Undefined-shift in tt_face_load_hmtx

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.22 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ecYXctltJkrQRE2gwoWYocqmJnVggDuul_oT5muDJMUEOCLveW3fegq3dPJruqZnU2eFB_ZHMrKoA2JxurdaoaT6WlZr53knUlv3-q9GnnK4svvQVH3691MhjRHp8EQhW7feF2kUZJlhiiM3I0yeVlmlKOg

Testcase preview (mostly binary, shown as extracted):
o/Im2/INPe%PDF!rerd'�%kdce trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<< traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter /Keyword>>stream Tf/CAM endobj /

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 8 2016
Why did this get assigned to me? Because of the GYP->GN flip? I don't really know anything about this fuzzer; maybe one of the PDFium folks should own this instead?
Jun 16 2016
dpranke@, it looks like the issue is in freetype2 (looking at the top 6 stack frames). You are the only owner for third_party/freetype2, which is why I assigned this to you. Do you think that the issue is in pdfium?
Jun 16 2016
This is clearly a freetype2 issue. Please note that even though the freetype folks are gladly fixing most of the bugs we report, they did not fix a bunch of signed-integer overflows (there are too many): https://savannah.nongnu.org/bugs/?func=detailitem&item_id=46149 I don't know what they will say about bad shifts, but I think they will fix them if there are not too many of those.
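For readers who have not met this sanitizer class before, the following is an added example written for this page; it is not code from FreeType, PDFium or Chromium and does not claim to be the specific defect ClusterFuzz hit. It shows the byte-assembly pattern that UBSan reports as "Undefined-shift" ("left shift of negative value") when a parser reads signed big-endian fields from an attacker-supplied table, next to a fully defined rewrite, inside a minimal reader for the OpenType hmtx table. The table layout (numberOfHMetrics longHorMetric records of uint16 advanceWidth and int16 lsb, followed by int16 leftSideBearing values for the remaining glyphs) is from the OpenType specification; the function names, the sample bytes and the error convention are this example's own assumptions.

```c
/* Added example, not FreeType/PDFium code: a minimal OpenType 'hmtx' reader
 * showing the undefined byte-shift idiom, a defined replacement, and the
 * length checks a fuzzed table needs. Function names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 'Before': the high byte is treated as signed and shifted left. For bytes
 * >= 0x80 the promoted operand is negative, and left-shifting a negative
 * signed value is undefined behaviour in C11/C17. Under -fsanitize=undefined
 * this is the "left shift of negative value" report. Kept only to show what
 * the sanitizer trips on; main() below calls it on a non-negative byte only. */
static int16_t read_i16_undefined(const uint8_t *p)
{
    return (int16_t)(((signed char)p[0] << 8) | p[1]);
}

/* 'After': assemble in unsigned arithmetic (every shift defined), then map to
 * the signed range explicitly so nothing relies on implementation-defined
 * narrowing from uint16_t to int16_t. */
static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

static int16_t read_i16(const uint8_t *p)
{
    uint16_t u = read_u16(p);
    return (int16_t)(u >= 0x8000u ? (int32_t)u - 0x10000 : (int32_t)u);
}

struct hmtx_metrics {
    uint16_t advance;
    int16_t  lsb;
};

/* Returns 0 on success, -1 if the glyph counts (which in a real font come from
 * 'hhea'/'maxp' and are attacker-controlled) do not fit the table length.
 * All arithmetic is done in size_t before any byte is read. */
static int parse_hmtx(const uint8_t *tab, size_t len,
                      unsigned num_hmetrics, unsigned num_glyphs,
                      struct hmtx_metrics *out)
{
    if (num_hmetrics == 0 || num_hmetrics > num_glyphs)
        return -1;
    size_t need = (size_t)num_hmetrics * 4
                + (size_t)(num_glyphs - num_hmetrics) * 2;
    if (need > len)
        return -1;

    for (unsigned g = 0; g < num_glyphs; g++) {
        if (g < num_hmetrics) {
            const uint8_t *rec = tab + (size_t)g * 4;
            out[g].advance = read_u16(rec);
            out[g].lsb     = read_i16(rec + 2);
        } else {
            /* Glyphs past numberOfHMetrics share the last advance width. */
            const uint8_t *lsb = tab + (size_t)num_hmetrics * 4
                               + (size_t)(g - num_hmetrics) * 2;
            out[g].advance = out[num_hmetrics - 1].advance;
            out[g].lsb     = read_i16(lsb);
        }
    }
    return 0;
}

/* Constructed sample table: 2 longHorMetric records + 1 trailing lsb.
 *   glyph 0: advance 0x0258 (600), lsb 0x0032 (50)
 *   glyph 1: advance 0x01F4 (500), lsb 0xFF9C (-100), high bit set
 *   glyph 2: lsb 0xFFCE (-50), advance inherited from glyph 1 */
static const uint8_t sample_hmtx[] = {
    0x02, 0x58, 0x00, 0x32,
    0x01, 0xF4, 0xFF, 0x9C,
    0xFF, 0xCE
};

int main(void)
{
    struct hmtx_metrics m[3];
    if (parse_hmtx(sample_hmtx, sizeof sample_hmtx, 2, 3, m) != 0)
        return 1;
    for (int g = 0; g < 3; g++)
        printf("glyph %d: advance=%u lsb=%d\n", g, m[g].advance, m[g].lsb);

    /* Positive high byte: the old idiom is defined here and agrees. Feeding it
     * sample_hmtx + 6 (0xFF 0x9C) under UBSan is what produces the report. */
    printf("old idiom on glyph 0 advance bytes: %d\n",
           read_i16_undefined(sample_hmtx));

    /* Truncated table: rejected by the length check before any read. */
    printf("truncated: %s\n",
           parse_hmtx(sample_hmtx, sizeof sample_hmtx - 1, 2, 3, m)
               ? "rejected" : "accepted");
    return 0;
}
```

Build with `-fsanitize=undefined` and point `read_i16_undefined` at the glyph 1 lsb bytes to see the sanitizer report; the unsigned-first version produces the same value without the report. The same two fixes (unsigned intermediates for shifts, size_t arithmetic checked against the table length before indexing) cover both the UBSan class in this bug and the signed-integer-overflow class mentioned in the comment above.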
Jun 16 2016
dpranke@, let me assign it to you once again. If there is any other owner for freetype2, please let me know or re-assign it to them.
Jun 16 2016
Ah, okay. Yeah, these days I probably shouldn't really be the freetype owner. bungeman@, jshin@, any idea who should actually own this?
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96Fy0JVsKASkZ32bqQXYg-VPDfhMGwq8WNhCQbXTRnACo_feZN8KlLfGkIuen7WrgKvPupyYnGqRUsDBBWF3tZSZuBJEiKAJeoR2O5ZFRcEnM6odSWmuheF3syEz__Wz9xJOOTgC4_T4c91JHXeRJCGQPnSww?testcase_id=5511483371028480

Testcase preview (mostly binary, shown as extracted):
o/Im2/INPe%PDF!rerd'�%kdce trai:ler>> trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<< traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter /Keyword>>stream Tf/CAM endobj /

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5511483371028480

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96Fy0JVsKASkZ32bqQXYg-VPDfhMGwq8WNhCQbXTRnACo_feZN8KlLfGkIuen7WrgKvPupyYnGqRUsDBBWF3tZSZuBJEiKAJeoR2O5ZFRcEnM6odSWmuheF3syEz__Wz9xJOOTgC4_T4c91JHXeRJCGQPnSww?testcase_id=5511483371028480

Testcase preview (mostly binary, shown as extracted):
o/Im2/INPe%PDF!rerd'�%kdce trai:ler>> trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<< traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter /Keyword>>stream Tf/CAM endobj /

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983749263327232

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94XQf_bsGlHsfQL1JLKIyJqURXQ7j16MRUtizDksPAfhliLqDnNpLNwVECcvsxDXtWjs7Ox-2YUpMMTXGwxvBUnK4P0TDXze13pLhclLV3MuJHalrZLkDA-sbnhE1kmYfnlxR8_8sUW-DxbESHBPiurQkuWeg?testcase_id=5983749263327232

Testcase preview (mostly binary, shown as extracted):
o/Im2/INPe%PDF!rerd'�%kdce trai:ler>> trailer<</Root 4 10 R[/AbrF!orm4 4 obj<<>ore%QLFerd/SemiCh2densede;<< traile</Pages 4 20 R[/Abr 1/Contens[0.0 0.0 0.0 )0.0 0.0<</Contents<<.02/3DVie:�1 0]/Flter /Keyword>>stream Tf/CAM endobj /

Filer: kavvaru

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4968268578422784

Fuzzer: libfuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=408222:408334

Minimized Testcase (0.00 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97vAH-U9lecr1ZVmQxjU-zBhlQTyR8l5P_ZrbA1vWEOcGjXe-fpHavySx5hceXS6jWp1l88IadyKwMSL8vTaRaGzJ7N8RjBlo6r2QMLQouaIM-K0xuS6Dah5RbYVCjWsqP9qOvMFsgyeV9b5PHzTOAkAjtzTw?testcase_id=4968268578422784

Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Gentle ping. @bungeman: could you please provide an update on this issue? Thank you.
Jul 29 2016
I don't know why this is assigned to me. If someone wants this fixed, file a bug in launchpad (and be sure to mention which FreeType commit fixed it). We don't ship this code.
Aug 1 2016
Considering that Chrome depends on FreeType2 (even though we don't ship FreeType2 with Chrome), we should take care of its security, shouldn't we? Assume that there is an exploitable vulnerability in FreeType and users get hacked with an exploit delivered through Chrome. Sounds bad. I think that fits our threat model. Please correct me if I'm wrong.
Sep 20 2016
Please remember to add Internals>Plugins>PDF, so the relevant people see the bug. Better yet, go through all the CF bugs and make sure they have a component set. It's easy to query crbug.com for that.

So once again, we don't ship third_party/freetype2. It would be nice if we built fuzzers and linked to system freetype instead of third_party/freetype2 - that's how it is on my Linux workstation by default when I build pdfium_fuzzer. I'm not sure what build flag is triggering the use of third_party/freetype2 here.

Given the above:
- if this happens with system freetype, then we need to bug the freetype developers about it. The fixes then need to trickle back down to whatever distro the CF machines are running.
- if this happens with third_party/freetype2 but not system freetype, then it's a WontFix because third_party/freetype2 is old by design.
Sep 21 2016
I was not added to Cc in comment 6 due to a bad UI in the Cc box. :-) (There's a bug filed against monorail.) Pdfium has FreeType 2.6.1, and a bunch of shift-related issues found by libfuzz have been fixed over the last 10 months or so. I'm afraid some of them are still present in the FreeType 2.6.1 bundled by Pdfium. In that case, Pdfium's copy of FreeType has to be updated. (Chrome OS and Chrome-Android moved up to 2.7 + 5 CLs in ToT.) See https://bugs.chromium.org/p/pdfium/issues/detail?id=601
Sep 21 2016
See bug 274030 for bundling/statically linking FreeType on Linux, for both security and features.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453205:453227.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983749263327232

Fuzzer: libfuzzer_pdfium_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=397764:398208
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453205:453227

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96bpRKrAHN17mbXeoP5X9f3HMXuzq7078q_vqfbzw42ZGRYzPS1x35gYR2ggFIabRalTirySgzmPdPxriY20Tt6RJtDBcBxEZOwB12zH3cbF-JwJkSijvctL2ioGwZJAFjuXXOBDQXFrFI9u0gp_kPCsXqHw4e0yieDw3PNGl_a40RW-PV2nA4hXdLcs0x266fIb2_tU58NmAnGJVRzIEBsbat76yergvudCwgjH8_NGGMavBjVVKNWtUPPUr6GWG-Zj-dUPbKEA6YrzjCUHrPm8hDKTKsXkMsyzrzqHzO-2ZbMCEn30WKFz3nmonU6FUwoxlrh0gMNBBAL4-a7u1K7MYBM-AEuVwuNHBCFrhPbxCkGh4o?testcase_id=5983749263327232

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453205:453227.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4968268578422784

Fuzzer: libfuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  tt_face_load_hmtx
  sfnt_load_face
  tt_face_init

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=408222:408334
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453205:453227

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96IOkQPJ8fQVYXFLvTdQW2RSvZe6U_uQ4YgkmEGVisTZc3eRjKahF9gkFICLe1G5d0V6ktOT0Il1aVzrcEkGcmIeDapdfxhLuPiLtS7AuKa10k0e1nKBYGEGHID3oowbBkbQCOmL3Ts24xRbVOZ7UitbRpzO4Wbvp4mtcHH34eCbkliH-Tyl4IB0gX42r_3xLavfMV_nN0dChAAoN-y9bLtb5eAhFM2VHtQZsSBEQ2ZgDrEWtXtHbimbMBnovaYG29oRHYoawOd-t_MygVbR-qGP9fJgYltGA_yQCErj37SbOEVKDng1UUqwR6rDUaH_jChKck28jzneaY74J7dIA7h3tAEqD9N5zWiBdguAEEKbxs1p7k?testcase_id=4968268578422784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 28 2017
ClusterFuzz testcase 4968268578422784 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by mmoroz@chromium.org, Jun 7 2016
Labels: -Pri-1 Pri-2
Owner: dpranke@chromium.org