Integer-overflow in bmp_read_header
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6169411841163264
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9769C0AsxoEP39kCkrNYoc3k73mH5VoVpXtJcj9Aj1uV_YT2qugqbZCBS--A2JWJn8GKkdW9aRZ2K6zw6Jec12GTsU5PcOU8uJl1TjLd0ClTDKDvmbZLVasG2ll_dW9N9OE9YPCdy1MjfzfR-O6S_Y9cc3nog?testcase_id=6169411841163264
Filer: ajha
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5197841089953792
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Minimized Testcase (0.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv963It7acGrRfrhsfiq4J5IpF-fJg_Noyx5kS9Z1IlOq4pG-YdnlfbMnq_vTUagUYxDlFOVlDdIegMKHNFylkJPXyXzBzW_vNvj5JeozPIwaspFcVXhvZbQANv1R6Wr8vJriCfWsRLvqepndVCbwSevdeJ1JeA?testcase_id=5197841089953792
Filer: rnimmagadda
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jul 29 2016
Gentle Ping. @hong_zhang: Could you please provide some update on this issue. Thank you.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453271:453317.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5197841089953792
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453271:453317
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94N1FvKeGmBJMMwDtfed_BCKHDht7PF9hZ70hBBdMzTW9QS7waG2j26ra7oeks5Jzphv0POfiQaNoCrVpVaXqTznFPk8hYLJpVTjtpzQcSh6zP5juW_UvFKVuJoL1dW6YJo8lVURYMgTbPBcv6li4oxYq09sv2RdSqgrnlvI1Q3Ob9TzJt5B2_maqHOhdiDglYU7s-JWY3gURgphRIfWBdkXcmAUmgsi744E4xh4-DoRQwliA6bGHWPtymucAmoulv0kJ84o2n0q6ZAJkGwV2HGYB-LayleD3U8ANQfCKEzR-pn24_HmdUWCEEPAAAVCTDs1eBoBr-8RTi13ZBCroFYrnyHVExSTd2QdvCkOa1LAgDnXyw?testcase_id=5197841089953792
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 453271:453317.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6169411841163264
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453271:453317
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96eHveSj6aHSjR4Pd1K1FdV7k8PiY-AvgyPt7inl4766af80zgBP-Fi4Ma3CuUbnXAqwjOCCJfSPzm-eGBB_1WDLNsNpUKwbQNA8MVLEeNTTmRKHXZnbeewsn_07nLl4Ue5eopflGyJLjxOAo1h5UDjdqbMKw-eVTaO32NYA-64Tl9c6ejeb95KITWL9FBobWJqOQtUOzMM5ClvoX4Ei8uzyhb0grHTY4_DEK-EWvWl-l7GOgaWU8N4ANkQiaMOk2SNUZMatcBXXnOEyWYP1a-EbiCdBrB9-of3F8fhsch3sfPiRwNOJdLq76yyNzuowmeSd796uA7P6nnH5mc14wCmlnn7XD0xd0DO8yysMk-8gRQKWyQ?testcase_id=6169411841163264
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 28 2017
ClusterFuzz testcase 5197841089953792 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 7 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/3522b43b2fe7126fa9c437aad02eb88dfc4dd38c

commit 3522b43b2fe7126fa9c437aad02eb88dfc4dd38c
Author: Nicolas Pena <npm@chromium.org>
Date: Tue Mar 07 16:35:45 2017

Limit BMP width to avoid overflows

BMP_WIDTHBYTES starts with: (width * bitCount) + 31. Since bitCount can be as large as 32, to avoid this overflowing we need width <= 67108863.

BUG= chromium:628559
Change-Id: I4fd33b65da76225c8200a22380f2bfc4523c5c8d
Reviewed-on: https://pdfium-review.googlesource.com/2934
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

[modify] https://crrev.com/3522b43b2fe7126fa9c437aad02eb88dfc4dd38c/core/fxcodec/lbmp/fx_bmp.cpp
[modify] https://crrev.com/3522b43b2fe7126fa9c437aad02eb88dfc4dd38c/core/fxcodec/lbmp/fx_bmp.h
,
Mar 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a60dc6370942b54087fafd03ef204d2b8e1949db

commit a60dc6370942b54087fafd03ef204d2b8e1949db
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Tue Mar 07 20:01:15 2017

Roll src/third_party/pdfium/ fc9b9880c..3522b43b2 (1 commit)

https://pdfium.googlesource.com/pdfium.git/+log/fc9b9880c79b..3522b43b2fe7

$ git log fc9b9880c..3522b43b2 --date=short --no-merges --format='%ad %ae %s'
2017-03-07 npm Limit BMP width to avoid overflows

Created with: roll-dep src/third_party/pdfium

BUG= 628559

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2735203002
Cr-Commit-Position: refs/heads/master@{#455185}

[modify] https://crrev.com/a60dc6370942b54087fafd03ef204d2b8e1949db/DEPS
,
Mar 8 2017
ClusterFuzz has detected this issue as fixed in range 455079:455198.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6169411841163264
Fuzzer: libfuzzer_pdf_codec_bmp_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  bmp_read_header
  CCodec_BmpModule::ReadHeader
  CCodec_ProgressiveDecoder::DetectImageType
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=400697:402043
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=455079:455198
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96eHveSj6aHSjR4Pd1K1FdV7k8PiY-AvgyPt7inl4766af80zgBP-Fi4Ma3CuUbnXAqwjOCCJfSPzm-eGBB_1WDLNsNpUKwbQNA8MVLEeNTTmRKHXZnbeewsn_07nLl4Ue5eopflGyJLjxOAo1h5UDjdqbMKw-eVTaO32NYA-64Tl9c6ejeb95KITWL9FBobWJqOQtUOzMM5ClvoX4Ei8uzyhb0grHTY4_DEK-EWvWl-l7GOgaWU8N4ANkQiaMOk2SNUZMatcBXXnOEyWYP1a-EbiCdBrB9-of3F8fhsch3sfPiRwNOJdLq76yyNzuowmeSd796uA7P6nnH5mc14wCmlnn7XD0xd0DO8yysMk-8gRQKWyQ?testcase_id=6169411841163264
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 13 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/4ca5ba4dec653aff28d14c9f48715e93e8dfd490

commit 4ca5ba4dec653aff28d14c9f48715e93e8dfd490
Author: Nicolas Pena <npm@chromium.org>
Date: Mon Mar 13 19:59:38 2017

Fix boundary value negation in bmp_read_header

When the value read is equal to -INT_MIN, we cannot negate it since it will be out of bounds, so return error in this case.

BUG= chromium:628559
Change-Id: I7e47a71ef0d35cfb2d1fddc0ba644f9aac79ec3f
Reviewed-on: https://pdfium-review.googlesource.com/2965
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

[modify] https://crrev.com/4ca5ba4dec653aff28d14c9f48715e93e8dfd490/core/fxcodec/lbmp/fx_bmp.cpp
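The two fixes on this bug (the width bound from the Mar 7 commit, so that (width * bitCount) + 31 cannot overflow, and the refusal to negate INT_MIN from the Mar 13 commit) are easiest to see side by side in a minimal header parser. The block below is an added example written for this page, not PDFium's fx_bmp.cpp: it parses the standard 14-byte BITMAPFILEHEADER plus 40-byte BITMAPINFOHEADER, and BMP_MAX_WIDTH, the bmp_status enum and make_header are names chosen here, not PDFium identifiers. The sample headers are constructed in make_header.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Row stride in the shape the Mar 7 commit message describes: the whole
 * expression is evaluated in int, so width * 32 + 31 overflows once width
 * exceeds 67108863 (undefined behaviour; this is what UBSan reported). */
#define BMP_WIDTHBYTES_UNCHECKED(width, bitCount) \
  ((((width) * (bitCount)) + 31) / 32 * 4)

/* Largest width for which width * 32 + 31 still fits in int32_t:
 * 67108863 * 32 + 31 == INT32_MAX. Name chosen for this example. */
#define BMP_MAX_WIDTH 67108863

enum bmp_status {
  BMP_OK = 0,
  BMP_ERR_SHORT,      /* fewer than 54 bytes, or info header too small */
  BMP_ERR_MAGIC,      /* no "BM" signature */
  BMP_ERR_DIMENSION,  /* width/height zero, out of range, or INT32_MIN */
  BMP_ERR_BITCOUNT    /* bitCount not one of 1/4/8/16/24/32 */
};

struct bmp_header {
  int32_t width;
  int32_t height;     /* magnitude; sign is reported via top_down */
  int top_down;       /* 1 if the file stored a negative height */
  uint16_t bit_count;
  uint32_t row_bytes; /* stride rounded up to a multiple of 4 */
};

/* Little-endian field accessors (BMP is always little-endian). */
static uint16_t rd16(const uint8_t *p) {
  return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
  p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same arithmetic as the macro, but in 64-bit and only reached after the
 * width range check, so it cannot overflow. */
static uint32_t bmp_width_bytes(int32_t width, uint16_t bit_count) {
  int64_t bits = (int64_t)width * bit_count + 31;
  return (uint32_t)(bits / 32 * 4);
}

enum bmp_status bmp_read_header(const uint8_t *buf, size_t len,
                                struct bmp_header *out) {
  if (len < 54) return BMP_ERR_SHORT;
  if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
  if (rd32(buf + 14) < 40) return BMP_ERR_SHORT;   /* BITMAPINFOHEADER */

  int32_t width = (int32_t)rd32(buf + 18);
  int32_t height = (int32_t)rd32(buf + 22);
  uint16_t bit_count = rd16(buf + 28);

  /* First fix: bound width so width * bitCount + 31 cannot overflow. */
  if (width <= 0 || width > BMP_MAX_WIDTH) return BMP_ERR_DIMENSION;
  /* Second fix: negative height means top-down, but -INT32_MIN is not
   * representable, so reject it rather than negate it. */
  if (height == 0 || height == INT32_MIN) return BMP_ERR_DIMENSION;
  switch (bit_count) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return BMP_ERR_BITCOUNT;
  }

  out->width = width;
  out->top_down = height < 0;
  out->height = height < 0 ? -height : height;
  out->bit_count = bit_count;
  out->row_bytes = bmp_width_bytes(width, bit_count);
  return BMP_OK;
}

/* Constructed 54-byte header for testing; fields not listed stay zero. */
void make_header(uint8_t h[54], int32_t width, int32_t height,
                 uint16_t bit_count) {
  memset(h, 0, 54);
  h[0] = 'B'; h[1] = 'M';
  wr32(h + 10, 54);                 /* pixel data offset */
  wr32(h + 14, 40);                 /* BITMAPINFOHEADER size */
  wr32(h + 18, (uint32_t)width);
  wr32(h + 22, (uint32_t)height);
  h[26] = 1;                        /* planes */
  h[28] = (uint8_t)bit_count; h[29] = (uint8_t)(bit_count >> 8);
}

int main(void) {
  uint8_t h[54];
  struct bmp_header info;
  enum bmp_status st;

  make_header(h, 2, 2, 24);
  st = bmp_read_header(h, 54, &info);
  printf("2x2x24: status %d, stride %u, macro %d\n", st, info.row_bytes,
         BMP_WIDTHBYTES_UNCHECKED(2, 24));

  make_header(h, BMP_MAX_WIDTH + 1, 1, 32);   /* would overflow the macro */
  printf("width 2^26 x 32bpp: status %d\n", bmp_read_header(h, 54, &info));

  make_header(h, 1, INT32_MIN, 24);           /* negating it would be UB */
  printf("height INT32_MIN: status %d\n", bmp_read_header(h, 54, &info));
  return 0;
}
```

The width bound is the cheaper of the two checks to get wrong: 67108863 is specific to a 32-bit int and a maximum bitCount of 32, so a port that widens bitCount or the row-stride type needs the constant re-derived, which is why bmp_width_bytes above does the arithmetic in 64 bits regardless.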
,
Mar 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ead4ab4ffb0784d727e827d901d708b38a1cefe1

commit ead4ab4ffb0784d727e827d901d708b38a1cefe1
Author: pdfium-deps-roller <pdfium-deps-roller@chromium.org>
Date: Mon Mar 13 23:26:31 2017

Roll src/third_party/pdfium/ 9818dc150..4ca5ba4de (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/9818dc150132..4ca5ba4dec65

$ git log 9818dc150..4ca5ba4de --date=short --no-merges --format='%ad %ae %s'
2017-03-13 npm Fix boundary value negation in bmp_read_header
2017-03-13 dsinclair Add utf-8 flag to win build.
2017-03-10 thestig Make most PDFium code pass Clang plugin's auto raw check.
2017-03-13 npm Fix some nits in fx_codec_fax
2017-03-13 npm Check run lengths in FaxG4GetRow

Created with: roll-dep src/third_party/pdfium

BUG= 628559 , 699340

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md
If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2749553004
Cr-Commit-Position: refs/heads/master@{#456539}

[modify] https://crrev.com/ead4ab4ffb0784d727e827d901d708b38a1cefe1/DEPS
,
Mar 14 2017
Marking as fixed, both testcases don't crash locally any more.
Comment 1 by ajha@chromium.org, Jul 15 2016
Components: Tools>Test>FindIt>NoResult
Labels: M-54 Te-Logged
Owner: hong_zh...@foxitsoftware.com
Status: Assigned (was: Available)