Issue 609042 Heap-buffer-overflow in Read
Project Member Reported by clusterf...@chromium.org, May 4 2016
Status: Fixed
Closed: May 2016
OS: Linux
Pri: 1
Type: Bug-Security

Blocking: issue 609152
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6689341115465728

Fuzzer: libfuzzer_convert_woff2ttf_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x62e000022836
Crash State:
  Read
  ReconstructGlyf
  ReconstructFont
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=390845:390847

Minimized Testcase (62.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97dSZqg-HWpBDcoaMTB6mRlchOzC1uhVb0rna2PzcdgP4PAczjvBF3UtYZ3GOQ_ufcQssSUs0HYDaIkvDiWkyq6hhtiNwBFQRrASkiRLBmhZb5I4LalaVDEQemXC8JMOoznz9Ptk_bwy_z4PAfXVefXAIC2Z8mY1op6KHh5IvCpJn5Wq34

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: och...@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>WebFonts
Labels: Pri-1
Cc: rsheeter@google.com
Owner: toyoshim@chromium.org
Project Member Comment 3 by clusterf...@chromium.org, May 4 2016
Status: Assigned
Project Member Comment 4 by sheriffbot@chromium.org, May 4 2016
Labels: M-52
Project Member Comment 5 by sheriffbot@chromium.org, May 4 2016
Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -mmoroz@google.com mmoroz@chromium.org
I don't seem to be able to access the minimized testcase. Is there a way I could gain access to that?
Attached.
fuzz-1-convert_woff2ttf_fuzzer (62.3 KB)
Looks like this has been fixed upstream: https://github.com/google/woff2/commit/a15a8ab
Status: Started
Thanks, I'm rolling the fixed revision.
Cc: ksakamoto@chromium.org
+ksakamoto@ for review.
kicked 'Redo' with 'Fixed'
Project Member Comment 14 by clusterf...@chromium.org, May 11 2016
ClusterFuzz has detected this issue as fixed in range 392544:392562.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392544:392562

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed
Blocking: 609152
Project Member Comment 17 by clusterf...@chromium.org, May 11 2016
Labels: Merge-NA
Project Member Comment 18 by sheriffbot@chromium.org, May 11 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Restrict-View-SecurityNotify -ClusterFuzz -merge-na Clusterfuzz Merge-na
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic