New issue
Advanced search Search tips

Issue 635473 link

Starred by 1 user
Status: Fixed
Owner:
dsinclair@chromium.org
Closed: Aug 2016
Cc:
ajha@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Integer-overflow in FX_RECT::Height

Project Member Reported by ClusterFuzz, Aug 8 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6053264783310848

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  FX_RECT::Height
  CFX_RenderDevice::DrawPathWithBlend
  CPDF_RenderStatus::ProcessPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=399086:399117

Minimized Testcase (2855.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974Pz3ORdAavnIs4TNt_0P4f-6yHuJUpYhmvpXE9KyZ-zKrFKV44dM-cuQ4iRZJabNPM_EgOpqvG7EjbxxnB31oyfGY-DSHy2ydkAgZNvzD2a_qf2NTPcjq-AiZRQQTGACwsTxmi-4AyNL8ezV4iWbZu9iuWd29wKK_9lt9vbi8ip_nC7Q?testcase_id=6053264783310848

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: ajha@chromium.org
Components: Internals>Plugins>PDF
Labels: Te-Logged M-53
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)
Findit result:
==============
Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/d5e7b355b8c4c22ff770547797cbc536bdc95d5b
Time: Mon Feb 29 11:24:29 2016 -0800
The CL last changed line 150 of file fx_coordinates.h, which is stack frame 0.

Author: Nico Weber
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/9d8ec5a6e37e8d1d4d4edca9040de234e2d4728f
Time: Tue Aug 04 13:00:21 2015 -0700
The CL last changed line 194 of file fx_ge_device.cpp, which is stack frame 1.

Author: tsepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/7d2a8d966643ebc77c1aa0f0c53a0ffd2d681c4c
Time: Wed Jun 08 11:51:23 2016 -0700
The CL last changed line 493 of file fpdf_render.cpp, which is stack frame 2.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 344 of file fpdf_render.cpp, which is stack frame 3.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 306 of file fpdf_render.cpp, which is stack frame 4.

Author: Dan Sinclair
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/764ec513eecbebd12781bcc96ce81ed5e736ee92
Time: Mon Mar 14 13:35:12 2016 -0400
The CL last changed line 1053 of file fpdf_render.cpp, which is stack frame 5.

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/b3b67620b9db518558f2912357581b600645ce68
Time: Mon Oct 19 16:20:03 2015 -0700
The CL last changed line 905 of file fpdfview.cpp, which is stack frame 6.

Suspected Project: chromium-pdfium
===============================================

None of suspected CL from the above find it result looks related.

Assigning to tsepez@[chromium//src/third_party/pdfium/OWNERS] for further investigation of this.

Comment 2 by dsinclair@chromium.org, Aug 8 2016

Owner: dsinclair@chromium.org
I'll see if I can triage this.

Comment 5 by dsinclair@chromium.org, Aug 9 2016

Status: Fixed (was: Assigned)
This should be fixed and showup with the next PDFium roll.
Project Member

Comment 6 by bugdroid1@chromium.org, Aug 10 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ef20e8a91861a81b5c67efb20b337683ee51c17

commit 9ef20e8a91861a81b5c67efb20b337683ee51c17
Author: thestig <thestig@chromium.org>
Date: Wed Aug 10 02:41:20 2016

Roll PDFium b6befb2..85af2a3

https://pdfium.googlesource.com/pdfium.git/+log/b6befb2..85af2a3

BUG= 62625 , 635473 
TBR=ochang@chromium.org

Review-Url: https://codereview.chromium.org/2232643002
Cr-Commit-Position: refs/heads/master@{#410928}

[modify] https://crrev.com/9ef20e8a91861a81b5c67efb20b337683ee51c17/DEPS
Project Member

Comment 7 by ClusterFuzz, Aug 11 2016 

ClusterFuzz has detected this issue as fixed in range 410916:411073.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6053264783310848

Fuzzer: ochang_search_index_mutator
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  FX_RECT::Height
  CFX_RenderDevice::DrawPathWithBlend
  CPDF_RenderStatus::ProcessPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=399086:399117
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=410916:411073

Minimized Testcase (2855.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv974Pz3ORdAavnIs4TNt_0P4f-6yHuJUpYhmvpXE9KyZ-zKrFKV44dM-cuQ4iRZJabNPM_EgOpqvG7EjbxxnB31oyfGY-DSHy2ydkAgZNvzD2a_qf2NTPcjq-AiZRQQTGACwsTxmi-4AyNL8ezV4iWbZu9iuWd29wKK_9lt9vbi8ip_nC7Q?testcase_id=6053264783310848

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment