Issue 620771 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 616667
Owner:	█ hong_zh...@foxitsoftware.com Last visit > 30 days ago
Closed:	Jun 2016
Cc:	attek...@gmail.com
Components:	Internals>Plugins>PDF
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug-Security
ReleaseBlock-Beta Reproducible Stability-Memory-AddressSanitizer External-Fuzzer-Contribution reward-ineligible M-53 Security_Impact-Head Security_Severity-High allpublic Clusterfuzz

Blocked on:
issue 616667

Heap-buffer-overflow in bmp_decode_rle4

Project Member Reported by ClusterFuzz, Jun 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4867572176781312

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 1
Crash Address: 0x61200000917c
Crash State:
  bmp_decode_rle4
  CCodec_BmpModule::LoadImage
  CCodec_ProgressiveDecoder::ContinueDecode
  
Recommended Security Severity: High


Minimized Testcase (11.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97kH7HQvAMhXvAdz9nNVlV1NoBnUGBXxlHhifVJgzuurjd72iiMFkUCtS1B_zGXbi2wVwOHD0G4PZ4VDgiakNbsvtq2NYPwvw3KTruo_gWr512VVfu0zRaMmWNkAyMjkuNW-R1NdhwJiFdikmfCrduAhTDwcw

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmoroz@chromium.org, Jun 16 2016

Blockedon: 616667
Components: Internals>Plugins>PDF

Looks very similar to  bug 616667 . Probably this one is duplicate.

Comment 2 by est...@chromium.org, Jun 16 2016

Owner: hong_zh...@foxitsoftware.com
Status: Assigned (was: Available)

hong_zhang could you please take a look and mark as duplicate if appropriate? Thanks.

Project Member

Comment 3 by sheriffbot@chromium.org, Jun 17 2016

Labels: M-53

Project Member

Comment 4 by sheriffbot@chromium.org, Jun 17 2016

Labels: ReleaseBlock-Beta

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 5 by sheriffbot@chromium.org, Jun 17 2016

Labels: Pri-1

Comment 6 by och...@chromium.org, Jun 17 2016

Mergedinto: 616667
Status: Duplicate (was: Assigned)

Project Member

Comment 7 by sheriffbot@chromium.org, Jun 18 2016

Labels: -reward-topanel reward-ineligible

Comment 8 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Project Member

Comment 9 by sheriffbot@chromium.org, May 9 2018

Labels: -Restrict-View-SecurityTeam

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 620771 link

Issue metadata

Heap-buffer-overflow in bmp_decode_rle4

Issue description

Comment 1 by mmoroz@chromium.org, Jun 16 2016

Comment 1 Deleted

Comment 2 by est...@chromium.org, Jun 16 2016

Comment 2 Deleted

Comment 3 by sheriffbot@chromium.org, Jun 17 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Jun 17 2016

Comment 4 Deleted

Comment 5 by sheriffbot@chromium.org, Jun 17 2016

Comment 5 Deleted

Comment 6 by och...@chromium.org, Jun 17 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Jun 18 2016

Comment 7 Deleted

Comment 8 by mbarbe...@chromium.org, Oct 2 2016

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, May 9 2018

Comment 9 Deleted

Sign in to add a comment