
Issue 624514

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security


Heap-buffer-overflow in CWeightTable::Calc

Project Member Reported by ClusterFuzz, Jun 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580419215556608

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fb7dcdfc004
Crash State:
  CWeightTable::Calc
  CStretchEngine::StartStretchHorz
  CFX_ImageStretcher::StartStretch
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893

Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K80q4u40O_HAo6b2Cg0D1rYfwb3ORucxXErxkKgVG-2eRiC8D1TqoAl7OGqkQ8upW9xDQXzg1EKfE3g-UftF3EnjQcnjV-mTlK0x8Ln20ToSQ5sHyRaN19pEB6tlcxSGhRkgm2E_UGXQP1pxm4tN6q3kgKg?testcase_id=4580419215556608

Filer: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by palmer@chromium.org, Jun 29 2016

Cc: tsepez@chromium.org
Components: Internals>Plugins>PDF
Labels: M-53 OS-Android OS-Chrome OS-Mac OS-Windows
Owner: thestig@chromium.org
Status: Assigned (was: Available)
thestig: Could you please handle this or re-assign it to someone who can? Thank you!
Well, I tried fixing the indexing to be more sane, but now some images don't display correctly. I'll keep looking.

Comment 3 by ClusterFuzz, Jun 30 2016

ClusterFuzz has detected this issue as fixed in range 398351:398496.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580419215556608

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 4
Crash Address: 0x7fb7dcdfc004
Crash State:
  CWeightTable::Calc
  CStretchEngine::StartStretchHorz
  CFX_ImageStretcher::StartStretch
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393856:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398351:398496

Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K80q4u40O_HAo6b2Cg0D1rYfwb3ORucxXErxkKgVG-2eRiC8D1TqoAl7OGqkQ8upW9xDQXzg1EKfE3g-UftF3EnjQcnjV-mTlK0x8Ln20ToSQ5sHyRaN19pEB6tlcxSGhRkgm2E_UGXQP1pxm4tN6q3kgKg?testcase_id=4580419215556608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Jun 30 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by sheriffbot@chromium.org, Jun 30 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ClusterFuzz-Verified ClusterFuzz-Wrong Pri-2
Status: Assigned (was: Verified)

Comment 7 by sheriffbot@chromium.org, Jul 2 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by sheriffbot@chromium.org, Jul 2 2016

Labels: -Pri-2 Pri-1

Comment 9 by gov...@chromium.org, Jul 14 2016

M53 beta launch is coming soon. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.

Comment 10 by sheriffbot@chromium.org, Jul 16 2016

thestig: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Comment 12 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 13 by sheriffbot@chromium.org, Jul 21 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Labels: -Security_Impact-Beta Security_Impact-Head
ReleaseBlock-Stable after discussion with thestig@

Comment 15 by sheriffbot@chromium.org, Jul 22 2016

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 16 by sheriffbot@chromium.org, Jul 30 2016

thestig: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
https://codereview.chromium.org/2204773003/
M53 Stable launch is coming soon. Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix ASAP so it gets a chance to bake in beta before stable promotion. Thank you.
Status: Fixed (was: Started)
Will request the merge on Monday.

Comment 22 by sheriffbot@chromium.org, Aug 7 2016

Labels: Merge-Request-53

Comment 23 by dimu@chromium.org, Aug 7 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Cc: awhalley@chromium.org
+awhalley@, is this good to take in for this week's M53 Beta release?
Yep, good for M53, along with the other bugs that have a PDFium roll: 624514, 628304, 628890
Labels: -Merge-Review-53 Merge-Approved-53
Approving merge to M53 branch 2785 based on comment #25. Please merge ASAP (latest by tomorrow, Tuesday 3:00 PM PT) so we can take it in for this week's beta release.

Comment 27 by bugdroid1@chromium.org, Aug 9 2016

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/205c3faca7f4c678fddf6e3811ec6fe9b0fd7031

commit 205c3faca7f4c678fddf6e3811ec6fe9b0fd7031
Author: Oliver Chang <ochang@google.com>
Date: Tue Aug 09 16:01:16 2016

Labels: -Merge-Approved-53 merge-merged-2785
Labels: -Hotlist-Merge-review -ReleaseBlock-Stable
Labels: -reward-topanel reward-unpaid reward-undefined
Labels: -reward-undefined reward-3500
$3,500 for this one - good to see the fuzzer churning out great bugs.  Thanks.
Labels: reward_to-attekett_at_gmail.com
Labels: -reward-unpaid reward-inprocess

Comment 35 by sheriffbot@chromium.org, Nov 11 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.