New issue
Advanced search Search tips

Issue 635438 link

Starred by 1 user
Status: Fixed
Owner:
thestig@chromium.org
Closed: Aug 2016
Cc:
ajha@chromium.org
dsinclair@chromium.org
och...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in TT2PDF

Project Member Reported by ClusterFuzz, Aug 8 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5750325573320704

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  TT2PDF
  CPDF_SimpleFont::LoadCharMetrics
  CPDF_SimpleFont::GetCharBBox
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=409458:409520

Minimized Testcase (723.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-axa4suREs1vbC5vW5Y9Q5Y4lwSm999rmjvc-V_y0LptqcObN5ONPuzHX7Yvj_y7Sfjhm9aI4zVWPP5YPHlYWrL7NNwXuc-3Qw5t1djQ57N9W6BtQ6tNuocKlnt9nQh1IhjAYiYUYL5bdn55Q6Ik3mbKfdvq1xeoOwjAArlYL9YVQ8BE?testcase_id=5750325573320704

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: ajha@chromium.org
Components: Internals>Plugins>PDF
Labels: M-54 Te-Logged
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
Findit result:
==============
Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 93 of file fpdf_font.cpp, which is stack frame 0.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 63 of file cpdf_simplefont.cpp, which is stack frame 1.

Author: dan sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/61b2fc718910a5ab2a75ec5026b239ff33bccfdc
Time: Wed Mar 23 19:21:44 2016 -0400
The CL last changed line 100 of file cpdf_simplefont.cpp, which is stack frame 2.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/584b1e679f41a580e2b38d5534f126355c78043b
Time: Mon Mar 21 09:15:45 2016 -0400
The CL last changed line 268 of file cpdf_textobject.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1262 of file fpdf_page_parser.cpp, which is stack frame 4.

Author: thestig
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/4997b22f84307521a62838f874928bf56cd3423c
Time: Tue Jun 07 10:46:22 2016 -0700
The CL last changed line 1290 of file fpdf_page_parser.cpp, which is stack frame 5.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1525 of file fpdf_page_parser.cpp, which is stack frame 6.

Suspected Project: chromium-pdfium
========================================

None of the CLs from the above findit result looks related.

thestig@: Could you please help in investigating this further.

Thank you!

Comment 2 by dsinclair@chromium.org, Aug 15 2016

Cc: och...@chromium.org dsinclair@chromium.org
 Issue 635667  has been merged into this issue.
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 15 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/10dc6fda67bd76a43446e915b9640eb2a11f6640

commit 10dc6fda67bd76a43446e915b9640eb2a11f6640
Author: thestig <thestig@chromium.org>
Date: Mon Aug 15 20:14:54 2016

Roll PDFium d0b6ed1..1099b29

https://pdfium.googlesource.com/pdfium.git/+log/d0b6ed1..1099b29

BUG=409472,617135, 635438 , 637119 
TBR=ochang@chromium.org

Review-Url: https://codereview.chromium.org/2249733002
Cr-Commit-Position: refs/heads/master@{#412028}

[modify] https://crrev.com/10dc6fda67bd76a43446e915b9640eb2a11f6640/DEPS

Comment 4 by thestig@chromium.org, Aug 15 2016

Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, Aug 17 2016 

ClusterFuzz has detected this issue as fixed in range 411957:412168.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5750325573320704

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  TT2PDF
  CPDF_SimpleFont::LoadCharMetrics
  CPDF_SimpleFont::GetCharBBox
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=409458:409520
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411957:412168

Minimized Testcase (723.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96-axa4suREs1vbC5vW5Y9Q5Y4lwSm999rmjvc-V_y0LptqcObN5ONPuzHX7Yvj_y7Sfjhm9aI4zVWPP5YPHlYWrL7NNwXuc-3Qw5t1djQ57N9W6BtQ6tNuocKlnt9nQh1IhjAYiYUYL5bdn55Q6Ik3mbKfdvq1xeoOwjAArlYL9YVQ8BE?testcase_id=5750325573320704

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment