New issue
Advanced search Search tips

Issue 621836 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Negative-size-param in XFACodecFuzzer::Reader::ReadBlock

Project Member Reported by ClusterFuzz, Jun 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5428087538057216

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95uEziqRXzB6Wnoy0J3_gv-uEF3Z3V7GRzlmEh6i62JKf-H2Ien_a4xntNDFfpW5pTMGib9BAgyD7WeN22adbXy29oEfNwJsD_27onAk_v58yTswY08vjLtJeXMt3hGwjQq9Tdey-KYBsiTWOxHkGTiNUNq-Q?testcase_id=5428087538057216
PE+


Additional requirements: Requires Gestures

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Jun 21 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org och...@chromium.org
Components: Internals>Plugins>PDF
Looks similar to  bug 618295 , but stacktrace differs and this one is reproducible while 618295 looks fixed.
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 21 2016

Labels: Pri-2
Project Member

Comment 3 by ClusterFuzz, Jun 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6224577244168192

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadRawStrip1
  

Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95U3aOA1BB4gCY2cMm9T2auw-X1e8y5wp1A7cSuFJA9UzdIKh9nAIUuGZW3JsNVNdo_3UC4gJo6TTNQa-IF5cEJ4Y-FR_Hji19or3FoGYpTGB4j9DrbvIs53QnGc6-6qTSfPsO3h0w6r2ASwyt_kMFQ85FDGA?testcase_id=6224577244168192

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 4 by ClusterFuzz, Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5428087538057216

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95uEziqRXzB6Wnoy0J3_gv-uEF3Z3V7GRzlmEh6i62JKf-H2Ien_a4xntNDFfpW5pTMGib9BAgyD7WeN22adbXy29oEfNwJsD_27onAk_v58yTswY08vjLtJeXMt3hGwjQq9Tdey-KYBsiTWOxHkGTiNUNq-Q?testcase_id=5428087538057216
PE+


Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jul 6 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4650122592124928

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95cFPt9n8oVkfAakaK7g7H6_FmEeDP7Ko9aWHbmAjrLklEuC5wbIqH6tpDh9HYS4UAyVPOk6tANKkavXNuAoO9oP86CM98vnd9s-BQE9XD7j24SwnB8OjvcZaMfU-Om8WOs6AlTSCxjAekgE045qWBsDyFsfQ?testcase_id=4650122592124928


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 6 by ClusterFuzz, Jul 8 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4650122592124928

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95cFPt9n8oVkfAakaK7g7H6_FmEeDP7Ko9aWHbmAjrLklEuC5wbIqH6tpDh9HYS4UAyVPOk6tANKkavXNuAoO9oP86CM98vnd9s-BQE9XD7j24SwnB8OjvcZaMfU-Om8WOs6AlTSCxjAekgE045qWBsDyFsfQ?testcase_id=4650122592124928


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 7 by ClusterFuzz, Jul 8 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004654010007552

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  OJPEGReadHeaderInfoSecTablesDcTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887

Minimized Testcase (2.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YCKrjZDDZRdhRNBuL0X0KgpCIoCXt_MJHmx3pJZDKXWV3DiqTURLGx-o7O9g0Vf_SWk9H4oZ2syFCrgHkk7oj3BR1bdlz-tKrpFTahSVRhrUyRM2V1UsiNElxD3x7L0Lh3b56q-y9QBUAxHfHQ2H7ku8etQ?testcase_id=6004654010007552

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 8 by ClusterFuzz, Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5117301301182464

Fuzzer: afl_pdf_codec_tiff_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96F739rCa6pEWQOrw6NUrBSpLCuUwjjM1slAm9_Ltrd7n6rfmT0aiBqUzMY1ypbF-z-ZGjdsqYcybqvVFVC_PccgMnsjBZ_KU6RqfPZNII8ZkLwIbaaGiFbMHoPn6qZsIJ0UCvxdU5-UW-FNQjkPMWhX1nwpQ?testcase_id=5117301301182464

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 9 by mmoroz@chromium.org, Jul 12 2016

Labels: Stability-AFL
Project Member

Comment 10 by ClusterFuzz, Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5294541129383936

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
  

Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94PJCK0ucNfmr0FFvFq_gut1YVMgT2WXKzh8id1bd_2sBYsaqWDBT4_2sxnc3TCE9uCFW80qItzcTbvP7yw0d8G3EGqPPyqcPWO9plDx-3LXxqVvdoZ9wQruWYkdoER0lKj9GsnqNnK1K9SpyfIEU1Twm2uHw?testcase_id=5294541129383936

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 11 by ClusterFuzz, Jul 31 2016

ClusterFuzz has detected this issue as fixed in range 408535:408588.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5294541129383936

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408535:408588

Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96GXIRIYWI2E9XNhurxLxgEIRYTi6FeoTCG1OU34sQjyOgRkN6VwJQcNVGEYei8CJGOmMfbKPuICHmFDl5N2XFqV6WkOkJvlzQ0FTxIxquw9d9wt8EOrBBO6uN4hgfegsKwWc8k48eq9mxA-E_i9SVABXgGFQ?testcase_id=5294541129383936

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Jul 31 2016

ClusterFuzz has detected this issue as fixed in range 408652:408744.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6224577244168192

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadRawStrip1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408652:408744

Minimized Testcase (0.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97qfrtizUl0sPovnyp8yYGW13xQdwZ_QiAfM7OoRTKiP6ByLwtwdSin2WZ4u4_DXPFkYFYEyz5QXLSqiLWIuJc8vmOn7Lj0u3b67onNtBI8dyvNKQewfPXZm7htAe9cCHDX7PCxRTSqsy6Wdf_JdLMCEiGFoQ?testcase_id=6224577244168192

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Jul 31 2016

ClusterFuzz has detected this issue as fixed in range 408389:408457.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004654010007552

Fuzzer: pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  OJPEGReadHeaderInfoSecTablesDcTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408389:408457

Minimized Testcase (2.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96FoDmKi8QMT00kSXWFMmPfoH2vouzomECq89mbAA5XM78Z4B53gq_FTVtZxsswd9ryoPrappUpv80nZLddiFc6esWzCikCyEEqSGwOdfQRuMPNI98TK8UnOVajlFM0bVkJ9KZi23lHdFEb3Y7tQR8j1Ltc2A?testcase_id=6004654010007552

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 14 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6497264602447872

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadRawStrip1
  

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94PAXsdzqGaLJYTDJ-as1xGvcnxxCTD69BIXIaYajxskDaP2MFX0MLWDsJwkcs1X9spYrjHPrVBUIGgLZZ_4LtZuLzg6kP-GhopLcO9f77TxLqcJkdeMqUsoRJ-WNceWv4RrIjdsZrai0ilfbypEbLD4ny4LA?testcase_id=6497264602447872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 15 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5300222857314304

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  OJPEGReadHeaderInfoSecTablesAcTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sy_nvY77B6woFPdBK7Ohk8BB9JvdX58K2Zc3EkisTWoNMviOQnKUiLnwwRfYtD6z8XqsA2ew8Q0Rvh2Thy27CPdvgTMKTbVgRty3JKOI7iamHZQzfF40f1e9SQS4mrVu3I1HqI9buXGr10ceOOnNkYVOGzw?testcase_id=5300222857314304

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 16 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5319734046490624

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryArray
  

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96PSOSoLgd1AIiw0KbA7GTjADyDpVbUsMgi01_LuobOgsFWbL2MsTzRo6K4U_ZubAnFo7Fkxl88Xe5V5PpupongOSMlVQbs--XbTV-5cJAVTmcn6dezdcvRzt7saESg7VeAk5Mr56YHNmrZrxLKkzHgGbWcDQ?testcase_id=5319734046490624

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 17 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6566087502331904

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryCheckedRational
  

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96AWwjwV-CTQ6VwxqOFPpigkfctjLM179vUMj806ScRRL7P7NiSV4b0HM2y5EGdU-OAUvmwinRma2MLhJTT8tH_defDNf7ekhJSApnlLXaNkv0LjTSgX7FJP9Dit3OwOATO4F8TdhfR1B3p3SSNfiRrkmuKvg?testcase_id=6566087502331904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 18 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6539686187368448

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  JPEGFixupTagsSubsamplingReadByte
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171

Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xEbl79Odq1modg7x22XCRCu8a025_-ipBMWXiJZwvc_4GXXRMndqQ9gVZyZ3eTF16QMokY7kXsonY_VbW_bMfsxTilkv8RVsZJ-ETMmQh0h445Wcos-egZbLJvDD76N3QYHfwAxbcf51f0Q1BlJyYoPrmfA?testcase_id=6539686187368448

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 19 by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059975384498176

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=409160:409173

Minimized Testcase (1.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97J1YO8bhUOpMsg7jaJmY449CXtdRqW4xfTPR7Nn4ChZn52L-yUMw8KJboZxqlDM-toVi0cwde4XtEhDrzu33HFmfY7YB8bCXKSrwMMTqFLxhZ78rpfJ3Whoz7-YlOIVftXRI94uQDof490Tgz6Z14EJGePXA?testcase_id=6059975384498176

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 20 by ClusterFuzz, Sep 1 2016

Project Member

Comment 21 by ClusterFuzz, Sep 1 2016

Project Member

Comment 22 by ClusterFuzz, Sep 3 2016

ClusterFuzz has detected this issue as fixed in range 410288:412598.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6497264602447872

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadRawStrip1
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=410288:412598

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94PAXsdzqGaLJYTDJ-as1xGvcnxxCTD69BIXIaYajxskDaP2MFX0MLWDsJwkcs1X9spYrjHPrVBUIGgLZZ_4LtZuLzg6kP-GhopLcO9f77TxLqcJkdeMqUsoRJ-WNceWv4RrIjdsZrai0ilfbypEbLD4ny4LA?testcase_id=6497264602447872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 23 by ClusterFuzz, Sep 3 2016

ClusterFuzz has detected this issue as fixed in range 410288:412598.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6566087502331904

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryCheckedRational
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=410288:412598

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96AWwjwV-CTQ6VwxqOFPpigkfctjLM179vUMj806ScRRL7P7NiSV4b0HM2y5EGdU-OAUvmwinRma2MLhJTT8tH_defDNf7ekhJSApnlLXaNkv0LjTSgX7FJP9Dit3OwOATO4F8TdhfR1B3p3SSNfiRrkmuKvg?testcase_id=6566087502331904

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 24 by ClusterFuzz, Sep 3 2016

ClusterFuzz has detected this issue as fixed in range 410288:412598.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5319734046490624

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryArray
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=410288:412598

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96PSOSoLgd1AIiw0KbA7GTjADyDpVbUsMgi01_LuobOgsFWbL2MsTzRo6K4U_ZubAnFo7Fkxl88Xe5V5PpupongOSMlVQbs--XbTV-5cJAVTmcn6dezdcvRzt7saESg7VeAk5Mr56YHNmrZrxLKkzHgGbWcDQ?testcase_id=5319734046490624

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: -kcc@chromium.org -mmoroz@chromium.org -och...@chromium.org -aizatsky@chromium.org thestig@chromium.org
Labels: -Pri-2 -Security_Severity-Low Security_Severity-Medium Pri-1
Owner: dsinclair@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 26 by sheriffbot@chromium.org, Oct 3 2016

dsinclair: Uh oh! This issue still open and hasn't been updated in the last 104 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by sheriffbot@chromium.org, Oct 3 2016

Labels: M-55
Project Member

Comment 28 by sheriffbot@chromium.org, Oct 3 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
inferno@ the XFA code is currently disabled on all Chromium branches. There should be no security impact to a shipping browser.
Labels: -ReleaseBlock-Beta
Removing ReleaseBlock-Beta as XFA is not enabled in beta.
Status: Started (was: Assigned)
https://codereview.chromium.org/2386343002/
Project Member

Comment 32 by sheriffbot@chromium.org, Oct 4 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ReleaseBlock-Beta
Please stop adding Release-Block-Beta. XFA is not enabled in any branch of chromium so this should not block release.

Comment 34 by aarya@google.com, Oct 4 2016

Labels: ReleaseBlock-NA
Need to add ReleaseBlock-NA
Status: Fixed (was: Started)
Project Member

Comment 36 by bugdroid1@chromium.org, Oct 4 2016

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium.git/+/fb403875dd1bbf830d9325f10e6a5650db30c6fd

commit fb403875dd1bbf830d9325f10e6a5650db30c6fd
Author: dsinclair <dsinclair@chromium.org>
Date: Tue Oct 04 19:38:18 2016

Make sure the fuzzer read size does not go negative.

When fuzzing the image formats, its possible to get a read request which
would go negative. Handle the request and return FALSE for the read.

BUG= chromium:621836 

Review-Url: https://codereview.chromium.org/2386343002

[modify] https://crrev.com/fb403875dd1bbf830d9325f10e6a5650db30c6fd/testing/libfuzzer/xfa_codec_fuzzer.h

Project Member

Comment 37 by bugdroid1@chromium.org, Oct 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d1a865bae59d61b2cf626efa124b688d7d63b2a2

commit d1a865bae59d61b2cf626efa124b688d7d63b2a2
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Oct 04 22:14:32 2016

Roll src/third_party/pdfium/ 89f9ee3b8..98151cab3 (10 commits).

https://pdfium.googlesource.com/pdfium.git/+log/89f9ee3b8f3b..98151cab3d24

$ git log 89f9ee3b8..98151cab3 --date=short --no-merges --format='%ad %ae %s'
2016-10-04 dsinclair Cleanup DEPS files
2016-10-04 dsinclair Fix fuzzer paths
2016-10-04 npm Avoid crashing on CPDF_ToUnicodeMap::Load by using ValueOrDefault()
2016-10-04 dsinclair Make sure the fuzzer read size does not go negative.
2016-10-04 dsinclair Move core/fpdfapi/fpdf_render to core/fpdfapi/render
2016-10-04 dsinclair Move core/fpdfapi/fpdf_parser to core/fpdfapi/parser
2016-10-04 dsinclair Move core/fpdfapi/fpdf_page to core/fpdfapi/page
2016-10-04 dsinclair Move core/fpdfapi/fpdf_font to core/fpdfapi/font
2016-10-04 dsinclair Move core/fpdfapi/fpdf_edit to core/fpdfapi/edit
2016-10-04 dsinclair Move core/fpdfapi/fpdf_cmaps to core/fpdfapi/cmaps

BUG= 621836 

TBR=dsinclair@chromium.org

Review-Url: https://codereview.chromium.org/2393643003
Cr-Commit-Position: refs/heads/master@{#422958}

[modify] https://crrev.com/d1a865bae59d61b2cf626efa124b688d7d63b2a2/DEPS

Project Member

Comment 38 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 39 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422880:422991.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6539686187368448

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  JPEGFixupTagsSubsamplingReadByte
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=398366:399171
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422880:422991

Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xEbl79Odq1modg7x22XCRCu8a025_-ipBMWXiJZwvc_4GXXRMndqQ9gVZyZ3eTF16QMokY7kXsonY_VbW_bMfsxTilkv8RVsZJ-ETMmQh0h445Wcos-egZbLJvDD76N3QYHfwAxbcf51f0Q1BlJyYoPrmfA?testcase_id=6539686187368448

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 40 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422882:422996.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6245814586572800

Fuzzer: afl_pdf_codec_tiff_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=422882:422996

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WX56uVJctT5OhX_jlwevg4kd2Av5Ymtkk1mjBtizaly0P2F0qp569H8UyVyCM6LO8R94ta-w6z0-ScvbcjntaFU-UhDqTzFTQbkMKkutbfOPEWE6y20ESrtXQHF8hWYwXQuQFPgjHc3o1ybd2kKZTtp-v6w?testcase_id=6245814586572800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 41 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422880:422991.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059975384498176

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFReadDirEntryData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=409160:409173
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422880:422991

Minimized Testcase (1.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97J1YO8bhUOpMsg7jaJmY449CXtdRqW4xfTPR7Nn4ChZn52L-yUMw8KJboZxqlDM-toVi0cwde4XtEhDrzu33HFmfY7YB8bCXKSrwMMTqFLxhZ78rpfJ3Whoz7-YlOIVftXRI94uQDof490Tgz6Z14EJGePXA?testcase_id=6059975384498176

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 42 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422882:422996.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5117301301182464

Fuzzer: afl_pdf_codec_tiff_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=422882:422996

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96hvZLS0OiVvTjcHWd5LN9iHpbjawWSkRUlJDXiQnfe7rXInDf0_a8MkbaK31cwSOaCRB9juD1nc6wv32Z1ksC8Mn3Hbf1Ih8EJqJcFETEwuZry9ns67Fm8iC5p2bHn20aLAIpJMvx9D1ivGjJRwTgQTGkg8w?testcase_id=5117301301182464

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 43 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422880:422991.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5300222857314304

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  OJPEGReadHeaderInfoSecTablesAcTable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=400757:400887
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422880:422991

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sy_nvY77B6woFPdBK7Ohk8BB9JvdX58K2Zc3EkisTWoNMviOQnKUiLnwwRfYtD6z8XqsA2ew8Q0Rvh2Thy27CPdvgTMKTbVgRty3JKOI7iamHZQzfF40f1e9SQS4mrVu3I1HqI9buXGr10ceOOnNkYVOGzw?testcase_id=5300222857314304

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 44 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422882:422996.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723330720727040

Fuzzer: afl_pdf_codec_tiff_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFFetchDirectory
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=422882:422996

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94KCkfaBRW9s4O5T1n7Dxmof5mkWRzDfWAftzuACxhEyzEIafCk0DpNwM7L8k04LcExBzgroTE-yQY_VVlVRxlLNVvuJT57ElpfhFzzGAsxLaFCbCeIMVomT-W4U9IigfYqMCoL-TwGhkro60d6dskuZ_t1Lg?testcase_id=4723330720727040

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 45 by ClusterFuzz, Oct 5 2016

ClusterFuzz has detected this issue as fixed in range 422880:422991.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4650122592124928

Fuzzer: libfuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Negative-size-param
Crash Address: 
Crash State:
  XFACodecFuzzer::Reader::ReadBlock
  tiff_read
  TIFFClientOpen
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422880:422991

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97rzu5xSDyAJJ9BzvMzmJAVLBs1QZn2WCmETlsdEGmqoA6TWVNBI87-51icAezxcwZruVC3VK1IweoI3qtHcDtUKICKv6eipnOEQzgSAt5z3koEj4Mmj5SNpW33AWpDOjnqQfL0kgJWKMyuU6UIvMvaGxE42Q?testcase_id=4650122592124928
PE+


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 46 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment