Security: [PDFium]AddressSanitizer: negative-size-param
Reported by
marcin.t...@gmail.com,
Jun 8 2016
|
Issue description

VULNERABILITY DETAILS
Vulnerability: Negative-size-param

VERSION
Pdfium - git version from https://pdfium.googlesource.com/pdfium/ (today)
Compiled: GYP_DEFINES='asan=1 symbol_level=1' gclient runhooks ; ninja -C out/Debug
Operating System: Ubuntu 14.04 LTS x64

REPRODUCTION CASE
./pdf_codec_tiff_fuzzer pdf_tiff-negative-size-param:-1.tiff

ASAN LOG (symbolized):
=================================================================
==47348==ERROR: AddressSanitizer: negative-size-param: (size=-500)
    #0 0x499538 in __asan_memcpy ??:?
    #1 0x4dfff6 in ReadBlock /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/xfa_codec_fuzzer.h:53:7
    #2 0x605716 in _tiff_read /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_tiff.cpp:94:11
    #3 0xa0d0b6 in TIFFFetchDirectory /home/mtowalski/git_pdfium/pdfium/out/Debug/../../third_party/libtiff/tif_dirread.c:4521:10
    #4 0xa03d53 in TIFFReadDirectory /home/mtowalski/git_pdfium/pdfium/out/Debug/../../third_party/libtiff/tif_dirread.c:3415:11
    #5 0xa80225 in TIFFClientOpen /home/mtowalski/git_pdfium/pdfium/out/Debug/../../third_party/libtiff/tif_open.c:466:8
    #6 0x605463 in _tiff_open /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_tiff.cpp:158:15
    #7 0x607285 in InitDecoder /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_tiff.cpp:212:12
    #8 0x60c71f in CreateDecoder /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_tiff.cpp:514:8
    #9 0x5f5c6c in DetectImageType /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:1229:24
    #10 0x5f6bfb in LoadImageInfo /home/mtowalski/git_pdfium/pdfium/out/Debug/../../core/fxcodec/codec/fx_codec_progress.cpp:1282:7
    #11 0x4de179 in Fuzz /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/xfa_codec_fuzzer.h:22:29
    #12 0x4ddf46 in LLVMFuzzerTestOneInput /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/pdf_codec_tiff_fuzzer.cc:8:10
    #13 0x4e5f12 in main /home/mtowalski/git_pdfium/pdfium/out/Debug/../../testing/libfuzzer/unittest_main.cc:39:5
    #14 0x7f94f78d6f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
    #15 0x41bcde in _start ??:?

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: negative-size-param (/home/mtowalski/git_pdfium/pdfium/out/Debug/pdf_codec_tiff_fuzzer+0x499538)
==47348==ABORTING
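As an added example (not code from PDFium, libtiff or this report), a read callback in the shape libtiff's TIFFClientOpen expects, which refuses a negative byte count like the size=-500 in the ASan log before it ever reaches memcpy; the in-memory reader, the sample header bytes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte sample: little-endian TIFF header, first IFD at offset 8. */
static const uint8_t sample_tiff[8] = { 'I', 'I', 42, 0, 8, 0, 0, 0 };

/* Hypothetical in-memory source standing in for the fuzzer's Reader. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } mem_reader;

/* What an unchecked callback hands to memcpy: libtiff's byte count (tmsize_t)
 * is signed, so a negative value becomes a huge size_t, which ASan reports
 * as negative-size-param. */
size_t unchecked_len(ptrdiff_t want) { return (size_t)want; }

/* Hardened read callback. Returns bytes copied; 0 for negative or
 * out-of-range requests; a short read when fewer bytes remain than asked. */
ptrdiff_t read_block_checked(mem_reader *r, void *dst, ptrdiff_t want) {
    if (want <= 0) return 0;          /* reject negative sizes before memcpy */
    if (r->pos > r->len) return 0;    /* position already past the end */
    size_t avail = r->len - r->pos;
    size_t n = (size_t)want;
    if (n > avail) n = avail;         /* clamp instead of over-reading */
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return (ptrdiff_t)n;
}

/* Fresh reader over the sample at offset start, asking for want bytes. */
ptrdiff_t try_read(ptrdiff_t want, size_t start) {
    uint8_t buf[64] = {0};            /* sample is 8 bytes, so n never exceeds 8 */
    mem_reader r = { sample_tiff, sizeof sample_tiff, start };
    return read_block_checked(&r, buf, want);
}

int main(void) {
    printf("unchecked -500 -> %zu bytes\n", unchecked_len(-500));
    printf("header read: %td, negative: %td, past end: %td\n",
           try_read(4, 0), try_read(-500, 0), try_read(100, 4));
    return 0;
}
```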
,
Jun 10 2016
We already found this.
,
Jun 10 2016
,
Jun 10 2016
,
Jun 10 2016
ochang -- Can you dedup this to the bug where we already found this? Thanks.
,
Jun 10 2016
I don't think we filed a bug for it, but CF found the bug already 3 days ago.
,
Jun 10 2016
So I was first with the filed bug ;)
,
Jun 10 2016
,
Jun 11 2016
,
Jun 13 2016
,
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5640910633435136
Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Negative-size-param
Crash Address:
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96CT3-v2UWni8QbMFEFjLWO002bFaegw7wtnpWY7bByk3EChdxrr1m90uPEJpJyYWigF87aEP5rtP4wShojUpGJYilSsh8j4GznQ3REtwFk6V-d6ryCmCXM_6nikFhh-aTWEqJqP0htzLhHDS_IdTT6eXY5jw
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jun 16 2016
,
Jun 16 2016
ClusterFuzz has detected this issue as fixed in range 400121:400191.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5640910633435136
Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Negative-size-param
Crash Address:
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400121:400191
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96CT3-v2UWni8QbMFEFjLWO002bFaegw7wtnpWY7bByk3EChdxrr1m90uPEJpJyYWigF87aEP5rtP4wShojUpGJYilSsh8j4GznQ3REtwFk6V-d6ryCmCXM_6nikFhh-aTWEqJqP0htzLhHDS_IdTT6eXY5jw
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6511798518022144
Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Negative-size-param
Crash Address:
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XThBT7d2VPp6iSCoPcJFRZk105vJvpG80Z8wWW3u7OFtLyneeV-AD9pTy38-Fl272to3Ld_8PyENjygbxRi8Nqkm0ZKIt3B-lqCnzzhNuGMI8se7iX5F53W4GEbfUC-gt6QjRk84L_1GDVkTeR0H0o-OSHw?testcase_id=6511798518022144
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6511798518022144
Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Negative-size-param
Crash Address:
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XThBT7d2VPp6iSCoPcJFRZk105vJvpG80Z8wWW3u7OFtLyneeV-AD9pTy38-Fl272to3Ld_8PyENjygbxRi8Nqkm0ZKIt3B-lqCnzzhNuGMI8se7iX5F53W4GEbfUC-gt6QjRk84L_1GDVkTeR0H0o-OSHw?testcase_id=6511798518022144
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 12 2016
ClusterFuzz has detected this issue as fixed in range 400121:400191.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5119849126952960
Fuzzer: libfuzzer_pdf_codec_png_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Negative-size-param
Crash Address:
Crash State:
  Reader::ReadBlock
  _tiff_read
  TIFFClientOpen
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398287:398366
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400121:400191
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EYWO6_3ZMxKY2FxCystNAHk967nBY1XROfPT7JwBOnJDkA_8l8ZaYGngp_ompqp7HOmtlZ5sIupByotkOXaWxhWIKdmSlzDMMHY9IIvGuuLF5Q2lnqFwbf2F1z52855FuVSKtaXpCMDGg1gJfX_TZfl16Mg?testcase_id=5119849126952960
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 12 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jul 13 2016
,
Oct 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot