Security: PDFium: Out-Of-Bounds Read in GetDWord_LSBFirst
Reported by stackexp...@gmail.com, Jun 2 2016
Issue description
Security: PDFium: Out-Of-Bounds Read in GetDWord_LSBFirst
VULNERABILITY DETAILS
This Out-Of-Bounds Read vulnerability was caused by the malformed bmp file embedded in the PDF document. More specifically, this issue can be triggered by embedding a malformed bmp file in the XFA component.
The latest dev version of chrome (52.0.2743.19 dev-m) was vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(33f4.5830): Access violation - code c0000005 (!!! second chance !!!)
eax=0a11affe ebx=0953cfc0 ecx=00004d42 edx=0a11affe esi=0a11ef38 edi=00000000
eip=006030e6 esp=0107f7a8 ebp=0107f7a8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
pdfium_test!`anonymous namespace'::GetDWord_LSBFirst+0x6:
006030e6 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0a11b001=??
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a edx
address 0a11affe found in
_DPH_HEAP_ROOT @ 3881000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a033c64: a11aff0 e - a11a000 2000
61a48e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
005aded4 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
005fe5b5 pdfium_test!CCodec_ProgressiveDecoder::DetectImageType+0x00000035 [core\fxcodec\codec\fx_codec_progress.cpp @ 1017]
005ffa3f pdfium_test!CCodec_ProgressiveDecoder::LoadImageInfo+0x0000009f [core\fxcodec\codec\fx_codec_progress.cpp @ 1290]
004a19e8 pdfium_test!XFA_LoadImageFromBuffer+0x00000078 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1073]
004a1927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0049514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
004951b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0048cfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
002696b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
0025e73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
00255517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
00255b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
0025bb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
005905d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Source Code Information
---------------------------
// TODO(thestig): Replace with FXDWORD_GET_LSBFIRST?
uint32_t GetDWord_LSBFirst(uint8_t* p) {
  return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
}
0:000> u eip
pdfium_test!`anonymous namespace'::GetDWord_LSBFirst+0x6 [core\fxcodec\lbmp\fx_bmp.cpp @ 18]:
006030e6 0fb64203 movzx eax,byte ptr [edx+3] ; <------ p[3], oob access!!!
006030ea 0fb64a02 movzx ecx,byte ptr [edx+2] ; <------ p[2]
006030ee c1e008 shl eax,8
006030f1 0bc1 or eax,ecx
006030f3 0fb64a01 movzx ecx,byte ptr [edx+1] ; <------ p[1]
006030f7 c1e008 shl eax,8
006030fa 0bc1 or eax,ecx
006030fc 0fb60a movzx ecx,byte ptr [edx] ; <------ p[0]
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
0107f7a8 00603df6 pdfium_test!`anonymous namespace'::GetDWord_LSBFirst+0x6 [core\fxcodec\lbmp\fx_bmp.cpp @ 18]
0107f7c8 00601738 pdfium_test!bmp_read_header+0xf6 [core\fxcodec\lbmp\fx_bmp.cpp @ 88]
0107f7d8 005fe68d pdfium_test!CCodec_BmpModule::ReadHeader+0x28 [core\fxcodec\codec\fx_codec_bmp.cpp @ 90]
0107f824 005ffa3f pdfium_test!CCodec_ProgressiveDecoder::DetectImageType+0x10d [core\fxcodec\codec\fx_codec_progress.cpp @ 1046]
0107f840 004a19e8 pdfium_test!CCodec_ProgressiveDecoder::LoadImageInfo+0x9f [core\fxcodec\codec\fx_codec_progress.cpp @ 1290]
0107f8b0 004a1927 pdfium_test!XFA_LoadImageFromBuffer+0x78 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1073]
0107f908 0049514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0107f93c 004951b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0107f948 0051a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0107f950 0048cd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0107f964 0048cfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0107f974 00269f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0107f9a4 002696b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0107f9b8 0025e73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0107f9cc 00255517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0107fac0 00255b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0107fbdc 0025bb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0107fd18 005905d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0107fd64 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0107fd70 77589a02 kernel32!BaseThreadInitThunk+0xe
0107fdb0 775899d5 ntdll!__RtlUserThreadStart+0x70
0107fdc8 00000000 ntdll!_RtlUserThreadStart+0x1b
---------------------------
PoC Diff
---------------------------
I've already done some difference reduction work. I'll attach the minimized proof-of-concept file.
The content of the minimized malformed bmp file can be presented as follows (in hex mode).
42 4D 7F 77 78 DD DD DD DD DD DD DD DD 00
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
The original normal bmp file, the malformed bmp file, and the proof-of-concept PDF file were all attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
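As an added example (not the reporter's or PDFium's code) of the bounds check the unchecked reader above lacks: a C parser for the BMP file header that tracks the bytes remaining and reports truncation instead of reading past the end of the 14-byte minimized input quoted in the report. The reader struct, the status enum and the 18-byte extended input are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over an input buffer that remembers how many bytes remain
 * (hypothetical helper, not PDFium's). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;   /* invariant: pos <= len */
} bmp_reader;

/* Unchecked little-endian read, the same shape as the page's
 * GetDWord_LSBFirst: nothing here verifies that p[3] is inside the buffer,
 * so every caller must have done that check first. */
static uint32_t get_dword_lsbfirst(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Checked readers: refuse to read past the end instead of faulting. */
static bool read_u16_le(bmp_reader *r, uint16_t *out) {
    if (r->len - r->pos < 2) return false;
    *out = (uint16_t)(r->data[r->pos] | (r->data[r->pos + 1] << 8));
    r->pos += 2;
    return true;
}

static bool read_u32_le(bmp_reader *r, uint32_t *out) {
    if (r->len - r->pos < 4) return false;
    *out = get_dword_lsbfirst(r->data + r->pos);
    r->pos += 4;
    return true;
}

typedef enum { BMP_OK = 0, BMP_BAD_MAGIC = 1, BMP_TRUNCATED = 2 } bmp_status;

typedef struct {
    uint32_t file_size;
    uint32_t data_offset;
    uint32_t info_header_size;
} bmp_header;

/* Parse the 14-byte BMP file header plus the first field of the info header
 * that follows it, failing cleanly when the input is too short. */
bmp_status parse_bmp_header(const uint8_t *buf, size_t len, bmp_header *h) {
    bmp_reader r = { buf, len, 0 };
    uint16_t magic, reserved1, reserved2;
    if (!read_u16_le(&r, &magic)) return BMP_TRUNCATED;
    if (magic != 0x4D42) return BMP_BAD_MAGIC;   /* "BM", the 0x4d42 seen in ecx */
    if (!read_u32_le(&r, &h->file_size)) return BMP_TRUNCATED;
    if (!read_u16_le(&r, &reserved1) || !read_u16_le(&r, &reserved2))
        return BMP_TRUNCATED;
    if (!read_u32_le(&r, &h->data_offset)) return BMP_TRUNCATED;
    /* The file header is complete. On the 14-byte PoC the cursor now sits at
     * the very end of the allocation, exactly where the report's unchecked
     * read of p[3] runs past it. */
    if (!read_u32_le(&r, &h->info_header_size)) return BMP_TRUNCATED;
    return BMP_OK;
}

/* Constructed input: the 14 bytes of the minimized BMP quoted in the report. */
static const uint8_t kMinimizedPoc[14] = {
    0x42, 0x4D, 0x7F, 0x77, 0x78, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0x00 };

/* Constructed input: the same header followed by an info-header size of 40. */
static const uint8_t kWithInfoSize[18] = {
    0x42, 0x4D, 0x7F, 0x77, 0x78, 0xDD, 0xDD, 0xDD, 0xDD,
    0xDD, 0xDD, 0xDD, 0xDD, 0x00, 0x28, 0x00, 0x00, 0x00 };

int main(void) {
    bmp_header h = { 0 };
    bmp_status s = parse_bmp_header(kMinimizedPoc, sizeof kMinimizedPoc, &h);
    printf("minimized PoC: status %d (2 = truncated)\n", (int)s);
    s = parse_bmp_header(kWithInfoSize, sizeof kWithInfoSize, &h);
    printf("extended input: status %d, info size %u\n", (int)s, h.info_header_size);
    return 0;
}
```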
Jun 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5680331957207040
Jun 3 2016
Thanks for the report. ochang@, could you PTAL?
Jun 3 2016
hong_zhang, could you please route this security bug to the appropriate person? thanks.
Jun 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5680331957207040
Uploader: felt@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60900000f53e
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Minimized Testcase (3.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ER4lpoTBDklulld-pVYM7G_OyP6HkluTvK6pER3A8LkdWh6hS4JeWA9r-f0Iury1RsQEMPkRBRTU9QwUUo5rLhaoH8zdx0zsckxS3DAXyQC5FaBStV7vq4Z1ZNrMhEh5yW7RhwOAuJ4ncGOEjSd0ZDeKODQ
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
Issue 618290 has been merged into this issue.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5680331957207040
Uploader: felt@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60900000f2fe
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=399086:399117
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96YBQQBBizeKRffa_CfeutuZY3Hn5hM38IicN4P8ilblZfl6LAXso0ZJaUIlOV8zXgkQ2pEAGrUD6TRD0B5FJVRJQHcfhlYrtoUVz77sb1rlC4ZBg6I4hZuUacNyjE5hmvrgM55p-Fzr8mYit8TR9IrQBEl9g
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4786702841544704
Fuzzer: libfuzzer_pdf_codec_png_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ee3e
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398287:398366
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966UFknlXOipiRCAMXkkm280WK2L7E-A-_GKuY2-1ERk75nvQhenI_U97iIcZNp0rg0U0cC9eq9QuYFY1t0HgJ6w1uDJEuC9zc2jqlh7RodFOXiD4VLuf7SjPHXFA6rCHVqQLRw0k5oRqFWSSe0VR6Vf0jIlw
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 16 2016
ClusterFuzz has detected this issue as fixed in range 400121:400191.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4786702841544704
Fuzzer: libfuzzer_pdf_codec_png_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ee3e
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398287:398366
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400121:400191
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966UFknlXOipiRCAMXkkm280WK2L7E-A-_GKuY2-1ERk75nvQhenI_U97iIcZNp0rg0U0cC9eq9QuYFY1t0HgJ6w1uDJEuC9zc2jqlh7RodFOXiD4VLuf7SjPHXFA6rCHVqQLRw0k5oRqFWSSe0VR6Vf0jIlw
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4559347355222016
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ee5f
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97zrU2V89pQAETKZ78kUIGGD7qU9sOeqmeVs5krz_75-tW-xqWBnVzRFGNygA94MdWwogc6xmk0v2-8Q4j2opctTkFupbGpRi6ahOofHxDhgF7vakRYV3O34kwCdpO5gWGMv3rzNm7ZKt1DK2XSJEkKsx5b6w?testcase_id=4559347355222016
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4872700048965632
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x60d00000d000
Crash State:
bmp_decode_rle4
CCodec_BmpModule::LoadImage
CCodec_ProgressiveDecoder::ContinueDecode
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (1.49 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94CuB60P9f8zBmcTV-taAKNsvm5OmoG-fVyyaEzu6Wx2Wp2gDZqN_T7CU9OGBBgfHtXvQO-_fYXNN5_A1nDNrAsitolXALpfj5PPZOZiznfOm0TqyUe9msThRcsnTqpmuPMoSPwn64eMWaF0V8C1HrK3kPdGg?testcase_id=4872700048965632
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4738385025695744
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000ef92
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jJKPp1Dn1641NJXpuiDi1n6HN_i1zF-TpiahTHpEhm4o88_jU5e_2IwCTMvIRGRhvRmRBf6Z6B4vpgTDqx75xWNfufpVHaBklkRKw8JnxraiD04_XG-aaSD6G4-T8YVloC24zMKWCls8ieDHvbJKwYX_DqQ?testcase_id=4738385025695744
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4559347355222016
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ee5f
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97zrU2V89pQAETKZ78kUIGGD7qU9sOeqmeVs5krz_75-tW-xqWBnVzRFGNygA94MdWwogc6xmk0v2-8Q4j2opctTkFupbGpRi6ahOofHxDhgF7vakRYV3O34kwCdpO5gWGMv3rzNm7ZKt1DK2XSJEkKsx5b6w?testcase_id=4559347355222016
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4928728933335040
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300000ed8e
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94wsrKFGfuESxHR2wsUzne_-uZE334DcN7GWnh5F6z9ZMSrEe5D3nfBSaSM_u28f57wqEVZ0vy2MZn4-jSnoG5mWwoicRFVDhintmYRMQpx30hgflpyKnWFd1cRvx00o1eClvtwNYK0_rkVhP9ySUpICGsD3g?testcase_id=4928728933335040
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269289443360768
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60400000dfb2
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96NQF4WEuFbzjmhR7N-mCOh35vXaO3rI4K38gsldzc8Wxs1iGbnDJCc23Aq-7Z8lp5g64izzb5gRZqJyR2KRUG6S70e6pLVCA3UCASVpWVUMqAUck3rOJ1cOAxeK2OerOm3vktMTzYQ-sXJI2NEuR9NVf33Pg?testcase_id=6269289443360768
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5096258192801792
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300000efc1
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95FipuoO2DaTQCVYT8RH8UH7FXhjzWBLlFQw9ui3mhLhVGD2ZAutuApinc-H6ZUq8q-EKnZeu5PrEzXq8mshY0E_sId3THEGUY_avy6ApXSG4U4Y7HqTSZte444z0IyuCY9TTE78XimX5zZVJuzTLDB8JoYcA?testcase_id=5096258192801792
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 407175:407311.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269289443360768
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60400000dfb2
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=407175:407311
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv953qOrjCLUjNqfmNUAghFOVNLHYDSzI3WaJJN8jJAL7iLmhJDPGVqQyMbPo5M4N2BsW3SpZz9DBYfN29UGNxDedg9p-IoUKl8nlASNcHfm5j0a1TTksYxyo3FvQ6ibnbk_gp-vdPDVgFWHTyVOzS_y6fWNU1g?testcase_id=6269289443360768
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5514760116502528
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60400000de31
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94q47L1QBV-fUpLLhT7DaJZWid1XEJcciKPQZYyIM9tFb8p5rz2EkOfmEZ1YhkXY9--ZBIQv_rdx2BECJ3a9_qN9WwXcBEMmQfEWypiXzIzAr0xWP0qZUp_Lwts6AasHMVDtsWfaawAepjz-XvRBaA3kodoQg?testcase_id=5514760116502528
Filer: tanin
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5538310495928320
Fuzzer: afl_pdf_codec_bmp_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300000efc9
Crash State:
bmp_read_header
CCodec_BmpModule::ReadHeader
CCodec_ProgressiveDecoder::DetectImageType
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ONWziYk2-ly8EAWbi84PAAfSXssbTDG0h_toxj6CfdB_u2QBOm0n0u9KybEeUEZLunF6_2nldQXU9HLFc12d9m2JBhloftv_dWyWiHINmtjyQEoG9zav5NDMzmh0S3NI7hsm8YLb-TFJ3MvI1V73FaIysYA?testcase_id=5538310495928320
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 8 2016
Kindly reminder: this issue is still reproducible.
Oct 12 2016
Issue 655106 has been merged into this issue.
Oct 17 2016
Issue 656562 has been merged into this issue.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5514760116502528
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60400000de31
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95wDrS-t1T0kgFV_Z8S390aWa0d0R8PeasFJgLuP8vsexPcGgCpd1xVjEJbzl8B06xngMT5yMtXNTeH7KWZ8MllMbiIy3e0Acp6_ngQDe524b78mkC11TfwfkzJl2ngFP3giUUbwOKUbIQPAmUorxe960LpKwoebkS7_-9oDxlJKTN6PmVh9Ms6Gbh0AQI_E2JaFXRdry4MZAoZZSz0zP9Auh8Z0BrUaiTRAESEzQHhRYzM9VI6C9FnMJmdYzs1uoLjEERObHAnERD6mlcLrMuSwL7kuWdaWy8Spv21lATkVxgRD-gU9gwO0H0nj605SkVwi47GHAb7RdoKxNdePvPxnK2TTJRrxTwYHtFDpV8Z60fgtm8?testcase_id=5514760116502528
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
Another bug "fixed" by https://pdfium.googlesource.com/pdfium/+/73c9f3bb3d82563d6d4496c4b0204d5c0825e8a2
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4928728933335040
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60300000ed8e
Crash State:
GetDWord_LSBFirst
bmp_read_header
CCodec_BmpModule::ReadHeader
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94HeYZkM9N0DwX9Aeo37S_r443YKE5Ahh7OoKLlmW7gfrB6UUE08p3khdBiiV14X7mppuB6vP7SPN6_64Pjmh7UVyI2BuT8uCbaUjZxfWbZa52rJcEK7Ahpm-NRtMFEQvzyJwjAUG8LBSFhx9bEGcURBSMLq0loFfmoLVypuE4ylAarjI0UMRc2BpmVzofKUSypwsFfa2k2yWm50JM5HU9jMuYQMpsuUQUEG1CSaB-Ajz9-ncSZimzYYXnRDlB_RonjNqlPpsGJxTHkjA04sNu9QboC_oWJFrhJsQlHBGpexSbKAeVSQJkcIzQ4R6LIPAvg7pAhaUiBDZDcPhvN3i2w-oMKkjC_KaIk8xt2RI_1l9vtb_A?testcase_id=4928728933335040
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid. (bulk edit)
Feb 5 2018
ClusterFuzz testcase 5538310495928320 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Feb 5 2018
Cannot reproduce this locally. Looked at the stats for this issue and no instances are being reported. Given that this doesn't even build correctly without modifying the args.gn being used, I am pretty sure ClusterFuzz is wrong.
May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 Deleted