpdfapi/parser/cpdf_parser.cpp [modify] https://crrev.com/746babded81e9de3fc132fd670386382c031fa74/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp [modify] https://crrev.com/746babded81e9de3fc132fd670386382c031fa74/core/fpdfapi/parser/cpdf_data_avail.cpp
,
May 4 2017
ClusterFuzz has detected this issue as fixed in range 469038:469104. Detailed report: https://clusterfuzz.com/testcase?key=5694779149254656 Fuzzer: libfuzzer_pdfium_fuzzer Job Type: libfuzzer_chrome_ubsan Platform Id: linux Crash Type: Integer-overflow Crash Address: Crash State: CPDF_SyntaxParser::GetNextChar CPDF_SyntaxParser::GetNextWordInternal CPDF_SyntaxParser::GetKeyword Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=395640:395746 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=469038:469104 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5694779149254656 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 4 2017
ClusterFuzz testcase 5694779149254656 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by mmoroz@chromium.org
, Apr 14 2016Components: Internals>Plugins>PDF