Security: PDFium: Out-Of-Bounds Read in CCodec_ProgressiveDecoder::ReSampleScanline
Reported by stackexp...@gmail.com, Jun 2 2016
Issue description
VULNERABILITY DETAILS
This out-of-bounds read vulnerability is caused by a malformed BMP file embedded in the PDF document. More specifically, the issue can be triggered by embedding a malformed BMP file in the XFA component.
The latest dev version of Chrome (52.0.2743.19 dev-m) is vulnerable to this issue.
---------------------------
Exception Information
---------------------------
(39b8.1104): Access violation - code c0000005 (!!! second chance !!!)
eax=0000000f ebx=0a116fd0 ecx=0a15dff0 edx=00010000 esi=0a118d04 edi=00000001
eip=0175043b esp=0039f334 ebp=0039f370 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
pdfium_test!CCodec_ProgressiveDecoder::ReSampleScanline+0x41b:
0175043b 8b0c81 mov ecx,dword ptr [ecx+eax*4] ds:002b:0a15e02c=????????
---------------------------
Heap Information
---------------------------
0:000> !heap -p -a ecx
address 0a15dff0 found in
_DPH_HEAP_ROOT @ 3a1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a0839f4: a15dff0 c - a15d000 2000
61188e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77621d4e ntdll!RtlDebugAllocateHeap+0x00000030
775db586 ntdll!RtlpAllocateHeap+0x000000c4
77583541 ntdll!RtlAllocateHeap+0x0000023a
016fded4 pdfium_test!_calloc_base+0x00000047 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\calloc_base.cpp @ 33]
013acb7e pdfium_test!FX_AllocOrDie+0x0000000e [core\fxcrt\include\fx_memory.h @ 39]
0174e725 pdfium_test!CCodec_ProgressiveDecoder::DetectImageType+0x000001a5 [core\fxcodec\codec\fx_codec_progress.cpp @ 1062]
0174fa3f pdfium_test!CCodec_ProgressiveDecoder::LoadImageInfo+0x0000009f [core\fxcodec\codec\fx_codec_progress.cpp @ 1290]
015f19e8 pdfium_test!XFA_LoadImageFromBuffer+0x00000078 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1073]
015f1927 pdfium_test!XFA_LoadImageData+0x00000277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
015e514b pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x0000006b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
015e51b1 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x00000011 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
015dcfa8 pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x00000018 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
013b96b7 pdfium_test!CPDFSDK_Document::GetPageView+0x00000087 [fpdfsdk\fsdk_mgr.cpp @ 268]
013ae73e pdfium_test!FORM_OnAfterLoadPage+0x0000002e [fpdfsdk\fpdfformfill.cpp @ 642]
013a5517 pdfium_test!RenderPage+0x00000047 [samples\pdfium_test.cc @ 498]
013a5b02 pdfium_test!RenderPdf+0x00000302 [samples\pdfium_test.cc @ 694]
013abb1e pdfium_test!main+0x0000042e [samples\pdfium_test.cc @ 836]
016e05d6 pdfium_test!__scrt_common_main_seh+0x000000ff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
7528338a kernel32!BaseThreadInitThunk+0x0000000e
77589a02 ntdll!__RtlUserThreadStart+0x00000070
775899d5 ntdll!_RtlUserThreadStart+0x0000001b
---------------------------
Source Code Information
---------------------------
case 8: {
  int des_r = 0, des_g = 0, des_b = 0;
  for (int j = pPixelWeights->m_SrcStart; j <= pPixelWeights->m_SrcEnd;
       j++) {
    int pixel_weight =
        pPixelWeights->m_Weights[j - pPixelWeights->m_SrcStart];
    // src_scan[j] is an 8-bit pixel value (0..255), but m_pSrcPalette holds
    // only biClrUsed entries (3 in the PoC: the 0xc-byte heap block above),
    // so any pixel value >= biClrUsed reads past the allocation.
    unsigned long argb = m_pSrcPalette[src_scan[j]]; // <------------------ CRASHED!!!
    des_r += pixel_weight * (uint8_t)(argb >> 16);
    des_g += pixel_weight * (uint8_t)(argb >> 8);
    des_b += pixel_weight * (uint8_t)argb;
  }
  *des_scan++ = (uint8_t)((des_b) >> 16);
  *des_scan++ = (uint8_t)((des_g) >> 16);
  *des_scan++ = (uint8_t)((des_r) >> 16);
  des_scan += des_Bpp - 3;
} break;
---------------------------
Stacktrace Information
---------------------------
0:000> k
ChildEBP RetAddr
0039f370 0174d3de pdfium_test!CCodec_ProgressiveDecoder::ReSampleScanline+0x41b [core\fxcodec\codec\fx_codec_progress.cpp @ 1563]
0039f39c 017518ca pdfium_test!CCodec_ProgressiveDecoder::BmpReadScanlineCallback+0x8e [core\fxcodec\codec\fx_codec_progress.cpp @ 917]
0039f3b0 01753495 pdfium_test!bmp_read_scanline+0x1a [core\fxcodec\codec\fx_codec_bmp.cpp @ 37]
0039f3dc 0175322f pdfium_test!bmp_decode_rgb+0x215 [core\fxcodec\lbmp\fx_bmp.cpp @ 377]
0039f3ec 01751706 pdfium_test!bmp_decode_image+0x9f [core\fxcodec\lbmp\fx_bmp.cpp @ 312]
0039f3f8 0174df64 pdfium_test!CCodec_BmpModule::LoadImageW+0x26 [core\fxcodec\codec\fx_codec_bmp.cpp @ 112]
0039f434 015f1b22 pdfium_test!CCodec_ProgressiveDecoder::ContinueDecode+0x2a4 [core\fxcodec\codec\fx_codec_progress.cpp @ 2145]
0039f49c 015f1927 pdfium_test!XFA_LoadImageFromBuffer+0x1b2 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1107]
0039f4f4 015e514b pdfium_test!XFA_LoadImageData+0x277 [xfa\fxfa\app\xfa_ffwidget.cpp @ 1032]
0039f528 015e51b1 pdfium_test!CXFA_ImageLayoutData::LoadImageData+0x6b [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 96]
0039f534 0166a488 pdfium_test!CXFA_WidgetAcc::LoadImageImage+0x11 [xfa\fxfa\app\xfa_ffwidgetacc.cpp @ 1002]
0039f53c 015dcd83 pdfium_test!CXFA_FFImage::LoadWidget+0x28 [xfa\fxfa\app\xfa_ffimage.cpp @ 28]
0039f550 015dcfa8 pdfium_test!CXFA_FFPageWidgetIterator::GetWidget+0x83 [xfa\fxfa\app\xfa_ffpageview.cpp @ 198]
0039f560 013b9f4d pdfium_test!CXFA_FFPageWidgetIterator::MoveToNext+0x18 [xfa\fxfa\app\xfa_ffpageview.cpp @ 166]
0039f590 013b96b7 pdfium_test!CPDFSDK_PageView::LoadFXAnnots+0x8d [fpdfsdk\fsdk_mgr.cpp @ 921]
0039f5a4 013ae73e pdfium_test!CPDFSDK_Document::GetPageView+0x87 [fpdfsdk\fsdk_mgr.cpp @ 268]
(Inline) -------- pdfium_test!?A0x06ce08b4::FormHandleToPageView+0x2a [fpdfsdk\fpdfformfill.cpp @ 45]
0039f5b8 013a5517 pdfium_test!FORM_OnAfterLoadPage+0x2e [fpdfsdk\fpdfformfill.cpp @ 642]
0039f6ac 013a5b02 pdfium_test!RenderPage+0x47 [samples\pdfium_test.cc @ 498]
0039f7c8 013abb1e pdfium_test!RenderPdf+0x302 [samples\pdfium_test.cc @ 694]
0039f904 016e05d6 pdfium_test!main+0x42e [samples\pdfium_test.cc @ 836]
(Inline) -------- pdfium_test!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 74]
0039f950 7528338a pdfium_test!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
0039f95c 77589a02 kernel32!BaseThreadInitThunk+0xe
0039f99c 775899d5 ntdll!__RtlUserThreadStart+0x70
0039f9b4 00000000 ntdll!_RtlUserThreadStart+0x1b
---------------------------
PoC Diff
---------------------------
I've already done some difference reduction work. I'll attach the minimized proof-of-concept file.
The value of BITMAPINFOHEADER.biClrUsed was changed from 0x00000000 to 0x00000003.
VERSION
Chrome Version: [52.0.2743.19] + [dev]
Operating System: [Windows 7 SP1]
REPRODUCTION CASE
The original (normal) BMP file, the malformed BMP file, and the proof-of-concept PDF file are attached.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab]
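Editor's note on the mechanism, from the data in the report above: the PoC changes BITMAPINFOHEADER.biClrUsed from 0 to 3, the heap block backing m_pSrcPalette is 0xc bytes (three 4-byte entries), and the faulting instruction indexes it with eax = 0xf, an 8-bit pixel value that is a valid index only into a full 256-entry palette. The following C program is an added example, not PDFium code and not part of the original report: it builds a constructed one-row 8bpp BMP in memory with a chosen biClrUsed, sizes the palette from that field the way an indexed-colour decoder does, and converts the scanline while checking every pixel value against the palette actually present. The header layout is standard BMP, but the row {0, 1, 2, 15}, the palette contents and all function names are assumptions made for this demonstration.

```c
/* Added example, not PDFium code: size an 8-bit BMP palette from
 * BITMAPINFOHEADER.biClrUsed as an indexed-colour decoder does, then convert a
 * scanline while refusing pixel values that would index past it. Constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FILE_HDR 14
#define INFO_HDR 40
#define PAL_OFF (FILE_HDR + INFO_HDR) /* palette follows the two headers */

typedef struct {
    uint32_t width;
    uint32_t pal_count;     /* palette entries actually stored in the file */
    const uint8_t *palette; /* pal_count entries of 4 bytes: B, G, R, reserved */
    const uint8_t *pixels;  /* one scanline of 8-bit palette indices */
} bmp8_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* BMP rule for indexed images: biClrUsed == 0 means the full 2^bpp table, any
 * other value means that many entries. Values above 2^bpp are not trusted. */
uint32_t palette_entries(uint32_t bpp, uint32_t clr_used) {
    return (clr_used == 0 || clr_used > (1u << bpp)) ? (1u << bpp) : clr_used;
}

/* Constructed one-row 8bpp BMP (width <= 4 keeps the padded row at 4 bytes).
 * Palette entry i is written as B = G = R = i so lookups are easy to verify. */
size_t build_bmp8(uint32_t clr_used, const uint8_t *row, uint32_t width, uint8_t *out, size_t cap) {
    uint32_t n = palette_entries(8, clr_used), off = PAL_OFF + 4 * n;
    size_t len = off + 4;
    if (width == 0 || width > 4 || len > cap) return 0;
    memset(out, 0, len);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)len);
    wr32(out + 10, off);       /* bfOffBits: where pixel data starts */
    wr32(out + 14, INFO_HDR);  /* biSize */
    wr32(out + 18, width);     /* biWidth */
    wr32(out + 22, 1);         /* biHeight */
    out[26] = 1; out[28] = 8;  /* biPlanes, biBitCount */
    wr32(out + 46, clr_used);  /* biClrUsed: the field the PoC changed from 0 to 3 */
    for (uint32_t i = 0; i < n; i++)
        out[PAL_OFF + 4 * i] = out[PAL_OFF + 4 * i + 1] = out[PAL_OFF + 4 * i + 2] = (uint8_t)i;
    memcpy(out + off, row, width);
    return len;
}

/* Parse the headers with every offset checked against the buffer length. */
int parse_bmp8(const uint8_t *buf, size_t len, bmp8_t *b) {
    if (len < PAL_OFF || buf[0] != 'B' || buf[1] != 'M') return -1;
    if (rd32(buf + 14) != INFO_HDR || buf[28] != 8 || buf[29] != 0) return -1;
    uint32_t off = rd32(buf + 10);
    b->width = rd32(buf + 18);
    b->pal_count = palette_entries(8, rd32(buf + 46));
    size_t stride = ((size_t)b->width * 8 + 31) / 32 * 4;
    if (PAL_OFF + (size_t)4 * b->pal_count > off || off > len || stride > len - off) return -1;
    b->palette = buf + PAL_OFF; b->pixels = buf + off;
    return 0;
}

/* Position of the first pixel whose value is not a valid palette index, or -1.
 * In the crash dump that value was 0xf (eax) against a 0xc-byte, 3-entry palette. */
int first_oob_index(const bmp8_t *b) {
    for (uint32_t j = 0; j < b->width; j++)
        if (b->pixels[j] >= b->pal_count) return (int)j;
    return -1;
}

/* Convert one scanline to 24-bit BGR. Unlike the crashing loop, every index is
 * checked against the palette actually allocated first; -1 leaves dst untouched. */
int resample_row_checked(const bmp8_t *b, uint8_t *dst) {
    if (first_oob_index(b) != -1) return -1;
    for (uint32_t j = 0; j < b->width; j++)
        memcpy(dst + 3 * j, b->palette + 4 * b->pixels[j], 3);
    return 0;
}

/* Build, parse and convert the constructed row {0, 1, 2, 15}. Returns the rejected
 * pixel position, -1 when the row converted, -2 on a parse failure. dst may be NULL. */
int demo_row(uint32_t clr_used, uint8_t *dst) {
    static const uint8_t row[4] = {0, 1, 2, 15};
    uint8_t blob[2048], scratch[12];
    bmp8_t b;
    size_t len = build_bmp8(clr_used, row, 4, blob, sizeof blob);
    if (!len || parse_bmp8(blob, len, &b) != 0) return -2;
    if (!dst) dst = scratch;
    return resample_row_checked(&b, dst) == 0 ? -1 : first_oob_index(&b);
}

/* Blue byte of converted pixel j, or -1 if the row was rejected. */
int demo_blue(uint32_t clr_used, int j) {
    uint8_t dst[12] = {0};
    return demo_row(clr_used, dst) == -1 ? dst[3 * j] : -1;
}
```

With biClrUsed = 3 the row is rejected at pixel 3 (value 15, the same index the register dump shows in eax); with biClrUsed = 0 all four lookups land inside the 256-entry table. The comparison of the pixel value against the number of palette entries actually allocated is what the quoted case 8 loop lacks. An alternative hardening, not the one shown here, is to always allocate 2^bpp zero-filled entries regardless of biClrUsed so that no 8-bit value can leave the table.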
Jun 2 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5762716677701632
Jun 3 2016
tsepez, could you PTAL?
Jun 3 2016
hong_zhang, could you please route this security bug to the appropriate person? thanks.
Jun 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762716677701632 Uploader: felt@google.com Job Type: linux_asan_pdfium Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x6090000016ac Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893 Minimized Testcase (3.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97SCyXPnUu1CaLcPJ9KFEJGlM_3QpKIGIxy1B2mlwcCgfN6Ul2cyjElHp8S-urmDbh1Le9Y2jkE_RdxFg_HQj22eE6o7-Y8J3cqwXzd6JG6tDvr6AjVSkwlVwoDRpBcEgWb08rQTsjaemKHpeDK_20aoq4QeQ See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 10 2016
ClusterFuzz has detected this issue as fixed in range 399086:399117. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762716677701632 Uploader: felt@google.com Job Type: linux_asan_pdfium Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x6090000016ac Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=393856:393893 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=399086:399117 Minimized Testcase (3.92 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97SCyXPnUu1CaLcPJ9KFEJGlM_3QpKIGIxy1B2mlwcCgfN6Ul2cyjElHp8S-urmDbh1Le9Y2jkE_RdxFg_HQj22eE6o7-Y8J3cqwXzd6JG6tDvr6AjVSkwlVwoDRpBcEgWb08rQTsjaemKHpeDK_20aoq4QeQ See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 14 2016
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Jun 15 2016
[Bulk edit] Per inferno@, Security_Impact=None bugs should not be release blockers.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6332697475809280 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60300000edb4 Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887 Minimized Testcase (0.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94OwFNU4AXQCalWJJ3y-LF1PX3SLMEhEHo_6GS2SFtLFGIG5BqGivYAs9QFK2UrRUtjb6GcJkq6ONY9jkkGwmRPGu3lmqzG1kOX0MftsGEKnKJQSsu8vY8gUVBw4NWdEszecNw9_Lf4qU-11NqNswyZR8ZeAA?testcase_id=6332697475809280 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6332697475809280 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60300000edb4 Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887 Minimized Testcase (0.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94OwFNU4AXQCalWJJ3y-LF1PX3SLMEhEHo_6GS2SFtLFGIG5BqGivYAs9QFK2UrRUtjb6GcJkq6ONY9jkkGwmRPGu3lmqzG1kOX0MftsGEKnKJQSsu8vY8gUVBw4NWdEszecNw9_Lf4qU-11NqNswyZR8ZeAA?testcase_id=6332697475809280 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6597008517496832 Fuzzer: pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60b00000af8c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle8 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887 Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97BrDGDdmIC4VclNwrK_8jQYqtbTdTXpUqJG21i7DsK6MkVj3OT5BHVmFrThxKKsZXqwtDjX-7dT_UzNCOLMXYKF3d40znwrV2sxZd0QLDF8VU5mcWzsD98ELRZVsc_lMaapdOW9oiDQsqSRmhYGWoc6bd9rw?testcase_id=6597008517496832 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6489690303889408 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WKNmCpaSBMvQ-_JHQCVkD0Gsudny5kUGhH4ofU49_jPs86Lkm-jxrqmH0XbT2kZ_ddd6Lbky_vumLsbX86uV4KLMDl99ZljhINQTxpT_o7W_jFss6t0m0iyqp2vVQeaxVVrWmz_UknNJJsxN0YXTSU3MXpA?testcase_id=6489690303889408 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041065400565760 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv942KXrrLM12P7So2YOJMi_NzIabl75UYd1UNDwWtKxOCVpB9b6YYrJW84n1NCtDXTn3ybCTtIlUNdZuE7S2G1cYiFoO5Op5B73h0Lua7dHydLZ3LkHQf7aABpAWmEGgykXBgMVYSiCOpJSpLN73HFbQ8jwoZA?testcase_id=6041065400565760 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5774050907652096 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x606000001fac Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: High Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94wFg-WfpgbPi1_86x7mIRAuFO0dSwrcGavKlMDqwjSO96c5UJ-2O3uHQkwMdMfh3GT9KNcDWLDIbpFuO8tmCYANAM3X3SVk6pfD9lvBU7f2k_U6cVucB3irTI7arfbOuFSFWwFwuqRW0nZn-1tNXnugk6eKA?testcase_id=5774050907652096 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6166034151374848 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-use-after-free READ 4 Crash Address: 0x6060000613ac Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94MbclsdMiaoLfFN-juSF67GAUNFBPonAe1peD0xTiK_mIAa_YFpVfvgWxafrGXLowv-nEA1tLZS8Jc6n08pDyXSMEPJ1RHK0hU_DyheChOtxy32FN59rHVVFIN0KeriiuzL0Mv4BwKhqUW5gZ-M-xXx9BeXw?testcase_id=6166034151374848 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4891529315614720 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_S9A9bbx1hw7z37qCioVCj2cIwO5ByRcupoWviJ2qotqUHY6oDB_aAH6GxTGxneMDVK0kw1Rr3xi69UE9Vy6RxJ87NHfafpHibrZgTaXOiP-YxQdAdriHKNCuEDyDDcAi4uZm1LWvIC4rt5B5W_0PVh6a6A?testcase_id=4891529315614720 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5608524847775744 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cwZ_Q-AKxEI7skMDXoS-B4FzjnnPOVA3jTUpWQT57TalcuyfabzHJGivpaJkJiSFRFK8kZ-tUHaR8aomgSSfBglPJROtWjT2UGKACui7dCbMx5HlNi1-ZeBwGguZUzg26VFW3IG1b0SiJJcaCx2uL6KRWLw?testcase_id=5608524847775744 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6160083272859648 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VDT9x-5o9LHpuc9fdvvrTNck27J5G8CBExQ8yUKOeqPASBSjZmPgi3uJXyZJSGVCMyhTfn1h2tRIsMwSYjvmBKbHv5gSpLfPDKLNFPoLtvQAgxXHJmsDr3Mz305Qmig-wEGZXTjwmbqWvDGZKnv38F2OA-Q?testcase_id=6160083272859648 Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4754449419730944 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ODiCmpc6Ia_neABdIzaVLKBx9w8YkiGujkbXLhmR-l6SZUePA4Y6fiBgakJwmX7h6pJSFEQ_AyyqaUKPB3BXEZqAJamUzePUyFj3YQyMZMLmK-F2KvcQgoSiswbpacFtzss5SYC31nWEv8VMxGGKnd4u7Mg?testcase_id=4754449419730944 Filer: inferno See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6404518661324800 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60b00000b27c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle8 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97XCmg-UTVYSn8u2bOrfBOp_soxLWZNuShVYkDkDa3NC1PSn42Xg1BcWpuxOdjad3kNmCyhrG1IV1JBEAkgVkhJUy3WqhZhD0WnV447zFERThYBN6o-BlvhbDfSO-YCj5zzreMo3SlFp_7tZf-p6hcwnhuDmQ?testcase_id=6404518661324800 Filer: tanin See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5868544793509888 Fuzzer: pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60300000eddc Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_read_scanline Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97wDB3qLyPrjkZKBi6WAhAbRBUu7YnLuznZM_DrlI4XGolfAyjfS0jJSyQmCcYQ1xLx6fkO-JiKINScT0EqHUoOH2_lFNnq-Q5WHEfptTf48d0nR1TbG3viVo0Zx2OtOEjKTjfBntgB5SITjsrIH09gy5B4xA?testcase_id=5868544793509888 Filer: tanin See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4754449419730944 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ODiCmpc6Ia_neABdIzaVLKBx9w8YkiGujkbXLhmR-l6SZUePA4Y6fiBgakJwmX7h6pJSFEQ_AyyqaUKPB3BXEZqAJamUzePUyFj3YQyMZMLmK-F2KvcQgoSiswbpacFtzss5SYC31nWEv8VMxGGKnd4u7Mg?testcase_id=4754449419730944 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041065400565760 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv942KXrrLM12P7So2YOJMi_NzIabl75UYd1UNDwWtKxOCVpB9b6YYrJW84n1NCtDXTn3ybCTtIlUNdZuE7S2G1cYiFoO5Op5B73h0Lua7dHydLZ3LkHQf7aABpAWmEGgykXBgMVYSiCOpJSpLN73HFbQ8jwoZA?testcase_id=6041065400565760 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6489690303889408 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WKNmCpaSBMvQ-_JHQCVkD0Gsudny5kUGhH4ofU49_jPs86Lkm-jxrqmH0XbT2kZ_ddd6Lbky_vumLsbX86uV4KLMDl99ZljhINQTxpT_o7W_jFss6t0m0iyqp2vVQeaxVVrWmz_UknNJJsxN0YXTSU3MXpA?testcase_id=6489690303889408 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6160083272859648 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VDT9x-5o9LHpuc9fdvvrTNck27J5G8CBExQ8yUKOeqPASBSjZmPgi3uJXyZJSGVCMyhTfn1h2tRIsMwSYjvmBKbHv5gSpLfPDKLNFPoLtvQAgxXHJmsDr3Mz305Qmig-wEGZXTjwmbqWvDGZKnv38F2OA-Q?testcase_id=6160083272859648 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4891529315614720 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_S9A9bbx1hw7z37qCioVCj2cIwO5ByRcupoWviJ2qotqUHY6oDB_aAH6GxTGxneMDVK0kw1Rr3xi69UE9Vy6RxJ87NHfafpHibrZgTaXOiP-YxQdAdriHKNCuEDyDDcAi4uZm1LWvIC4rt5B5W_0PVh6a6A?testcase_id=4891529315614720 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410288:410317. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5608524847775744 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60200001f01c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=410288:410317 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cwZ_Q-AKxEI7skMDXoS-B4FzjnnPOVA3jTUpWQT57TalcuyfabzHJGivpaJkJiSFRFK8kZ-tUHaR8aomgSSfBglPJROtWjT2UGKACui7dCbMx5HlNi1-ZeBwGguZUzg26VFW3IG1b0SiJJcaCx2uL6KRWLw?testcase_id=5608524847775744 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
Can I ask when you plan to fix these XFA-related issues?
Aug 9 2016
XFA is currently disabled on master. We will fix these before we re-enable XFA.
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4533181829349376 Fuzzer: pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60300000ea1c Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rle4 Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887 Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97k4tKneFVETwVw0TdzhU8d9BldwJf5mkR6MhjthIBfRDay4kNgSmsahWiVHJSFuILIvU0moHTROFxjAikqsV_8VGAeHEkAnRxm6xjIAJiygK5CVO8YyZXk0d5oOjOntr5_fnl23t04gwPBUjCkoVH-CbPa-g?testcase_id=4533181829349376 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6171829479931904 Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60800000bf80 Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_decode_rgb Recommended Security Severity: Medium Minimized Testcase (0.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_kS5DaxDkeky38tST0Px7QUbcZSaq0iYmG7FHJzUqYHK9mnQl_fWv3O3gpbvOuoSxoHYFp67RRm570NrrLBJMNkhViCyPSTPa_gich2DEi-Ac9ryszFhjgYsJ0t6h-Te4lyyen1CeOU7fYBpDdj9mB6dluQ?testcase_id=6171829479931904 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 8 2016
Kind reminder: this issue is still reproducible.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5868544793509888 Fuzzer: pdf_codec_bmp_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x60300000eddc Crash State: CCodec_ProgressiveDecoder::ReSampleScanline CCodec_ProgressiveDecoder::BmpReadScanlineCallback bmp_read_scanline Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv973dyLmTHMjqZ8hpdrlLMbe5GbIDiuWEg179it3VIZezmLrQo3FQo7yDMkp0dLCRGwphADp9U1MHsEf7TddjShMCg6S0v-XNvV9DiDlav2wqt2IlFoQ1EXH2VG7a3MbP6GqeM4d4676rdKBqBpimU_F7Oa-R_7FDgc-ZyoemeF-PSXUmH2_hdka9vUeMXpn24HM3C3ryJfO_EPyKncJPeLI0NXZhZxIcyhNOU0U38jtut1MzNImODeSTplsE-U2XaTT0A5axGWA_908sQ11qeOCp7Khb1mzkXKouRlYt6SRHUPa_vZLovRQ6_ZDy4h9_MoTvQLmzqvKGbrrJitJv-uTOPnEgGtQzudYuUJmCvzwb85f3d8?testcase_id=5868544793509888 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
https://pdfium.googlesource.com/pdfium/+/73c9f3bb3d82563d6d4496c4b0204d5c0825e8a2 "fixed" this.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6171829479931904

Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60800000bf80
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rgb

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95N6apJ8h_kVncfyRcBX2c9X6LCnpapaNPChg6skNINjwqfjnNKaUVzgR1WuOFW3ZJmFMy_08U0iyOQ0oSkFm7nd-Iq4GW53Q1y9eGh_z9yzFpSJBOS7f9nXCYJjjkjTmxElwS3jbOyC068fEncEkYIrXp8XAdSYo7MCHQkTUiDkJ5nE0o9fEXqkyoXpfBpdQHGMqq2yeR6DHbBeKSFL-9r_r0UWO2LzzVfmLKxEjSp9uuSdgt3vCsxCL-k5jVkuJ2Xsv04_F_nRgh6I5f2MGV-w0Qpro31oo_RV1-GQJMy9jD8BOx04qVEUAJcmD1duNLAwOV4boLRrRm2mkjJhgo67SSkEZS6k0b1xsGho4AdSIfIAF0?testcase_id=6171829479931904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6404518661324800

Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60b00000b27c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle8

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97KNDjEr2FRm8rd1HikgeQRCP011XfDOBxvMTTz-mCYJVLOV5ry19W9Mx6bDHx4Pi82uNRIy-s9-i9rmmA9zt5yXOLlilC5qxxAbrPyj3e5O1vLPaJ_gB6XwloSGLt71dptUD0WvSJz-5s3lyclqu7G8TWDNahNbrOctNxKt1VAyB37qSRp9WyhGINH_-ZEccmfgqqnjaEnVr6CtdMjkyBd5CacvD42DJHHg-r71sq8Y3XcbrkwwL89-Og4dYyBBQQ4RSdjvtBN9Z4NTZXw1C6zYAD4p0uZn89v0BNjDZDWznp-FatcncycJOAUBiBsUDEbKzLyohV3rgBL2o8tqkRzi1ESGe8MqhTz_WHT8-ibI2IKEcM?testcase_id=6404518661324800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453265:453313.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4533181829349376

Fuzzer: pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000ea1c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=453265:453313

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95Oll6nTjgYqx1kj00JQdoV6c5dQVGOJTf7DEAM7O8ECCdBXli0SeuAwrETOhmGbiWsYia1BWCu2oiLCXOzw3BhVnr48DNufK3FUySt3LvCcxZ8KqlfPyGKSacgeISF75g0PLaW79mT3XMdGS8qhbQhkqViyPdeO4Vwunx53J5k74dk_AczUfrJEz_0B57ozAAqZGavX4a82OLXYilxrjc_R0i3llM0fAT0_j94leYDpP8G9vCOlkLd5FDl46C4k7WmGPXhMjFpdJnRYr1x8TtEoI4_D_KcOQyHwxeYV5uTal_MybPCJSmz074r_clQRM-EUxgNxCpNg1ESNoCriPKvs5ucNIr0RoCjqTDA0qznecJEp5Y?testcase_id=4533181829349376

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 16 2017
May 23 2017
Jun 9 2017
Re-running clusterfuzz
Jun 13 2017
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/6500c6faf82f636d55c9ca5682711022890bef1d

commit 6500c6faf82f636d55c9ca5682711022890bef1d
Author: Nicolas Pena <npm@chromium.org>
Date: Tue Jun 13 16:50:49 2017

Check validity of color indices in bmp_decode_rgb

The pal_num member of bmp_ptr indicates the number of color indices used by the bitmap. This CL returns an error when an invalid index is found, since otherwise a heap-buffer-overflow can occur since the size of m_pSrcPalette is calculated based on pal_num.

Bug: chromium:616670
Change-Id: I397958704bed1aa1ae259016ffd5033c07a801ee
Reviewed-on: https://pdfium-review.googlesource.com/6470
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/6500c6faf82f636d55c9ca5682711022890bef1d/core/fxcodec/lbmp/fx_bmp.cpp
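The check that the commit above describes, shown as an added example that is not PDFium's code: the palette is allocated with pal_num entries taken from the file header, so any pixel index at or above pal_num has to be rejected before it is used to read the table. The type and function names (bmp_ctx_t, decode_indexed_checked and the rest), the three-colour palette and the scanline bytes are all constructed for this example; the 4-bpp path extends the same check to the nibble-packed indexed format, which the commit itself does not touch.

```c
#include <stdint.h>

/* Added example, not PDFium code.  Models the palette-index check from the
 * commit above: the palette holds pal_num entries, so a pixel index that is
 * >= pal_num must be rejected rather than dereferenced.  All names below are
 * hypothetical. */

#define BMP_OK             0
#define BMP_ERR_BAD_INDEX (-1)
#define BMP_ERR_BAD_BPP   (-2)

typedef struct {
    uint32_t bpp;            /* 4 or 8: the palette-indexed BMP formats */
    uint32_t pal_num;        /* entries actually allocated in palette[] */
    const uint32_t *palette; /* pal_num BGRA entries, 4 bytes each */
    uint32_t width;          /* pixels per scanline */
} bmp_ctx_t;

/* Standard BMP header rule (stated here as an assumption of the example):
 * biClrUsed == 0 means the full 2^bpp table, otherwise exactly biClrUsed
 * entries.  A file can therefore declare a 3-entry palette for 8-bpp data
 * whose pixel bytes still range up to 255. */
uint32_t bmp_palette_entries(uint32_t bpp, uint32_t clr_used) {
    return clr_used ? clr_used : (1u << bpp);
}

/* Extract the x-th palette index from a packed scanline (high nibble is the
 * left pixel for 4 bpp). */
static int fetch_index(const bmp_ctx_t *ctx, const uint8_t *line,
                       uint32_t x, uint32_t *idx) {
    switch (ctx->bpp) {
    case 8:
        *idx = line[x];
        return BMP_OK;
    case 4:
        *idx = (x & 1) ? (line[x / 2] & 0x0fu) : (line[x / 2] >> 4);
        return BMP_OK;
    default:
        return BMP_ERR_BAD_BPP;
    }
}

/* "Before" shape: the index goes straight into the table.  With pal_num == 3
 * and an index of 15 this reads 48 bytes past a 12-byte allocation.  Kept for
 * contrast only; nothing below calls it. */
int decode_indexed_unchecked(const bmp_ctx_t *ctx, const uint8_t *line,
                             uint32_t *out) {
    for (uint32_t x = 0; x < ctx->width; x++) {
        uint32_t idx;
        int rc = fetch_index(ctx, line, x, &idx);
        if (rc != BMP_OK) return rc;
        out[x] = ctx->palette[idx];
    }
    return BMP_OK;
}

/* "After" shape: fail the decode on the first index outside the table. */
int decode_indexed_checked(const bmp_ctx_t *ctx, const uint8_t *line,
                           uint32_t *out) {
    for (uint32_t x = 0; x < ctx->width; x++) {
        uint32_t idx;
        int rc = fetch_index(ctx, line, x, &idx);
        if (rc != BMP_OK) return rc;
        if (idx >= ctx->pal_num) return BMP_ERR_BAD_INDEX;
        out[x] = ctx->palette[idx];
    }
    return BMP_OK;
}

/* Constructed sample: an image whose header claims only three colours. */
static const uint32_t k_palette[3] = { 0xff000000u, 0xff0000ffu, 0xff00ff00u };

/* Well-formed 8-bpp line; returns decoded pixel x, or 0 on any error. */
uint32_t demo_valid_pixel(uint32_t x) {
    const uint8_t line[4] = { 0, 1, 2, 1 };
    uint32_t out[4];
    bmp_ctx_t ctx = { 8, bmp_palette_entries(8, 3), k_palette, 4 };
    if (x >= 4 || decode_indexed_checked(&ctx, line, out) != BMP_OK) return 0;
    return out[x];
}

/* Malformed 8-bpp line: third pixel uses index 15 against a 3-entry table. */
int demo_malformed_8bpp(void) {
    const uint8_t line[4] = { 0, 1, 0x0f, 2 };
    uint32_t out[4];
    bmp_ctx_t ctx = { 8, bmp_palette_entries(8, 3), k_palette, 4 };
    return decode_indexed_checked(&ctx, line, out);
}

/* Malformed 4-bpp line: nibbles 0,1,2,15 against the same 3-entry table. */
int demo_malformed_4bpp(void) {
    const uint8_t line[2] = { 0x01, 0x2f };
    uint32_t out[4];
    bmp_ctx_t ctx = { 4, bmp_palette_entries(4, 3), k_palette, 4 };
    return decode_indexed_checked(&ctx, line, out);
}
```

The unchecked variant is kept only for contrast: it is the shape of code that produces the "Heap-buffer-overflow READ 4" reports the bot posts in this thread, a 4-byte palette entry read from beyond a table sized by the header. The general rule is that a decoder which sizes an allocation from one header field must validate every index derived from pixel data against that same field, for every pixel format that consults the table.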
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=4533181829349376

Fuzzer: pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000ea1c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4533181829349376

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6404518661324800

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60b00000b27c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle8

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6404518661324800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6597008517496832

Fuzzer: pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60b00000af8c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle8

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6597008517496832

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6160083272859648

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6160083272859648

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6489690303889408

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6489690303889408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=5868544793509888

Fuzzer: pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000eddc
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_read_scanline

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5868544793509888

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=5608524847775744

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5608524847775744

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6166034151374848

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x6060000613ac
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rgb

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6166034151374848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=4891529315614720

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4891529315614720

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=4754449419730944

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4754449419730944

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6332697475809280

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60300000edb4
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rgb

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6332697475809280

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6041065400565760

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60200001f01c
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rle4

Sanitizer: address (ASAN)
Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6041065400565760

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
ClusterFuzz has detected this issue as fixed in range 479013:479090.

Detailed report: https://clusterfuzz.com/testcase?key=6171829479931904

Fuzzer: libFuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 4
Crash Address: 0x60800000bf80
Crash State:
  CCodec_ProgressiveDecoder::ReSampleScanline
  CCodec_ProgressiveDecoder::BmpReadScanlineCallback
  bmp_decode_rgb

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=479013:479090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6171829479931904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2017
Jul 14 2017
ClusterFuzz testcase 5774050907652096 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jul 14 2017
No Clusterfuzz, no.
Aug 29 2017
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot